A standalone Command and Control (C2) server called “Alchimist” was recently discovered by Cisco Talos. The framework has been designed to run attacks via standalone GoLang-based executables that can be distributed easily. The framework found by Talos contains both the whole web user interface and the payloads.
Go programming language, also known as GoLang, becomes increasingly popular for developers looking to compile their code on multiple different systems and architecture. As an example, we recently wrote about the Sliver offensive framework, fully written in Go. It is therefore no wonder that more cybercriminals are also adopting it.
Alchimist, whose name has been given by its developer, uses GoLang-based assets, which are custom-made embedded packages, to store all the resources needed for its operations as a C2 server. During initialization, all its content is placed in hard coded folders, namely /tmp/Res for the web interface, HTML files and more folders, and /tmp/Res/Payload for its payloads for Windows and Linux operating systems.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
A self-signed certificate without any server name is also dropped in the /tmp folder (Figure A), together with its key for use in HTTPS communications. That certificate could be found on five different IP addresses on the Internet at the time of the research, all of them used for Alchimist.
The Web interface
The Alchimist framework user web interface is written in English and simplified Chinese languages (Figure B).
Most common features expected to handle Remote Administration Tool (RAT) malware are implemented in the interface, yet one stands out according to the researchers: The ability to generate PowerShell and wget code snippets for Windows and Linux systems. These commands might be embedded in malicious documents, LNK files or any other kind of files used for initial compromise, and download/install the additional payload provided by the framework: the Insekt RAT.
Several parameters are taken from the web user interface to generate the final payload. Those parameters are:
- The protocol to be used: TLS, SNI or WSS/WS.
- The remote C2 host IP address or URL
- The targeted platform type: Windows or Linux
- A daemon flag to indicate if the Insekt RAT payload needs to be run as a daemon (a background running process)
- A predomain value, for the SNI protocol
Once configured, the web interface sends a request to a URL of the current C2 server to request a new payload that is downloadable.
The Insekt payload
Insekt RAT is written in GoLang and compiled for Windows and Linux. The RAT provides the ability to get information about the operating system it runs on and file sizes information, sleep for predefined periods or upgrade itself.
In addition, it provides more aggressive functions such as providing a command-line cmd.exe to execute arbitrary commands. It also allows for executing commands as another user, executing shellcode, scanning IP addresses and ports, manipulating Secure Shell (SSH) keys, or enabling proxying. It is also able to enumerate files in a directory path.
The Linux version of Insekt also allows users to add new SSH keys to the authorized_Keys file, therefore allowing the attacker to communicate with the victimized machine over SSH.
Predefined sets of commands are also usable for the attacker’s ease, enabling faster interactions and avoiding typing mistakes.
MacOSX also targeted
Alongside Alchimist and Insekt, the researchers found tools for privilege elevation and exploitation on MacOSX platforms.
A Mach-O file found in the main folder allows to trigger an exploit for a privilege escalation vulnerability (CVE-2021-4034) on the pkexec utility, which is not installed on MacOSX by default. A bind shell backdoor is also available in that executable, to provide a remote shell to the threat actor.
More all-inclusive C2 frameworks probably to come and hit several different operating systems
More of such attack frameworks have been found lately. Manjusaka, a Chinese sibling of Sliver and Cobalt Strike, appeared in 2022, programmed in GoLang for its C2 part, while the payloads were made in Rust programming language. Rust, like GoLang, enables a developer to compile code on several different platforms very easily. It is expected to see more multiplatform frameworks written in Go and Rust programming languages.
The discovery of Alchimist stands as another indication that “threat actors are rapidly adopting off-the-shelf C2 frameworks to carry out their operations,” according to Cisco Talos.
The ease of use of such a framework will probably entice malware developers and threat actors to use more of those in the near future.
What can be done against this threat?
Security software should be deployed in order to detect the payloads and possible communications to Alchimist C2. The self-signed certificate used by the framework should raise immediate alerts when found in HTTPS communications.
Operating systems and software need to be kept up to date and patched, in order to avoid attackers using common vulnerabilities to compromise a system and get an initial foothold.
Multi-factor authentication also needs to be deployed for every internet-facing device or service, in order to avoid attacks using a single credential for access.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.