Cisco Talos researchers came across a new attack and C2 framework, Alchimist, that can target macOS, Windows, and Linux. Alongside it, the researchers found a new malware, Insekt, which is Alchimist's beacon implant and carries remote administration functionality. Both binaries are written in Go.
Diving into details
Alchimist is an easy-to-use framework that lets its operators generate and configure payloads capable of capturing screenshots remotely, executing shellcode, and running arbitrary commands.
It also supports a custom infection mechanism for dropping the Insekt RAT on target machines, generating PowerShell and wget snippets that fetch the implant.
The Alchimist C2 server issues the commands; Insekt executes them on the infected host.
Beyond command execution, the RAT can act as a proxy, scan ports and IP addresses, manipulate SSH keys, and execute shellcode.
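Insekt's SSH-key manipulation is the kind of change a defender can catch by diffing authorized_keys against a known-good copy. The Go program below is an added example written for this page; it is not code from Talos, Alchimist, or Insekt. The sample authorized_keys lines are constructed, and the key material in them is a constant stand-in, not a real key. The program parses both line layouts sshd accepts (with and without a leading option list), fingerprints each key the way ssh-keygen -lf does, rejects blobs whose embedded type does not match the line's type token, and reports keys added to or removed from the file.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

// AuthorizedKey is one parsed entry of an OpenSSH authorized_keys file.
type AuthorizedKey struct {
	Options     string // option list preceding the key, e.g. from="10.0.0.0/8",no-pty (empty if none)
	Type        string // key-type token, e.g. "ssh-ed25519"
	Fingerprint string // "SHA256:<unpadded base64>", the format ssh-keygen -lf prints
	Comment     string // trailing comment, usually user@host
}

// keyTypes lists the key-type tokens the parser recognises.
var keyTypes = map[string]bool{
	"ssh-rsa": true, "ssh-ed25519": true, "ssh-dss": true,
	"ecdsa-sha2-nistp256": true, "ecdsa-sha2-nistp384": true, "ecdsa-sha2-nistp521": true,
	"sk-ssh-ed25519@openssh.com": true, "sk-ecdsa-sha2-nistp256@openssh.com": true,
}

// parseLine parses one authorized_keys line in either layout sshd accepts:
//   type base64 [comment]
//   options type base64 [comment]
// The key-type token is located explicitly so options may precede it. Runs of
// whitespace inside quoted options are normalised to single spaces. Blank and
// comment lines, undecodable blobs, and blobs whose embedded type does not match
// the type token return ok=false.
func parseLine(line string) (k AuthorizedKey, ok bool) {
	line = strings.TrimSpace(line)
	if line == "" || strings.HasPrefix(line, "#") {
		return k, false
	}
	fields := strings.Fields(line)
	typeIdx := -1
	for i, f := range fields {
		if keyTypes[f] {
			typeIdx = i
			break
		}
	}
	if typeIdx < 0 || typeIdx+1 >= len(fields) {
		return k, false
	}
	blob, err := base64.StdEncoding.DecodeString(fields[typeIdx+1])
	if err != nil || len(blob) < 4 {
		return k, false
	}
	// The wire-format blob starts with a length-prefixed copy of the key type;
	// a mismatch means the line was hand-edited or corrupted.
	n := int64(binary.BigEndian.Uint32(blob[:4]))
	if n+4 > int64(len(blob)) || string(blob[4:4+n]) != fields[typeIdx] {
		return k, false
	}
	sum := sha256.Sum256(blob)
	return AuthorizedKey{
		Options:     strings.Join(fields[:typeIdx], " "),
		Type:        fields[typeIdx],
		Fingerprint: "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:]),
		Comment:     strings.Join(fields[typeIdx+2:], " "),
	}, true
}

// ParseAuthorizedKeys parses a whole file body into entries keyed by fingerprint.
// A key listed twice (same blob, different options or comment) keeps its first entry.
func ParseAuthorizedKeys(body string) map[string]AuthorizedKey {
	keys := make(map[string]AuthorizedKey)
	for _, line := range strings.Split(body, "\n") {
		if k, ok := parseLine(line); ok {
			if _, seen := keys[k.Fingerprint]; !seen {
				keys[k.Fingerprint] = k
			}
		}
	}
	return keys
}

// DiffAuthorizedKeys returns keys present in current but not in baseline (added)
// and keys present in baseline but not in current (removed). An added key is the
// signal an implant that plants its own key produces; a removed one can mean
// lockout or anti-forensics.
func DiffAuthorizedKeys(baseline, current string) (added, removed []AuthorizedKey) {
	b := ParseAuthorizedKeys(baseline)
	c := ParseAuthorizedKeys(current)
	for fp, k := range c {
		if _, ok := b[fp]; !ok {
			added = append(added, k)
		}
	}
	for fp, k := range b {
		if _, ok := c[fp]; !ok {
			removed = append(removed, k)
		}
	}
	return added, removed
}

// wireBlob builds a base64 OpenSSH public-key blob (length-prefixed type, then a
// length-prefixed key field) so the constructed sample below is self-consistent.
// This mirrors the ed25519 layout only; the key bytes are a constant stand-in.
func wireBlob(keyType string, pub []byte) string {
	var n [4]byte
	var buf []byte
	binary.BigEndian.PutUint32(n[:], uint32(len(keyType)))
	buf = append(buf, n[:]...)
	buf = append(buf, keyType...)
	binary.BigEndian.PutUint32(n[:], uint32(len(pub)))
	buf = append(buf, n[:]...)
	buf = append(buf, pub...)
	return base64.StdEncoding.EncodeToString(buf)
}

// Constructed sample (assumption, not data from the report): a baseline with one
// admin key, and the current file after an unknown key was appended to it.
var (
	adminKey     = wireBlob("ssh-ed25519", []byte(strings.Repeat("A", 32)))
	plantedKey   = wireBlob("ssh-ed25519", []byte(strings.Repeat("B", 32)))
	baselineKeys = "# admin access\n" +
		`from="10.0.0.0/8" ssh-ed25519 ` + adminKey + " admin@bastion\n"
	currentKeys = baselineKeys + "ssh-ed25519 " + plantedKey + " ops\n"
)

func main() {
	added, removed := DiffAuthorizedKeys(baselineKeys, currentKeys)
	for _, k := range added {
		fmt.Printf("ADDED   %s %s comment=%q options=%q\n", k.Type, k.Fingerprint, k.Comment, k.Options)
	}
	for _, k := range removed {
		fmt.Printf("REMOVED %s %s comment=%q\n", k.Type, k.Fingerprint, k.Comment)
	}
}
```

Run it as-is to see the planted key reported as ADDED with its fingerprint. In practice the baseline would come from configuration management or a signed snapshot, and the diff would run on every host (including root's and service accounts' authorized_keys) on a schedule or from a file-integrity trigger.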
Why this matters
The Alchimist framework is the latest in a line of frameworks that give less-sophisticated threat actors the means to run their own attacks. Such frameworks are well built and feature-rich, evade detection well, and ship with effective implant-dropping functions. Even advanced actors may adopt Alchimist to cut their operational costs or to blend in with other malicious traffic and frustrate attribution.
Lowering the entry barrier
A new phishing-as-a-service (PhaaS) platform, Caffeine, was recently introduced with open registration, meaning anyone, including aspiring threat actors, can launch sophisticated phishing campaigns.
Last month, researchers discovered another PhaaS platform, EvilProxy, that lets attackers bypass MFA by relaying the victim's login through a reverse proxy and capturing the resulting session. It is sold on a subscription basis and can be used to compromise Facebook, Apple, Google, and GitHub accounts, among others.
The bottom line
The discovery of Alchimist shows how quickly attackers are adopting off-the-shelf C2 frameworks for their operations. Once they gain privileged access to victim systems, they can cause significant damage to the targeted organizations.