Researchers have found a new all-in-one, single-file C2 framework that can generate RAT payloads for Windows and Linux machines. The framework is written in Chinese, and the same server on which the researchers discovered it included post-exploitation tools and a custom backdoor.
The framework is called Alchimist and it bears a strong resemblance to a separate tool called Manjusaka that Cisco Talos researchers discovered in August. Both are written in Chinese in the Go programming language and both come in the form of a single executable file that includes the implants and the web interfaces. But there are differences, as well, and the two do not operate in exactly the same way. Alchimist is designed to give the operator stealthy control over the target machine, as well as the ability to move laterally across any networks that it may be connected to.
“Insekt RAT, a new trojan Cisco Talos discovered, is Alchimist’s beacon implant written in GoLang and has a variety of remote access capabilities that can be instrumented by the Alchimist C2 server,” Talos researchers said in a new analysis of the discovery.
“Alchimist C2 has a web interface written in Simplified Chinese and can generate a configured payload, establish remote sessions, deploy payload to the remote machines, capture screenshots, perform remote shellcode execution and run arbitrary commands.”
The implant, known as Insekt, has a wide range of capabilities typical of most RATs. It can gather information about the infected machine, run arbitrary commands, take screenshots, and perform other tasks. There are Insekt implants for Linux and Windows, and the Linux version gives the operator the ability to add a new SSH key to the infected machine’s directory so that it can communicate with the C2 server over SSH.
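The Linux implant's SSH-key behaviour points to one concrete check a defender can run. The Python below is an added example, not code from the Talos report or from Alchimist: it parses authorized_keys lines, including the quoted-options prefix, and reports entries that are absent from a known-good baseline. The file contents and key blobs are constructed placeholders.

```python
import re

# Key types normally seen in authorized_keys; lines with any other type are
# reported as unparseable so that an odd entry is never silently dropped.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "sk-ssh-ed25519@openssh.com")
_KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, KEY_TYPES)) +
                     r")\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$")


def parse_authorized_keys(text):
    """Return a list of (options, key_type, blob, comment) tuples.

    Line format: [options] key-type base64-blob [comment]. Options may hold
    quoted strings containing spaces, so the key-type token is located first
    and everything before it is taken as the options field."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEY_RE.search(line)
        if m is None:
            entries.append(("", None, line, ""))
            continue
        options = line[:m.start()].strip()
        entries.append((options, m.group(1), m.group(2), m.group(3) or ""))
    return entries


def audit_authorized_keys(text, approved_blobs):
    """Return (reason, entry) findings: keys missing from the baseline and
    lines the parser could not classify."""
    findings = []
    for entry in parse_authorized_keys(text):
        _options, key_type, blob, _comment = entry
        if key_type is None:
            findings.append(("unparseable", entry))
        elif blob not in approved_blobs:
            findings.append(("unknown-key", entry))
    return findings


# Constructed sample file: two approved keys (one with options) and one
# key that was never approved. Blobs are placeholders, not real keys.
SAMPLE_FILE = """\
# admin workstation
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleApprovedKey0000000000 ops@host
command="/usr/bin/backup",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAAExampleBackupKey backup@host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleUnknownKey00000000000 root@unknown
"""
APPROVED = {"AAAAC3NzaC1lZDI1NTE5AAAAIExampleApprovedKey0000000000",
            "AAAAB3NzaC1yc2EAAAAExampleBackupKey"}

if __name__ == "__main__":
    for reason, entry in audit_authorized_keys(SAMPLE_FILE, APPROVED):
        print(reason, entry[1], entry[3])
```

On a real host the same function would be run over each user's authorized_keys file, with the baseline taken from configuration management rather than from the host itself.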
“From the network point-of-view, Insekt can create ‘proxy’ connections to other systems by its own mechanism or by simply using the socks5 protocol. Insekt also includes a module that implements the different commands that can be issued by the operators. In particular, it implements interactive shells based on PowerShell, bash and cmd.exe. It also has the ability to accept command codes from the Alchimist C2 to execute a predefined set of commands on the victim system,” Cisco Talos researchers wrote in a new analysis of Alchimist and Insekt.
On the same server where the Alchimist framework was discovered, the researchers also found a number of other tools, some of which are freely available online, and others that are custom. One of the custom tools is designed for exploitation of macOS machines.
“The Mach-O file discovered in the open directory is a 64-bit executable written in GoLang embedded with an exploit and a bind shell backdoor. The dropper contains an exploit for a privilege escalation vulnerability (CVE-2021-4034) in polkit's pkexec utility. However, this utility is not installed on MacOSX by default, meaning the elevation of privileges is not guaranteed,” the Talos report says.
“Along with the exploit, the dropper would bind a shell to a port providing the operators with a remote shell on the victim machine. The same exploit was also found for Linux.”
The discovery of both Manjusaka and Alchimist in the space of less than two months may point to an increase in adoption of ready-made C2 frameworks by attackers. There’s little point in building a custom framework if other people have already done the work for you.
“The functionality of Manjusaka and Alchimist’s web interfaces exhibiting remote administration capabilities, performed through the RATs, signifies the plethora of functionalities packed into these C2 frameworks. A threat actor gaining privileged shell access on a victim’s machine is like having a Swiss Army knife, enabling the execution of arbitrary commands or shellcodes in the victim’s environment, resulting in significant effects on the target organization,” the Talos analysis says.