Alchimist Cyber Threat attack framework

Researchers have discovered an alarming framework targeting Windows, Linux, and Mac systems that they assess is likely already being used in the wild.

The framework consists of a brand new C2 tool called Alchimist, a previously known known to be Insekt RAT. Researchers described Alchimist as another example of threat actors trying to develop alternatives to popular post-exploit tools such as Cobalt Strike and, more recently, Sliver. 

Alchimist a 64-bit Linux executable written in GoLang with a Web interface written in Simplified Chinese, the official written script for mainland China. The Insekt RAT, Alchimist’s primary implant, is also implemented in GoLang. The malware features several remotely accessible capabilities that allow it to be customized via the C2 server.

Alchimist is capable of creating a configured payload, establish remote sessions, deploy payloads to the remote machines, capture screenshots, perform remote shellcode execution and run arbitrary commands and Mac exploits known vulnerability in a root program associated with major Linux distributions (CVE-2021-4034).

The Insekt RAT implants that Alchimist generates features a wide range of capabilities that essentially makes it a Swiss Army knife for the attackers on the infected system.

Researchers compared the Alchimist framework with another attack framework dubbed Manjusaka. In a report in August, the company described Manjusaka as a Chinese sibling of Cobalt Strike and Sliver. Both framework are stand-alone, single-file-based C2 frameworks with similar design philosophies but different implementations.

C2 Servers

• 149[.]28[.]54[.]212
• 95[.]179[.]246[.]73
• 149[.]28[.]36[.]160
• 45[.]76[.]68[.]112
• 3[.]86[.]255[.]8