One Article Review

The article:
Source: CISCO Talos
Identifier: 7433830
Publication date: 2022-10-13 08:00:07 (viewed: 2022-10-13 13:06:16)
Title: Alchimist: A new attack framework in Chinese for Mac, Linux and Windows
Text: By Chetan Raghuprasad, Asheer Malhotra and Vitor Ventura, with contributions from Matt Thaxton.

Cisco Talos discovered a new attack framework including a command and control (C2) tool called "Alchimist" and a new malware, "Insekt", with remote administration capabilities. Alchimist has a web interface in Simplified Chinese with remote administration features. The attack framework is designed to target Windows, Linux and Mac machines. The Alchimist and Insekt binaries are implemented in GoLang. The campaign also uses additional bespoke tools, such as a MacOS exploitation tool and a custom backdoor, and multiple off-the-shelf tools such as reverse proxies.

Cisco Talos has discovered a new single-file command and control (C2) framework the authors call "Alchimist [sic]." Talos researchers found this C2 on a server that had a file listing active on the root directory, along with a set of post-exploitation tools. Cisco Talos assesses with moderate-high confidence that this framework is being used in the wild.

"Alchimist" is a 64-bit Linux executable written in GoLang and packed with assets, including resources for the web interface and Insekt RAT payloads compiled for Windows and Linux. Insekt RAT, a new trojan Cisco Talos discovered, is Alchimist's beacon implant. It is written in GoLang and has a variety of remote access capabilities that can be instrumented by the Alchimist C2 server. The Alchimist C2 has a web interface written in Simplified Chinese and can generate a configured payload, establish remote sessions, deploy the payload to remote machines, capture screenshots, perform remote shellcode execution and run arbitrary commands.

Among the remaining tools, Cisco Talos found a Mach-O dropper embedded with an exploit for a known vulnerability, CVE-2021-4034, a privilege escalation issue in polkit's pkexec utility, and a Mach-O bind shell backdoor. The Qualys Research Team discovered CVE-2021-4034 in November 2021, and in January 2022 the U.S. National Security Agency's Director of Cybersecurity warned that the vulnerability was being exploited in the wild. The server also contained dual-use tools like psexec and netcat, along with a scanning tool called "fscan," which its author describes as an "intranet scanning tool": essentially all the tools needed for lateral movement.

Alchimist framework

The attack framework we discovered during the course of this research consists of a standalone C2 server called "Alchimist" and its corresponding implants, which the authors call the "Insekt" RAT family. Alchimist isn't the first self-contained framework we've discovered recently: Manjusaka is another single-file C2 framework Talos disclosed recently. Both follow the same design philosophy, albeit implemented in different ways, to the point where they both seem to have the same list of requirements despite being implemented by different programmers. However, Manjusaka and Alchimist have virtually the same set of feat
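The report describes Alchimist as a single Go-built Linux ELF that carries its web assets and Insekt payloads for Windows and Linux inside the file, with a separate Mach-O dropper alongside it. The script below is an added triage example, not Talos' tooling or any code from the report: given the raw bytes of a suspect file, it reports every plausible ELF, PE and Mach-O header inside it (offset 0 is the container, later hits are candidate embedded payloads to carve and hash) and whether the file carries Go's build-info marker. The sample bundle it builds is constructed for the demonstration and is not a real Alchimist artifact; the magic values and header offsets are the documented ELF, PE, Mach-O and Go layouts.

```python
"""Triage a single-file bundle for embedded payloads and a Go build marker.

Added example, not Talos' tooling: run it on a suspect binary
(`python triage.py /path/to/file`) or with no argument to use the
constructed sample built by build_sample_bundle().
"""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional

ELF_MAGIC = b"\x7fELF"
# Marker at the start of a Go binary's .go.buildinfo section (Go 1.13+); it is
# what `go version -m` reads and it survives `-ldflags "-s -w"`.
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"
MACHO_MAGICS = {
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal (same magic as a Java class file)",
}
PE_MACHINES = {0x8664: "x86-64", 0x014C: "x86", 0xAA64: "ARM64"}


@dataclass(frozen=True)
class Hit:
    offset: int
    kind: str


def _offsets(data: bytes, needle: bytes) -> Iterator[int]:
    """Yield every offset at which `needle` occurs in `data`."""
    off = data.find(needle)
    while off != -1:
        yield off
        off = data.find(needle, off + 1)


def _elf_at(data: bytes, off: int) -> Optional[str]:
    """Describe the ELF header at `off`, or None if e_ident is not sane."""
    hdr = data[off:off + 20]
    if len(hdr) < 20:
        return None
    ei_class, ei_data = hdr[4], hdr[5]  # 1/2 = 32/64-bit, 1/2 = little/big-endian
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", hdr[16:20])
    return f"ELF{'64' if ei_class == 2 else '32'} (e_type={e_type}, e_machine=0x{e_machine:04x})"


def _pe_at(data: bytes, off: int) -> Optional[str]:
    """Describe the PE image whose DOS stub starts at `off`, or None.

    "MZ" is a common byte pair, so a hit only counts when e_lfanew (DOS header
    offset 0x3C) points at a real "PE\\0\\0" signature inside the file.
    """
    if off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe_off = off + e_lfanew
    if e_lfanew < 0x40 or pe_off + 6 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", data, pe_off + 4)[0]
    return f"PE ({PE_MACHINES.get(machine, f'machine=0x{machine:04x}')})"


def find_embedded_executables(data: bytes) -> List[Hit]:
    """Return all plausible ELF/PE/Mach-O headers in `data`, ordered by offset."""
    hits: List[Hit] = []
    for off in _offsets(data, ELF_MAGIC):
        desc = _elf_at(data, off)
        if desc:
            hits.append(Hit(off, desc))
    for off in _offsets(data, b"MZ"):
        desc = _pe_at(data, off)
        if desc:
            hits.append(Hit(off, desc))
    for magic, desc in MACHO_MAGICS.items():
        hits.extend(Hit(off, desc) for off in _offsets(data, magic))
    return sorted(hits, key=lambda h: h.offset)


def is_go_binary(data: bytes) -> bool:
    """True if the file carries Go's build-info marker."""
    return GO_BUILDINFO_MAGIC in data


def triage(data: bytes) -> dict:
    """Container type, Go marker, and embedded payloads (everything past offset 0)."""
    hits = find_embedded_executables(data)
    return {
        "container": hits[0].kind if hits and hits[0].offset == 0 else "unknown",
        "go_binary": is_go_binary(data),
        "embedded": [h for h in hits if h.offset != 0],
    }


def build_sample_bundle() -> bytes:
    """Constructed stand-in (not a real sample) for a Go ELF bundling a PE and a Mach-O.

    Only the header bytes the checks look at are filled in; a stray "MZ" with no
    valid e_lfanew is included and must not be reported.
    """
    elf = ELF_MAGIC + bytes([2, 1, 1]) + b"\0" * 9 + struct.pack("<HH", 2, 0x3E)  # ELF64 LE, ET_EXEC, x86-64
    pe = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x80)  # e_lfanew -> 0x80
    pe = pe.ljust(0x80, b"\0") + b"PE\0\0" + struct.pack("<H", 0x8664)
    macho = b"\xcf\xfa\xed\xfe" + b"\0" * 28
    go_info = GO_BUILDINFO_MAGIC + bytes([8, 0])  # pointer size 8, little-endian flag
    return (elf.ljust(64, b"\0") + b"A" * 200 + go_info + b"\0" * 50
            + b"MZ" + b"\0" * 40 + pe.ljust(0x100, b"\0") + b"B" * 33 + macho)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_bundle()
    report = triage(blob)
    print(f"container: {report['container']}  go_binary: {report['go_binary']}")
    for hit in report["embedded"]:
        print(f"  embedded @ 0x{hit.offset:06x}: {hit.kind}")
```

A hit past offset 0 is a lead, not a verdict: legitimate installers and packers also embed executables, and Go binaries that were built with `-ldflags "-s -w"` still carry the build-info marker, so absence of the marker points more towards a non-Go or deliberately tampered binary than its presence points towards malice. Carve each reported offset, hash it, and compare against the IOCs in the report before drawing conclusions.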
Sent: Yes
Tags: Malware, Tool, Vulnerability, Threat


The article does not appear to have been picked up elsewhere after its publication.


The article does not appear to have been taken from an earlier one.