Cisco Talos uncovers a new all-in-one offensive framework, Alchimist, with a GoLang-based C2 and a companion RAT called Insekt that targets Windows, Linux, and Mac, featuring a Chinese-language web UI and remote administration. The dropper/C2 stack includes MacOSX exploitation, a payload generator, and multiple off-the-shelf tools, highlighting the rise of all-inclusive, single-file C2 frameworks. #Alchimist #Insekt #GoLang #pkexec #polkit #CVE2021-4034 #MacOSX #Manjusaka
Key points
- The Alchimist framework is a standalone GoLang-based C2 with an embedded Insekt RAT payload family for Windows and Linux, plus MacOSX exploitation tooling.
- The Web UI is written in Simplified Chinese and can generate customized Insekt payloads, enabling remote control, payload deployment, screenshots, and remote command execution.
- The framework uses multiple protocols (TLS, SNI, WSS/WS) for C2 communication and supports HTTPS-based beacons and web-based administration.
- Insekt includes capabilities such as file/system discovery, arbitrary command execution, screenshot capture, SSH key manipulation, proxying, and port/IP scanning, with a CLI for RAT actions.
- The package includes macOS and Linux dropper components that exploit CVE-2021-4034 (pkexec) for privilege escalation, and ships with dual-use tools such as psexec and netcat for lateral movement.
- Delivery and deployment workflows rely on Web UI-driven payload generation, intranet scanning (fscan), and embedded assets stored under /tmp/Res, with in-memory patching of payloads for execution.
- The rise of all-inclusive, single-file C2 frameworks (e.g., Alchimist and Manjusaka) signals broader operator adoption of turnkey offensive tooling and remote administration capabilities.
MITRE Techniques
- [T1071.001] Web Protocols – C2 traffic is carried over web protocols. “The implant supports connecting to the C2 over either WSS/WS, TLS or SNI protocols.”
- [T1090] Proxy – Insekt can create “proxy” connections to other systems by its own mechanism or by simply using the socks5 protocol. “From the network point-of-view, Insekt can create ‘proxy’ connections to other systems by its own mechanism or by simply using the socks5 protocol.”
- [T1059] Command and Scripting Interpreter – The RAT CLI contains capabilities to execute commands on the host. “execute arbitrary commands on the operating system shell” and supports multiple shells (PowerShell, bash, and cmd.exe). “interactive shells based on PowerShell, bash and cmd.exe.”
- [T1059.001] PowerShell – PowerShell-based command execution as part of RAT capabilities. “PowerShell” in the CLI context. “interactive shells based on PowerShell, bash and cmd.exe.”
- [T1059.004] Unix Shell – Bash-based command execution on Linux/macOS. “interactive shells based on … bash” (as part of the RAT CLI).
- [T1113] Screen Capture – Insekt can start/stop taking screenshots. “Start/stop taking screenshots.”
- [T1098] SSH Authorized Keys – Linux variant lists contents of .ssh and adds new SSH keys to authorized_keys. “lists contents of ‘.ssh’ directory in the victim’s home directory and adds new SSH keys to the authorised_Keys file.”
- [T1087.002] Account Discovery – Enumerates users and domains. “net user /domain” and “net group ‘domain admins’ /domain”
- [T1021.001] Remote Services – Activates terminal services to facilitate remote access. “Activate terminal services”
- [T1562.004] Impair Defenses – Modifies firewall settings to enable access. “Disable firewall” and “Change firewall rules to allow incoming connections on a specific tcp port”
- [T1105] Ingress Tool Transfer – Payload generation and delivery involve downloading patched Insekt payloads. “the C2 accepts the configuration parameters … generates the customized Insekt payload” and later downloads the patched binary. “download the Insekt implant from http://45.32.132.166/msconfig.zip.”
Indicators of Compromise
- [IPv4] IP addresses – 149.28.54.212, 95.179.246.73, 149.28.36.160, 45.76.68.112, 3.86.255.88, 18.167.90.252
- [Domain] domains – www.google.com, www.apple.com, github.com
- [URL] download URL – http://45.32.132.166/msconfig.zip (scriptlet delivery)
- [File] payloads & artifacts – shell.msi (shellcode), msconfig.zip (Insekt payloads)
- [Certificate] TLS certificate details – serial 61b0feca645af9296aa422d2c289e1d13593dbb6; fingerprint 134a3d105eef24fab27ed0fb3729e271306bde6dc4e9d2a4a5c5d1c82b0390fe
- [Host/Server] C2 endpoints & ports – host 149.28.54.212 and ports 8443, 50423
- [Directory/Path] file drop locations – /tmp/Res, /tmp/Res/Payload, /tmp/Res/assets
- [URL/Service] embedded payload delivery host – 45.32.132.166 (msconfig.zip)
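The indicators above and the host-side behaviours listed under MITRE Techniques (drop paths under /tmp/Res, writes to authorized_keys) can be turned into a first-pass log matcher. The following Python is an added example written for this summary, not code from Talos or from the Alchimist/Insekt framework; the log lines are constructed for the demonstration, the field names (dst=, dport=, sha256=, path=, flags=) are an assumed log format, and the write-flag heuristic for authorized_keys is an assumption. The legitimate-looking domains in the IoC list (www.google.com, www.apple.com, github.com) are deliberately not matched, since they would flag ordinary traffic; a C2 port is only scored when it appears alongside a listed C2 address, for the same reason.

```python
"""First-pass matcher for Alchimist/Insekt indicators over constructed log lines.

Indicator values come from the summary above; everything else (log format,
sample lines, write-flag heuristic) is assumed for this example.
"""
import re

# Network indicators from the IoC section.
C2_IPS = {
    "149.28.54.212", "95.179.246.73", "149.28.36.160", "45.76.68.112",
    "3.86.255.88", "18.167.90.252", "45.32.132.166",
}
C2_PORTS = {8443, 50423}
DOWNLOAD_URL = "http://45.32.132.166/msconfig.zip"
TLS_FINGERPRINT = "134a3d105eef24fab27ed0fb3729e271306bde6dc4e9d2a4a5c5d1c82b0390fe"

# Assumed log-field layout (constructed for this example).
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
PORT = re.compile(r"\b(?:dport|port)=(\d+)")
SHA256 = re.compile(r"\b[0-9a-f]{64}\b")
DROP_PATH = re.compile(r"(/tmp/Res(?:/[\w.-]+)*)")          # /tmp/Res, /tmp/Res/Payload, ...
SSH_KEY_FILE = re.compile(r"(/\S*authorized_keys)")
SSH_WRITE = re.compile(r"O_WRONLY|O_APPEND|O_RDWR|O_TRUNC")  # heuristic: opened for writing


def classify(line):
    """Return a list of (indicator_type, value) hits for one log line."""
    hits = []

    ips = [ip for ip in IPV4.findall(line) if ip in C2_IPS]
    hits += [("c2_ip", ip) for ip in ips]

    # 8443 on its own is common; only score the port next to a listed C2 address.
    if ips:
        hits += [("c2_port", int(p)) for p in PORT.findall(line) if int(p) in C2_PORTS]

    if DOWNLOAD_URL in line:
        hits.append(("download_url", DOWNLOAD_URL))

    hits += [("tls_fingerprint", h) for h in SHA256.findall(line) if h == TLS_FINGERPRINT]

    # Host-side: embedded assets staged under /tmp/Res (see Key points).
    hits += [("drop_path", p) for p in DROP_PATH.findall(line)]

    # Host-side: T1098, authorized_keys opened for writing.
    key_file = SSH_KEY_FILE.search(line)
    if key_file and SSH_WRITE.search(line):
        hits.append(("ssh_key_write", key_file.group(1)))

    return hits


def scan(lines):
    """Return (line_index, hits) for every line that matched at least one indicator."""
    results = []
    for i, line in enumerate(lines):
        hits = classify(line)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample log lines (not real telemetry). 10.0.0.0/8 and
# 203.0.113.0/24 are private/documentation ranges used as stand-ins.
SAMPLE_LOGS = [
    "2022-10-13T10:01:02Z fw conn src=10.0.0.5 dst=149.28.54.212 dport=8443 proto=tcp",
    "2022-10-13T10:01:05Z proxy GET http://45.32.132.166/msconfig.zip client=10.0.0.5",
    "2022-10-13T10:01:09Z tls server=149.28.54.212 sha256=134a3d105eef24fab27ed0fb3729e271306bde6dc4e9d2a4a5c5d1c82b0390fe",
    "2022-10-13T10:02:00Z audit syscall=openat path=/tmp/Res/Payload/insekt flags=O_CREAT",
    "2022-10-13T10:02:30Z audit syscall=openat path=/home/user/.ssh/authorized_keys flags=O_WRONLY|O_APPEND",
    "2022-10-13T10:03:00Z fw conn src=10.0.0.7 dst=203.0.113.10 dport=8443 proto=tcp",
    "2022-10-13T10:03:10Z fw conn src=10.0.0.5 dst=95.179.246.73 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS):
        print(f"line {idx}: {hits}")
```

Run as a script it prints one line per matching sample entry; the benign 8443 connection (line 5) produces no hit, and the connection to 95.179.246.73 on port 443 is flagged on the address alone. In practice the address list should be refreshed from the linked Talos post, and the authorized_keys heuristic should be fed from an audit source that records open flags (auditd's openat records, for instance) rather than from plain shell logs.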
Read more: https://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html