Threat Management, Malware

Researchers detail new C2 attack framework targeting Windows, macOS and Linux

A Cisco logo sits illuminated at a conference.
Cisco Talos researchers detailed a new attack framework being used to target Windows, Linux and Mac operating systems. (Photo by David Ramos/Getty Images)

Researchers have discovered a new Chinese-language single-file command-and-control (C2) attack framework being widely used in attacks targeting Windows, Linux and Mac machines.

The framework called "Alchimist" is a 64-bit Linux executable written in GoLang and loaded with resources for web interface and Inseket RAT payloads compiled for Windows and Linux, according to a new report from Cisco Talos.

"Alchimist C2 has a web interface written in simplified Chinese and can generate a configured payload, establish remote sessions, deploy payload to the remote machines, capture screenshots, perform remote shellcode execution and run arbitrary commands," the report noted.

The framework shares similarities with a separate tool called Manjusaka that Cisco Talos discovered in August: both are single-file based with the implants and the web interfaces, and both are written in Chinese. But there are differences when it comes to implementation.

While Manjusaka authors use Gin web framework and packr, an asset bundling framework, to place and store the implants, Alchimist developers implemented all its functionality using basic GoLang features.

In addition, Cisco Talos researchers found that apart from the regular HTTP/S, Alchimist also supports protocols like SNI, WSS/WS. Manjusaka, on the other hand, only supports HTTP despite SNI, WSS/WS being mentioned in its documentation.

"Both frameworks are gaining popularity with threat actors across the world as many look to diversify their arsenal from popular tools, such as Cobalt Strike and Sliver," according to a Cisco Talos threat researcher.

In response to this attack framework, the Cisco Talos researcher suggested that defenders should implement a layered security model that detects and blocks threats across different attack surfaces, such as endpoint, email and network. Security teams should be on the lookout for unusual traffic and be cautious of endpoints reaching out and talking to suspicious external servers.

Researchers also found a malicious executable written in GoLang for macOS on an active C2 server they analyzed. The executable performs like a malware dropper that contains an exploit for a privilege escalation vulnerability (CVE-2021-4034) in polkit's pkexec utility.

"However, this utility is not installed on MacOSX by default, meaning the elevation of privileges is not guaranteed. Along with the exploit, the dropper would bind a shell to a port providing the operators with a remote shell on the victim machine," the report read.

Michael Daniel, president and CEO of Cyber Threat Alliance, told SC Media that it is likely that Chinese criminal groups want a framework like Alchimist to make it easier for affiliates to use them as it does not require English-language skills.

"Chinese government cyber actors frequently use commodity criminal tools to carry out their activities in order to make attribution more difficult, but I wouldn't read too much into this finding other than there is a market for malware that can be easily operated by Chinese-language speakers," Daniel added.

Menghan Xiao

Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and Jack Modzelewski Scholarship Fund.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.