A previously undocumented command-and-control (C2) framework dubbed Alchimist is most likely being used in the wild to target Windows, macOS, and Linux systems.
The Alchimist C2 can generate a configured payload, establish remote sessions, deploy payloads to remote machines, capture screenshots, perform remote shellcode execution, and run arbitrary commands.
The security firm also found additional tools, such as a Mach-O dropper embedded with an exploit for the PwnKit (CVE-2021-4034) flaw and a Mach-O bind-shell backdoor.
The attack framework is advertised as an imitation of the Cobalt Strike framework; the researchers reported that the implants for the new malware family are written in Rust for Windows and Linux.
The trojan, for its part, comes with capabilities commonly found in backdoors of this kind, allowing the malware to obtain process information, capture screenshots, run arbitrary commands, and download remote files, among others.
The Linux version of Insekt is capable of listing the contents of the ".ssh" directory and even adding new SSH keys to the "~/.ssh/authorized_keys" file to facilitate remote access over SSH.
But in a sign that the threat actor behind the operation also has macOS in its sights, Talos said it found a Mach-O dropper that exploits the PwnKit vulnerability (CVE-2021-4034) to achieve privilege escalation.
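The authorized_keys tampering described above is one of the easier Insekt behaviours to audit for on a Linux host. The following script is an added example written for this page (it is not Talos's code and not part of Alchimist or Insekt): it parses an authorized_keys file in OpenSSH's format (optional options field, key type, base64 blob, optional comment), computes each key's SHA256 fingerprint the way `ssh-keygen -lf` does, and reports any key whose fingerprint is not in an approved baseline. The sample file, the key blobs and the baseline are constructed for the demonstration; the blobs have the correct ssh-ed25519 wire layout but are not real keys.

```python
import base64
import hashlib
import shlex
import struct

# Key types OpenSSH accepts in authorized_keys. They are used to locate the
# key-type token, because an optional options field may precede it.
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_pubkey: bytes) -> str:
    """Build a base64 ssh-ed25519 public-key blob. Constructed test data only:
    raw_pubkey is not a real key, but the blob has the correct wire layout."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_pubkey)
    return base64.b64encode(blob).decode()


def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """Parse authorized_keys lines into dicts (line, options, type, fingerprint, comment).
    Lines that cannot be parsed are returned with an 'error' key instead."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # keeps quoted option values together
        except ValueError:
            entries.append({"line": lineno, "error": "unbalanced quotes"})
            continue
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append({"line": lineno, "error": "no key-type/blob pair"})
            continue
        try:
            fp = fingerprint(tokens[idx + 1])
        except ValueError:  # binascii.Error is a ValueError subclass
            entries.append({"line": lineno, "error": "undecodable key blob"})
            continue
        entries.append({
            "line": lineno,
            "options": " ".join(tokens[:idx]),
            "type": tokens[idx],
            "fingerprint": fp,
            "comment": " ".join(tokens[idx + 2:]),
        })
    return entries


def audit_authorized_keys(text: str, baseline: set) -> list:
    """Return findings for keys not in the approved baseline, plus unparseable lines."""
    findings = []
    for e in parse_authorized_keys(text):
        if "error" in e:
            findings.append({"line": e["line"], "reason": e["error"]})
        elif e["fingerprint"] not in baseline:
            findings.append({"line": e["line"], "reason": "unapproved key",
                             "fingerprint": e["fingerprint"], "comment": e["comment"]})
    return findings


# Constructed sample: one provisioned key and one key nobody provisioned.
APPROVED_BLOB = make_ed25519_blob(b"\x11" * 32)
ROGUE_BLOB = make_ed25519_blob(b"\x22" * 32)
BASELINE = {fingerprint(APPROVED_BLOB)}
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample authorized_keys
ssh-ed25519 {APPROVED_BLOB} admin@workstation
command="/usr/bin/backup",no-pty ssh-ed25519 {ROGUE_BLOB} backup
ssh-ed25519 {ROGUE_BLOB}
"""

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE):
        print(finding)
```

In practice the baseline would be the set of fingerprints your provisioning system expects on that host, and the script would be run against every user's `~/.ssh/authorized_keys` (root's included) on a schedule or from a file-integrity alert, so that a key appended by an implant shows up as an unapproved fingerprint rather than going unnoticed.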
"Nonetheless, this [pkexec] utility is not installed on MacOSX by default, which means the elevation of privileges is not certain," Talos noted.
The overlapping functionality of Manjusaka and Alchimist points to an uptick in the use of "all-inclusive C2 frameworks" that can be used for remote administration and command-and-control.
IOCs

IP addresses:
45.32.132.166
149.28.54.212
95.179.246.73
149.28.36.160

URLs:
http://45.32.132.166/client_
http://45.32.132.166/
http://45.32.132.166/psexec64.exe
http://45.32.132.166/frpc
http://45.32.132.166/down.sct
http://45.32.132.166/client_arm
http://45.32.132.166/fs21774b77bbf7739178beefe647e7ec757b08367c2a2db6b5bbc0d2982310ef12
http://45.32.132.166/client
http://45.32.132.166/sump
http://45.32.132.166/zzz_exploit.py
http://45.32.132.166/exploit
http://45.32.132.166/Alchimist
http://45.32.132.166/ltmp
http://45.32.132.166/1tmp
http://45.32.132.166/nc.zip
http://45.32.132.166/msconfig.zip
http://45.32.132.166/shell.msi

SHA256 hashes:
4837be90842f915e146bf87723e38cc0533732ba1a243462417c13efdb732dcb
d94fa98977a9f23b38d6956aa2bf293cf3f44d1d24fd13a8789ab5bf3e95f560
2f4ef5da60db676272ad102ce0ce7d96f63449400e831a2c6861cf3e61846785
43a749766b780004527b34b3816031c204b31e8dea67af0a7a05073ff1811046
21774b77bbf7739178beefe647e7ec757b08367c2a2db6b5bbc0d2982310ef12
56ca5d07fa2e8004a008222a999a97a6c27054b510e8dd6bd22048b084079e37
ed487be94bb2a1bc861d9b2871c71aa56dc87f157d4bf88aff02f0054f9bbd41
ae9f370c89f0191492ed9c17a224d9c41778b47ca2768f732b4de6ee7d0d1459
ef130f1941077ffe383fe90e241620dde771cd0dd496dad29d2048d5fc478faf
0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d
c9ec5cc0165d1b84fcb767359cf05c30bd227c1f76fbd5855a1286371c08c320
6861b7490519f3e127f9a6f46c3e41daac6eb4083d3c3e0ccfcb771e9ec3cfba
3e59379f585ebf0becb6b4e06d0fbbf806de28a4bb256e837b4555f1b4245571
a9affdcdb398d437e2e1cd9bc1ccf2d101d79fc6d87e95e960e50847a141faa4
3b37dacfaf4f246105b399aa44700965931d6605b8e609feeb511050fc747a0b
2da9a09a14c52e3f3d8468af24607602cca13bc579af958be9e918d736418660
574467b68ba2c59327d79dfc12e58577d802e25a292af3b3b1e327858a978e4a
ec8617cc24edd3d87a5f5b4ae14e2940e493e4cc8e0a7c28e46012481ca58080
b44105e3a480e55ac0d8770074e3af92307d172b050beb7542a1022976f8e5a2
d80fb2c0fb95f79ab7b356b9e3b33a0553e0e5240372620e87e5be445c5586f8
3329dc95c8c3a8e4f527eda15d64d56b3907f231343e97cfe4b29b51d803e270
ca72fa64ed0a9c22d341a557c6e7c1b6a7264b0c4de0b6f717dd44bddf550bca
57e4b180fd559f15b59c43fb3335bd59435d4d76c4676e51a06c6b257ce67fb2
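A mixed IOC list like the one above is only useful once it is sorted by indicator type and matched against telemetry. The script below is an added example written for this page (not Talos's tooling): it takes a whitespace-separated IOC block, classifies each token as an IPv4 address, a URL or a SHA256 hash, and then sweeps proxy, EDR and DNS log lines for any of them. The IOC_TEXT block is a subset of the indicators listed above; the log lines are constructed for the demonstration, with 10.0.0.0/8 and 203.0.113.0/24 addresses standing in for internal and benign external hosts.

```python
import ipaddress
import re

# Subset of the indicators listed on this page, used as sample input.
IOC_TEXT = """
45.32.132.166 149.28.54.212 95.179.246.73 149.28.36.160
http://45.32.132.166/client_ http://45.32.132.166/psexec64.exe http://45.32.132.166/shell.msi
4837be90842f915e146bf87723e38cc0533732ba1a243462417c13efdb732dcb
21774b77bbf7739178beefe647e7ec757b08367c2a2db6b5bbc0d2982310ef12
"""

# Constructed log lines (not real telemetry).
SAMPLE_LOGS = [
    '2022-10-13T10:01:02Z proxy src=10.0.0.5 dst=45.32.132.166 url="http://45.32.132.166/psexec64.exe" status=200',
    '2022-10-13T10:01:09Z edr host=ws01 event=process_create sha256=4837BE90842F915E146BF87723E38CC0533732BA1A243462417C13EFDB732DCB',
    '2022-10-13T10:02:00Z proxy src=10.0.0.7 dst=203.0.113.10 url="https://example.com/" status=200',
    '2022-10-13T10:03:00Z dns host=ws02 query=update.example.net answer=149.28.36.160',
]

# Lookarounds keep an address or hash from matching inside a longer run of digits.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
SHA256_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])")


def classify_iocs(text: str) -> dict:
    """Split a whitespace-separated IOC block into ip / url / sha256 sets.
    Tokens that fit none of the three types are ignored."""
    iocs = {"ip": set(), "url": set(), "sha256": set()}
    for tok in text.split():
        if tok.startswith(("http://", "https://")):
            iocs["url"].add(tok)
        elif re.fullmatch(r"[0-9a-fA-F]{64}", tok):
            iocs["sha256"].add(tok.lower())
        else:
            try:
                ipaddress.ip_address(tok)
                iocs["ip"].add(tok)
            except ValueError:
                pass
    return iocs


def scan_logs(lines: list, iocs: dict) -> list:
    """Return one hit per (line, indicator) pair found in the log lines."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        seen = set()
        for ip in IPV4_RE.findall(line):
            if ip in iocs["ip"]:
                seen.add(("ip", ip))
        for digest in SHA256_RE.findall(line):
            if digest.lower() in iocs["sha256"]:
                seen.add(("sha256", digest.lower()))
        for url in iocs["url"]:
            if url in line:  # exact URL, so /client_ does not match /client_arm's siblings by accident
                seen.add(("url", url))
        for kind, value in sorted(seen):
            hits.append({"line": lineno, "type": kind, "value": value, "log": line})
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, classify_iocs(IOC_TEXT)):
        print(f"line {hit['line']}: {hit['type']} {hit['value']}")
```

Hash matching is case-insensitive because EDR products disagree on hex case, and URL matching is an exact substring check so that a short indicator such as `http://45.32.132.166/client_` does not match a longer, different path unless that prefix actually appears. Feeding the full list from this page into IOC_TEXT needs no other change.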