New Alchimist Attack Framework Hits Windows, Linux and Mac

by hubie from SoylentNews on (#64V2G)

upstart writes:

An attack framework of probable Chinese origin, used by cybercriminals, has been discovered:

A standalone Command and Control (C2) server called "Alchimist" was recently discovered by Cisco Talos. The framework has been designed to run attacks via standalone GoLang-based executables that can be distributed easily. The framework found by Talos contains both the whole web user interface and the payloads.

[...] Alchimist, whose name has been given by its developer, uses GoLang-based assets, which are custom-made embedded packages, to store all the resources needed for its operations as a C2 server. During initialization, all its content is placed in hard-coded folders, namely /tmp/Res for the web interface, HTML files and more folders, and /tmp/Res/Payload for its payloads for Windows and Linux operating systems.

A self-signed certificate without any server name is also dropped in the /tmp folder (Figure A), together with its key for use in HTTPS communications. That certificate could be found on five different IP addresses on the Internet at the time of the research, all of them used for Alchimist.

[...] Most of the common features expected to handle Remote Administration Tool (RAT) malware are implemented in the interface, yet one stands out according to the researchers: the ability to generate PowerShell and wget code snippets for Windows and Linux systems. These commands might be embedded in malicious documents, LNK files or any other kind of files used for initial compromise, and download/install the additional payload provided by the framework: the Insekt RAT.

Read more of this story at SoylentNews.
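The two host and network artifacts the story names, a self-signed certificate with no server name dropped in /tmp and the hard-coded /tmp/Res and /tmp/Res/Payload folders, are what a defender would hunt for. The Go program below is an added example and is not code from the story, from Talos or from the framework itself. It constructs a self-signed certificate with an empty subject and no SAN to stand in for the one the researchers observed (the real certificate and its fingerprint are not on the page), flags any DER certificate that is both self-signed and nameless, computes the SHA-256 fingerprint one would pivot on in internet-scan data to find other servers presenting the same certificate, and reports which of the drop folders exist under a given root. The function names, the constructed certificates and the hostnames are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"os"
	"path/filepath"
	"time"
)

// CertFindings returns the reasons a DER-encoded certificate matches the
// pattern the researchers describe: self-signed and carrying no server name.
// An empty result means the certificate does not match the pattern.
func CertFindings(der []byte) ([]string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	var findings []string
	// Self-signed: issuer equals subject and the certificate's own public key
	// verifies its signature. CheckSignature is used rather than
	// CheckSignatureFrom because the latter rejects a parent that lacks the
	// CA basic constraint, which a leaf-style C2 certificate will not have.
	if bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		findings = append(findings, "self-signed")
	}
	// No server name anywhere: empty subject CN and no DNS or IP SAN entries.
	if cert.Subject.CommonName == "" && len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0 {
		findings = append(findings, "no server name (empty CN, no SAN)")
	}
	return findings, nil
}

// Fingerprint returns the hex SHA-256 fingerprint of a DER certificate, the
// value to search for in scan datasets to find other hosts serving it.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// DropPathsPresent reports which of the hard-coded Alchimist drop folders
// exist below root. On a live Linux host root would be "/tmp"; callers may
// pass any directory so the check can be exercised safely.
func DropPathsPresent(root string) []string {
	var found []string
	for _, rel := range []string{"Res", filepath.Join("Res", "Payload")} {
		p := filepath.Join(root, rel)
		if fi, err := os.Stat(p); err == nil && fi.IsDir() {
			found = append(found, p)
		}
	}
	return found
}

// MakeSelfSigned builds a constructed self-signed certificate for this example.
// With cn == "" and no names it mimics the nameless certificate the story
// describes; with a CN or SAN it serves as a benign control.
func MakeSelfSigned(cn string, dnsNames []string, ips []net.IP) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	// Signing the template with its own key makes the certificate self-signed.
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	nameless, err := MakeSelfSigned("", nil, nil)
	if err != nil {
		panic(err)
	}
	findings, _ := CertFindings(nameless)
	fmt.Println("constructed nameless cert:", findings)
	fmt.Println("fingerprint to pivot on:", Fingerprint(nameless))
	fmt.Println("drop folders under /tmp:", DropPathsPresent("/tmp"))
}
```

A certificate that is merely self-signed is common on test servers, so the heuristic only becomes interesting when both findings appear together; on a real host the same fingerprint function applied to the certificate file in /tmp gives the value to feed into a scan dataset, which is how the researchers tied the certificate to five addresses.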
