{"id":96364,"date":"2022-10-20T12:13:32","date_gmt":"2022-10-20T19:13:32","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=96364"},"modified":"2022-10-23T22:44:21","modified_gmt":"2022-10-24T05:44:21","slug":"malware-attack-framework-alchimist-designed-to-exploit-macs","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/malware-attack-framework-alchimist-designed-to-exploit-macs\/","title":{"rendered":"Malware Attack Framework “Alchimist” Designed to Exploit Macs"},"content":{"rendered":"

\"\"<\/p>\n

Researchers recently discovered a new malware attack framework known as Alchimist. Threat actors use Alchimist to infect and remotely control macOS, Linux, and Windows computers. It is likely to have been used in the wild.<\/strong><\/p>\n

Interestingly, Alchimist was discovered alongside a malicious Mac app designed to exploit a known vulnerability (CVE-2021-3034<\/a>) in Polkit pkexec, a command-line utility that allows an authorized user to execute an app as though they were another user.<\/p>\n

The vulnerability\u2014nicknamed PwnKit, a play on the name Polkit\u2014can be exploited to allow an attacker to gain local privilege escalation. This means that the attacker could run commands or malicious software with full administrative rights. The pkexec flaw went undetected for more than twelve years before researchers discovered it in November 2021.<\/p>\n

Although the pkexec utility is included by default with every major Linux distribution, Apple doesn’t include it with Mac operating systems. Therefore it isn’t entirely clear why the Alchimist developers designed Mac malware to exploit a vulnerability in a utility that isn’t included with macOS. Perhaps the malware makers hoped to install pkexec and then exploit it on targeted Macs, or perhaps they were targeting someone known to use pkexec on Macs.<\/p>\n

How can one remove or prevent Alchimist-related malware?<\/h3>\n

\"IntegoIntego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9<\/a><\/strong>, can protect against, detect, and eliminate malware and exploits associated with the Alchimist framework.<\/p>\n

If you believe your Mac may have been infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier\u00a0is award-winning antivirus software, designed by Mac security experts, that includes real-time protection<\/a>. It runs natively on both Intel- and Apple silicon-based Macs, and it’s compatible with Apple’s upcoming Mac operating system, macOS Ventura.<\/p>\n

If you’re a Windows user, Intego Antivirus for Windows<\/strong><\/a> can protect your PC from Alchimist-related threats as well.<\/a><\/p>\n

Is Alchimist known by any other names?<\/h3>\n

Intego VirusBarrier<\/a> and Intego Antivirus for Windows<\/a> detect this malware and related components as backdoor\/BDS\/Agent.ekgi, OSX\/CVE-2021-4034, OSX\/OSX.CVE.beswh, OSX\/OSX.CVE.ykpzz, trojan\/TR\/Batch.A, trojan\/TR\/Redcap.flcv, trojan\/TR\/Rozena.57446, virus\/HTML\/ExpKit.Gen, virus\/LINUX\/Agent.cpde, virus\/LINUX\/Agent.faqs, virus\/LINUX\/Agent.F, virus\/LINUX\/Agent.gzsh, virus\/LINUX\/Agent.igtr, virus\/LINUX\/Agent.jktr, virus\/LINUX\/Agent.jnxv, virus\/LINUX\/Agent.vzom, and virus\/LINUX\/Dldr.Agent.csjv.<\/p>\n

Other vendors may also use the malware family names Insekt, EternalBlue, or Reshel for various components.<\/p>\n

Indicators of compromise (IoCs)<\/h3>\n

The following SHA-256 hashes belong to known files associated with Alchimist and related malware campaigns:<\/p>\n

0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d\r\n21774b77bbf7739178beefe647e7ec757b08367c2a2db6b5bbc0d2982310ef12\r\n2da9a09a14c52e3f3d8468af24607602cca13bc579af958be9e918d736418660\r\n2f4ef5da60db676272ad102ce0ce7d96f63449400e831a2c6861cf3e61846785\r\n3329dc95c8c3a8e4f527eda15d64d56b3907f231343e97cfe4b29b51d803e270\r\n3b37dacfaf4f246105b399aa44700965931d6605b8e609feeb511050fc747a0b\r\n43a749766b780004527b34b3816031c204b31e8dea67af0a7a05073ff1811046\r\n4837be90842f915e146bf87723e38cc0533732ba1a243462417c13efdb732dcb\r\n56ca5d07fa2e8004a008222a999a97a6c27054b510e8dd6bd22048b084079e37\r\n574467b68ba2c59327d79dfc12e58577d802e25a292af3b3b1e327858a978e4a\r\n57e4b180fd559f15b59c43fb3335bd59435d4d76c4676e51a06c6b257ce67fb2\r\nae9f370c89f0191492ed9c17a224d9c41778b47ca2768f732b4de6ee7d0d1459\r\nb44105e3a480e55ac0d8770074e3af92307d172b050beb7542a1022976f8e5a2\r\nc9ec5cc0165d1b84fcb767359cf05c30bd227c1f76fbd5855a1286371c08c320\r\nca72fa64ed0a9c22d341a557c6e7c1b6a7264b0c4de0b6f717dd44bddf550bca\r\nd80fb2c0fb95f79ab7b356b9e3b33a0553e0e5240372620e87e5be445c5586f8\r\nd94fa98977a9f23b38d6956aa2bf293cf3f44d1d24fd13a8789ab5bf3e95f560\r\nec8617cc24edd3d87a5f5b4ae14e2940e493e4cc8e0a7c28e46012481ca58080\r\ned487be94bb2a1bc861d9b2871c71aa56dc87f157d4bf88aff02f0054f9bbd41\r\nef130f1941077ffe383fe90e241620dde771cd0dd496dad29d2048d5fc478faf<\/pre>\n
The following IP addresses appear to have had ties with this malware or related campaigns.<\/p>\n
3.86.255[.]88\r\n45.32.132[.]166\r\n95.179.246[.]73\r\n149.28.36[.]160\r\n149.28.54[.]212\r\n<\/pre>\n
Network administrators can check logs to try to identify whether any computers on their network may have attempted to contact one of these IPs, which could indicate a possible infection.<\/a><\/p>\n
How can I learn more?<\/h3>\n
For additional technical details about the Alchimist attack framework and its use in recent malware campaigns, you can read the recent write-up by C. Raghuprasad, A. Malhotra, V. Ventura, with M. Thaxton<\/a>.<\/p>\n
We discussed Alchimist briefly on episode 262<\/a>\u00a0of the Intego Mac Podcast<\/strong><\/a>. Be sure to follow the podcast<\/a> to make sure you don\u2019t miss any episodes!<\/p>\n