Hello and welcome to the Friday, October 14, 2020 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich and I'm recording from Riyadh, Saudi Arabia.

Cisco's Talas research team published a blog post today describing a new attack framework that they're calling

Alchemist and Insect. Alchemist is the command control server implementing a web-based

interface to control systems infected by the insect implant. Alchemist is implemented as a simple single file and executable. This, of course,

makes it kind of easy to install on random compromised web servers that the attacker may be using

as part of their command control infrastructure. It does run on Windows and Linux and TELUS states that the overall

design is reminiscent of Manjuska, if I pronounce this correctly, a command control framework

that TALIS discovered a short while ago. As a victim connects to the Alchemist Command Control

server, the insect payload is then generated on the fly. There is sort of a template that's

present on the server and it hot patches than some customized configuration parameters

for the particular victim connecting.

TALIS lists more details and tips on detections in its blog post,

and of course there are already some snort rules available for that.

The Alchemist command control server has been seen, as I said, on Windows and Linux, but the insect implant does

also work on Mac OS.

VM2 is a JavaScript sandbox meant to isolate untrusted code.

Always something difficult to get right.

The sandbox is not only very popular.

It has 16 million downloads a month, but it also suffered from a vulnerability that, well,

allowed malicious code to escape the sandbox, which then, of course, could lead to arbitrary

code execution on the host running any software that depends on the VM2 sandbox.

...