The Mac Security Blog

Malware

Malware Attack Framework “Alchimist” Designed to Exploit Macs

Posted on by

Researchers recently discovered a new malware attack framework known as Alchimist. Threat actors use Alchimist to infect and remotely control macOS, Linux, and Windows computers. It is likely to have been used in the wild.

Interestingly, Alchimist was discovered alongside a malicious Mac app designed to exploit a known vulnerability (CVE-2021-3034) in Polkit pkexec, a command-line utility that allows an authorized user to execute an app as though they were another user.

The vulnerability—nicknamed PwnKit, a play on the name Polkit—can be exploited to allow an attacker to gain local privilege escalation. This means that the attacker could run commands or malicious software with full administrative rights. The pkexec flaw went undetected for more than twelve years before researchers discovered it in November 2021.

Although the pkexec utility is included by default with every major Linux distribution, Apple doesn’t include it with Mac operating systems. Therefore it isn’t entirely clear why the Alchimist developers designed Mac malware to exploit a vulnerability in a utility that isn’t included with macOS. Perhaps the malware makers hoped to install pkexec and then exploit it on targeted Macs, or perhaps they were targeting someone known to use pkexec on Macs.

How can one remove or prevent Alchimist-related malware?

Intego X9 software boxesIntego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, can protect against, detect, and eliminate malware and exploits associated with the Alchimist framework.

If you believe your Mac may have been infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on both Intel- and Apple silicon-based Macs, and it’s compatible with Apple’s upcoming Mac operating system, macOS Ventura.

If you’re a Windows user, Intego Antivirus for Windows can protect your PC from Alchimist-related threats as well.

Is Alchimist known by any other names?

Intego VirusBarrier and Intego Antivirus for Windows detect this malware and related components as backdoor/BDS/Agent.ekgi, OSX/CVE-2021-4034, OSX/OSX.CVE.beswh, OSX/OSX.CVE.ykpzz, trojan/TR/Batch.A, trojan/TR/Redcap.flcv, trojan/TR/Rozena.57446, virus/HTML/ExpKit.Gen, virus/LINUX/Agent.cpde, virus/LINUX/Agent.faqs, virus/LINUX/Agent.F, virus/LINUX/Agent.gzsh, virus/LINUX/Agent.igtr, virus/LINUX/Agent.jktr, virus/LINUX/Agent.jnxv, virus/LINUX/Agent.vzom, and virus/LINUX/Dldr.Agent.csjv.

Other vendors may also use the malware family names Insekt, EternalBlue, or Reshel for various components.

Indicators of compromise (IoCs)

The following SHA-256 hashes belong to known files associated with Alchimist and related malware campaigns:

0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d
21774b77bbf7739178beefe647e7ec757b08367c2a2db6b5bbc0d2982310ef12
2da9a09a14c52e3f3d8468af24607602cca13bc579af958be9e918d736418660
2f4ef5da60db676272ad102ce0ce7d96f63449400e831a2c6861cf3e61846785
3329dc95c8c3a8e4f527eda15d64d56b3907f231343e97cfe4b29b51d803e270
3b37dacfaf4f246105b399aa44700965931d6605b8e609feeb511050fc747a0b
43a749766b780004527b34b3816031c204b31e8dea67af0a7a05073ff1811046
4837be90842f915e146bf87723e38cc0533732ba1a243462417c13efdb732dcb
56ca5d07fa2e8004a008222a999a97a6c27054b510e8dd6bd22048b084079e37
574467b68ba2c59327d79dfc12e58577d802e25a292af3b3b1e327858a978e4a
57e4b180fd559f15b59c43fb3335bd59435d4d76c4676e51a06c6b257ce67fb2
ae9f370c89f0191492ed9c17a224d9c41778b47ca2768f732b4de6ee7d0d1459
b44105e3a480e55ac0d8770074e3af92307d172b050beb7542a1022976f8e5a2
c9ec5cc0165d1b84fcb767359cf05c30bd227c1f76fbd5855a1286371c08c320
ca72fa64ed0a9c22d341a557c6e7c1b6a7264b0c4de0b6f717dd44bddf550bca
d80fb2c0fb95f79ab7b356b9e3b33a0553e0e5240372620e87e5be445c5586f8
d94fa98977a9f23b38d6956aa2bf293cf3f44d1d24fd13a8789ab5bf3e95f560
ec8617cc24edd3d87a5f5b4ae14e2940e493e4cc8e0a7c28e46012481ca58080
ed487be94bb2a1bc861d9b2871c71aa56dc87f157d4bf88aff02f0054f9bbd41
ef130f1941077ffe383fe90e241620dde771cd0dd496dad29d2048d5fc478faf

The following IP addresses appear to have had ties with this malware or related campaigns.

3.86.255[.]88
45.32.132[.]166
95.179.246[.]73
149.28.36[.]160
149.28.54[.]212

Network administrators can check logs to try to identify whether any computers on their network may have attempted to contact one of these IPs, which could indicate a possible infection.

How can I learn more?

For additional technical details about the Alchimist attack framework and its use in recent malware campaigns, you can read the recent write-up by C. Raghuprasad, A. Malhotra, V. Ventura, with M. Thaxton.

We discussed Alchimist briefly on episode 262 of the Intego Mac Podcast. Be sure to follow the podcast to make sure you don’t miss any episodes!

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →