Cybersecurity researchers have found that the malware known as BLOODALCHEMY, used in attacks targeting government organizations in Southern and Southeastern Asia, is in fact an updated version of Deed RAT, which is believed to be a successor to ShadowPad.
“The origin of BLOODALCHEMY and Deed RAT is ShadowPad and given the history of ShadowPad being utilized in numerous APT campaigns, it is crucial to pay special attention to the usage trend of this malware,” Japanese company ITOCHU Cyber & Intelligence said.
BLOODALCHEMY was first documented by Elastic Security Labs in October 2023 in connection with a campaign mounted by an intrusion set it tracks as REF5961 targeting the Association of Southeast Asian Nations (ASEAN) countries.
A barebones x86 backdoor written in C, it is injected into a signed benign process (“BrDifxapi.exe”) using a technique called DLL side-loading, and is capable of overwriting the toolset, gathering host information, loading additional payloads, and uninstalling and terminating itself.
“While unconfirmed, the presence of so few effective commands indicates that the malware may be a subfeature of a larger intrusion set or malware package, still in development, or an extremely focused piece of malware for a specific tactical usage,” Elastic researchers noted at the time.
Attack chains deploying the backdoor have been observed compromising a maintenance account on a VPN device to gain initial access and deploy BrDifxapi.exe, which is then used to sideload BrLogAPI.dll, a loader responsible for executing the BLOODALCHEMY shellcode in memory after extracting it from a file named DIFX.
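The side-loading layout described above (signed BrDifxapi.exe, BrLogAPI.dll beside it, shellcode carrier named DIFX) lends itself to a simple image-load detection. The script below is an added example, not code from ITOCHU, Elastic or the article; the key=value log format, the sample events and the directory listing are all constructed for illustration.

```python
"""Flag the BLOODALCHEMY side-load pairing in image-load telemetry.

Assumptions (constructed for this example, not from the article):
  - image-load records are flattened to "Key=Value Key=Value" lines
  - a separate listing of files in the host process's directory is available
"""
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry: two benign loads and one matching the chain.
SAMPLE_EVENTS = [
    "EventType=ImageLoad Image=C:\\Vendor\\Tools\\BrDifxapi.exe ImageLoaded=C:\\Windows\\System32\\kernel32.dll",
    "EventType=ImageLoad Image=C:\\Users\\Public\\svc\\BrDifxapi.exe ImageLoaded=C:\\Users\\Public\\svc\\BrLogAPI.dll",
    "EventType=ImageLoad Image=C:\\Windows\\notepad.exe ImageLoaded=C:\\Windows\\System32\\user32.dll",
]
# Constructed (hypothetical) directory listing of the loader's folder.
SAMPLE_DIR_FILES = {"C:\\Users\\Public\\svc": ["BrDifxapi.exe", "BrLogAPI.dll", "DIFX"]}

# Lazy value match up to the next " Key=" token, so values may contain spaces.
KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

def parse_event(line):
    """Turn one flattened log line into a dict of fields."""
    return dict(KV.findall(line))

def classify(event, dir_files):
    """Return a severity string for a matching image-load event, else None."""
    if event.get("EventType") != "ImageLoad":
        return None
    host = PureWindowsPath(event.get("Image", ""))
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))
    if host.name.lower() != "brdifxapi.exe" or loaded.name.lower() != "brlogapi.dll":
        return None
    # DLL resolved from the host's own directory: the classic side-load layout.
    same_dir = host.parent == loaded.parent
    # The article names DIFX as the file the loader extracts the shellcode from.
    siblings = [f.lower() for f in dir_files.get(str(host.parent), [])]
    has_difx = "difx" in siblings
    return "high" if same_dir and has_difx else "medium"

def scan(lines, dir_files):
    """Return (severity, host image, loaded image) for every matching event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        sev = classify(ev, dir_files)
        if sev:
            hits.append((sev, ev["Image"], ev["ImageLoaded"]))
    return hits
```

The rule keys on the host/DLL pairing rather than on BrDifxapi.exe alone, since the host binary is a legitimately signed executable that may appear on clean systems.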
The malware employs what is called a run mode that determines its behavior, effectively allowing it to evade analysis in sandbox environments, set up persistence, establish contact with a remote server, and control the infected host through the implemented backdoor commands.
ITOCHU’s analysis of BLOODALCHEMY has also identified code similarities with Deed RAT, a multifaceted malware used exclusively by a threat actor known as Space Pirates and considered the next iteration of ShadowPad, which is itself an evolution of PlugX.
“The first remarkably similar point is the unique data structures of the payload header in both BLOODALCHEMY and Deed RAT,” the company said. “Some similarities have been found in the loading process of shellcode, and the DLL file used to read the shellcode as well.”
It is worth noting that both PlugX (Korplug) and ShadowPad (aka PoisonPlug) have been extensively used by China-nexus hacking groups over the years.
The disclosure comes as a China-linked threat actor known as Sharp Dragon (previously Sharp Panda) has expanded its targeting to include governmental organizations in Africa and the Caribbean as part of an ongoing cyber espionage campaign.