
BLOODALCHEMY Backdoor

Security researchers have recently identified a backdoor used in cyberattacks against government bodies and organizations belonging to the Association of Southeast Asian Nations (ASEAN). Named 'BLOODALCHEMY' by the researchers, the backdoor targets x86 systems and is one component of the REF5961 intrusion set, which has recently been attributed to a group with apparent links to China.

An intrusion set is the combination of recognized tactics, techniques, and tools observed in an attack, together with the broader campaigns those attacks belong to. An intrusion set is usually attributed to a single, as yet unidentified, threat actor. Notably, the REF5961 toolset was also observed in a separate espionage-focused attack against the government of Mongolia.

The BLOODALCHEMY Backdoor is Still Under Active Development

BLOODALCHEMY is the new backdoor used by the operators behind REF5961. Although skilled malware developers were clearly involved in its creation, it appears to be a project that is not yet fully mature.

While it is a working piece of malware and one of the three newly disclosed malware families extracted from REF5961 operations, its capabilities remain fairly limited.

Though unconfirmed, the small number of working commands suggests that this malware may be one component of a larger intrusion set or malware suite that is still under development, or that it is a highly specialized tool built for a specific tactical purpose.

Multiple Persistence Mechanisms Uncovered in the BLOODALCHEMY Backdoor

The researchers identified a small set of core commands in the BLOODALCHEMY malware. These commands cover functions such as updating the malware toolset, launching the malware program, uninstalling and terminating it, and collecting host information.

The uninstall command proved particularly revealing, because it exposed the techniques BLOODALCHEMY uses to maintain persistence on the targeted system. The backdoor establishes persistence by copying itself into a designated folder, typically named 'Test', in which the malware binary is stored as 'test.exe'. Which parent directory holds the persistence folder depends on the privilege level BLOODALCHEMY runs with, and is one of four locations: ProgramFiles, ProgramFiles(x86), Appdata or LocalAppData\Programs.
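The four persistence locations above give a defender a concrete hunt: check each root for a 'Test' folder holding 'test.exe'. The following Python script is an added example written for this page, not code from the original report or from the researchers; it resolves the four roots from the environment variables Windows normally sets (ProgramFiles, ProgramFiles(x86), APPDATA, LOCALAPPDATA, an assumption of this example), builds the candidate paths, and reports those that exist. The environment dictionary and file list used at the bottom are constructed test values so the script runs offline.

```python
import os
from pathlib import PureWindowsPath

# Environment variables that point at the four roots named in the report.
# The mapping from variable to root is an assumption of this example; the
# report itself only names the directories.
PERSISTENCE_ROOT_VARS = ("ProgramFiles", "ProgramFiles(x86)", "APPDATA", "LOCALAPPDATA")

# Folder and file names the report associates with the persistence copy.
PERSISTENCE_DIR = "Test"
PERSISTENCE_FILE = "test.exe"


def candidate_paths(env):
    """Build the candidate 'Test\\test.exe' paths for every root present in env.

    env is any mapping of environment variable names to values (os.environ on a
    live host, or a constructed dict when testing). Roots that are not set are
    skipped rather than guessed.
    """
    paths = []
    for var in PERSISTENCE_ROOT_VARS:
        root = env.get(var)
        if not root:
            continue
        base = PureWindowsPath(root)
        if var == "LOCALAPPDATA":
            # The report names LocalAppData\Programs, not LocalAppData itself.
            base = base / "Programs"
        paths.append(str(base / PERSISTENCE_DIR / PERSISTENCE_FILE))
    return paths


def find_persistence_artifacts(env, exists=os.path.exists):
    """Return the candidate paths that actually exist.

    `exists` is injectable so the logic can be exercised with a constructed
    file list; on a real host the default os.path.exists is used.
    """
    return [p for p in candidate_paths(env) if exists(p)]


# Constructed sample environment and file list (not from a real host).
SAMPLE_ENV = {
    "ProgramFiles": r"C:\Program Files",
    "ProgramFiles(x86)": r"C:\Program Files (x86)",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
}
SAMPLE_FILES = {r"C:\Program Files (x86)\Test\test.exe"}


def sample_hits():
    """Run the hunt against the constructed sample data."""
    return find_persistence_artifacts(SAMPLE_ENV, exists=lambda p: p in SAMPLE_FILES)


if __name__ == "__main__":
    # On a real Windows host: find_persistence_artifacts(os.environ)
    for hit in sample_hits():
        print("possible BLOODALCHEMY persistence artifact:", hit)
```

A hit on any of these paths is a lead, not a verdict: the file should be hashed and its reputation and signature checked before it is treated as the implant, and a clean result here does not rule out other placement when the malware runs in one of its other modes.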

BLOODALCHEMY is also flexible in how it runs and conceals itself. It masks data with classic string encryption and additional obfuscation techniques, and, depending on its configuration, runs in the main thread or a separate one, runs as a service, or injects shellcode into a newly started Windows process.

The BLOODALCHEMY Backdoor is Part of a Larger Malware Toolset

BLOODALCHEMY belongs to the REF5961 intrusion set, which contains three new malware families used in ongoing attacks. These malware families have since been linked to earlier attacks.

Malware samples from REF5961 have also been found in an earlier intrusion set, REF2924, which is believed to have been used in attacks on ASEAN members, including the Mongolian Ministry of Foreign Affairs. The three new malware families in REF5961 have been named EAGERBEE, RUDEBIRD, and DOWNTOWN.

Shared victimology, tooling, and execution flows observed across multiple campaigns against ASEAN members have led researchers to assess that the operators of REF5961 are China-aligned.
