The PolySwarm Blog


BloodAlchemy Targeted Government Entities in Asia

Jun 3, 2024 1:36:40 PM / by The Hivemind

BLOODALCHEMY
Related Families: ShadowPad, Deed RAT
Verticals Targeted: Government 

Executive Summary

BloodAlchemy backdoor was observed targeting government entities in Southern and Southeast Asia.

Key Takeaways

  • BloodAlchemy backdoor was observed targeting government entities in Southern and Southeast Asia.
  • BloodAlchemy, which appears to still be under active development, is an evolved version of Deed RAT, which was the successor to ShadowPad.
  • While BloodAlchemy has not been definitively attributed to a particular threat actor, Vapor Panda may be responsible for this activity. 

What is BloodAlchemy?

BloodAlchemy is a backdoor that was observed targeting government entities in Southern and Southeast Asia. ITOCHU recently published research on it.

BloodAlchemy was first seen in the wild in May 2023, when it was used in an attack on government entities in Asia. It is an x86 backdoor written in C. It is not a novel malware family: it appears to be an evolved version of Deed RAT, which was itself the successor to ShadowPad.

ShadowPad was first seen in the wild in July 2017. Originally used by the threat actor group Wicked Panda, ShadowPad was later used by multiple China-nexus threat actor groups. Deed RAT, which the Space Pirates threat actor group used to target Russian aerospace entities in 2022, was an evolution of ShadowPad.

BloodAlchemy, which appears to still be under active development, shares several traits with Deed RAT. According to ITOCHU, these include the use of legitimate binaries to load malicious DLLs, multiple run modes, its persistence mechanisms, and the way it imports only the specific functions needed for each communication protocol it uses to talk to its C2.

The initial infection vector appears to be the takeover of a maintenance account used by a vendor on the target's VPN. The file set used in the attack consists of three files: BrDifxapi.exe, BrLogAPI.dll, and DIFX. These are stored in the C:\windows\ directory, and a scheduled task is created to maintain persistence.

When BrDifxapi.exe is executed, it uses DLL sideloading to load the malicious BrLogAPI.dll. The DLL in turn reads DIFX, decrypts the shellcode it contains, and executes that shellcode in memory. The shellcode carries the BloodAlchemy payload in encrypted and compressed form. Notably, the payload decryption routine is built on the FNV-1a hash algorithm, and the decrypted payload is decompressed with LZNT1.
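To make that decoding stage concrete, the following is an added example (not code from the sample, from ITOCHU, or from PolySwarm) that reimplements the two primitives named above, FNV-1a hashing and LZNT1 decompression, in pure Python so an analyst can verify an unpacking script offline. The page does not say how the sample feeds the FNV-1a hash into its decryption, so no decryption routine is shown; the LZNT1 test stream is constructed by hand for this example.

```python
"""Added example: FNV-1a hashing and LZNT1 decompression in pure Python.

Not code from BloodAlchemy, ITOCHU or PolySwarm. The sample stream below is
hand-encoded for the tests, not taken from the malware.
"""

FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x00000100000001B3


def fnv1a_32(data: bytes) -> int:
    """32-bit FNV-1a: XOR each byte in, then multiply by the prime mod 2**32."""
    h = FNV32_OFFSET
    for b in data:
        h = ((h ^ b) * FNV32_PRIME) & 0xFFFFFFFF
    return h


def fnv1a_64(data: bytes) -> int:
    """64-bit FNV-1a: same structure with the 64-bit constants."""
    h = FNV64_OFFSET
    for b in data:
        h = ((h ^ b) * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h


def _lznt1_decompress_chunk(chunk: bytes) -> bytearray:
    """Decode one compressed LZNT1 chunk body (bytes after its 2-byte header).

    The body is a series of groups: a flag byte followed by up to eight tokens.
    Flag bit i (LSB first) is 0 for a literal byte and 1 for a 2-byte little-
    endian match token. The token's split between displacement and length bits
    depends on how much output the chunk has already produced: the displacement
    gets the fewest bits (at least 4) that can address the current position and
    the remaining bits (at most 12) hold length - 3.
    """
    out = bytearray()
    i = 0
    while i < len(chunk):
        flags = chunk[i]
        i += 1
        for bit in range(8):
            if i >= len(chunk):
                break
            if not (flags >> bit) & 1:
                out.append(chunk[i])
                i += 1
                continue
            if i + 2 > len(chunk):
                raise ValueError("truncated LZNT1 match token")
            token = int.from_bytes(chunk[i:i + 2], "little")
            i += 2
            pos = len(out) - 1
            length_mask, disp_shift = 0xFFF, 12
            while pos >= 0x10:  # widen the displacement field as output grows
                length_mask >>= 1
                disp_shift -= 1
                pos >>= 1
            length = (token & length_mask) + 3
            disp = (token >> disp_shift) + 1
            if disp > len(out):
                raise ValueError("LZNT1 match reaches before start of chunk")
            for _ in range(length):  # byte-wise copy so overlapping matches repeat
                out.append(out[-disp])
    return out


def lznt1_decompress(data: bytes) -> bytes:
    """Decode a full LZNT1 stream of chunks, each with a 2-byte LE header.

    Header bits 0-11 hold (chunk body length - 1), bits 12-14 must be the
    signature 3, and bit 15 marks a compressed (vs. stored) body. A zero
    header, or running out of input, ends the stream.
    """
    out = bytearray()
    i = 0
    while i + 2 <= len(data):
        header = int.from_bytes(data[i:i + 2], "little")
        i += 2
        if header == 0:
            break
        if (header >> 12) & 0x7 != 3:
            raise ValueError(f"bad LZNT1 chunk signature at offset {i - 2:#x}")
        size = (header & 0xFFF) + 1
        body = data[i:i + size]
        if len(body) != size:
            raise ValueError("truncated LZNT1 chunk")
        i += size
        out += _lznt1_decompress_chunk(body) if header & 0x8000 else body
    return bytes(out)


# Constructed stream (hand-encoded for this example): chunk 1 is "ABC" plus a
# 9-byte overlapping match back 3; chunk 2 is 18 literals plus a 10-byte match
# back 18, which needs a 5-bit displacement; chunk 3 is stored uncompressed.
SAMPLE_STREAM = (
    bytes.fromhex("05B0") + bytes.fromhex("08") + b"ABC" + bytes.fromhex("0620")
    + bytes.fromhex("16B0") + bytes.fromhex("00") + b"01234567"
    + bytes.fromhex("00") + b"89abcdef" + bytes.fromhex("04") + b"gh"
    + bytes.fromhex("0788")
    + bytes.fromhex("0430") + b"tail!"
    + bytes.fromhex("0000")
)

if __name__ == "__main__":
    print(hex(fnv1a_32(b"a")), hex(fnv1a_64(b"a")))
    print(lznt1_decompress(SAMPLE_STREAM))
```

The displacement/length split is the part most often got wrong when re-implementing LZNT1 by hand; the constructed second chunk deliberately places a match after more than 16 bytes of output so that path is exercised.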

ITOCHU notes that BloodAlchemy has several features not commonly found in other malware families. One of these is a "run mode" value; each mode triggers a different behavior.

BloodAlchemy’s functionality includes persistence, anti-sandboxing capabilities, process injection, creation of virtual function tables (VFTs) associated with each communication protocol used, and 15 backdoor commands. BloodAlchemy can also load additional payloads, gather host information, and terminate and uninstall itself.

ITOCHU researchers did not definitively attribute BloodAlchemy to a particular threat actor, but they noted that they suspect Vapor Panda may be responsible for this activity.

IOCs

PolySwarm has a sample of BloodAlchemy.

1b26db32651074ec40606d94811353b358eec4127efad8a5576e2e19134a0a6d

You can use the following CLI command to search for all BloodAlchemy samples in our portal:

$ polyswarm link list -f BloodAlchemy


Topics: Threat Bulletin, Government, China, Backdoor, Deed RAT, Asia, APAC, ShadowPad, BloodAlchemy
