Japanese Experts Warn of BLOODALCHEMY Malware Targeting Government Agencies

Researchers have recently made a significant revelation regarding the BLOODALCHEMY malware, which has been employed in targeted attacks against government organizations in Southern and Southeastern Asia. These researchers found that BLOODALCHEMY is an updated iteration of Deed RAT, considered a successor to ShadowPad—a widely recognized tool utilized in APT campaigns.

ITOCHU Cyber & Intelligence, a Japanese company, emphasized the crucial importance of closely monitoring the trend of this malware. This emphasis stems from ShadowPad's extensive history in numerous APT campaigns, indicating that understanding its evolution is paramount to cybersecurity efforts. BLOODALCHEMY, initially documented by Elastic Security Labs in October 2023, is classified as a basic x86 backdoor. It is injected into a signed benign process using a technique called DLL side-loading. Once injected, BLOODALCHEMY showcases several capabilities, including overwriting system tools, collecting host information, loading additional malicious payloads, and implementing self-uninstallation procedures as needed.

Upon analyzing Bloodalchemy, researchers observed that it operates with a limited set of commands. This limited functionality suggests that BLOODALCHEMY may be a subcomponent of a larger malware package still in development or tailored for specific targeted attacks. The attack chains associated with Bloodalchemyhave been observed compromising maintenance accounts on VPN devices to gain initial access. Subsequently, attackers deploy BrDifxapi.exe to sideload BrLogAPI.dll, a loader responsible for executing Bloodalchemy's shellcode in memory after extracting it from a file named DIFX.

Security Officer Comments:
Notably, Bloodalchemy features a run mode capability, enabling dynamic behavior alterations. This capability allows the malware to evade detection in sandbox environments, establish persistence on infected systems, communicate with remote servers, and execute backdoor commands to control compromised hosts. ITOCHU Cyber & Intelligence's analysis uncovered notable code similarities between BLOODALCHEMY and Deed RAT, which is a multifaceted malware exclusively used by a threat actor known as Space Pirates. This actor is also linked to the evolution of ShadowPad, itself an advancement from the well-known PlugX malware.

Suggested Corrections:
To mitigate the risks associated with Bloodalchemy and similar malware threats, organizations should implement a multi-layered approach to security. This includes deploying robust antivirus and anti-malware solutions capable of detecting and blocking RATs. Regularly updating security software ensures protection against evolving threats.