BLOODALCHEMY: A digital predator for attacks on government institutions in South Asia

Tomcat

How is the new malware related to the already proven ShadowPad and Deed RAT?

New cyber threats often result from the evolution and modification of existing malware. A recent study revealed that the fresh BLOODALCHEMY malware used in attacks on government organizations in South and Southeast Asia is closely related to such well-known threats as Deed RAT, ShadowPad, and PlugX.

"The origin of BLOODALCHEMY and Deed RAT is related to ShadowPad, and given the history of using ShadowPad in numerous APT campaigns, it is extremely important to pay special attention to the trends in the use of this malware," noted the Japanese information security company ITOCHU Cyber & Intelligence.

The BLOODALCHEMY malware was first documented by researchers at Elastic Security Labs in October 2023, when they studied a malicious campaign targeting countries of the Association of Southeast Asian Nations (ASEAN). The tool is a backdoor written in C that is embedded in a signed, harmless process, "BrDifxapi.exe", using the DLL sideloading technique.

"Although this is not confirmed, the presence of such a small number of built-in commands indicates that this malware may only be part of a larger set of tools or is still simply under development. Or it really is such a narrowly focused tool for specific tactical purposes," the researchers from Elastic noted in their report last year.

Attacks using BLOODALCHEMY involve compromising an account on a VPN device for initial access and then downloading "BrDifxapi.exe", which is used to sideload "BrLogAPI.dll". This loader is responsible for executing the BLOODALCHEMY code in memory after extracting it from a file called "DIFX".
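The loading chain described above (signed host process, sideloaded DLL from the same directory, companion "DIFX" payload file) is something a defender can hunt for in image-load telemetry. The following is an added detection example, not code from the report or from any of the researchers cited; it assumes Sysmon Event ID 7 style fields (Image, ImageLoaded, Signed) and a constructed directory listing, and the "trusted install path" list is an assumption to tune per environment.

```python
from pathlib import PureWindowsPath

# Artifacts named in the report: the signed host process, the sideloaded DLL,
# and the companion file the loader extracts the in-memory payload from.
HOST_EXE = "brdifxapi.exe"
SIDELOADED_DLL = "brlogapi.dll"
PAYLOAD_FILE = "difx"
# Assumption: where a vendor-installed copy of the host binary would normally live.
TRUSTED_DIRS = (r"c:\program files", r"c:\program files (x86)")


def is_sideload_chain(event, dir_listing):
    """Return a reason string when an image-load event matches the chain, else None.

    event: dict with Image, ImageLoaded, Signed (Sysmon Event ID 7 style).
    dir_listing: lowercased directory path -> set of lowercased file names present.
    """
    proc = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if proc.name.lower() != HOST_EXE or dll.name.lower() != SIDELOADED_DLL:
        return None
    proc_dir = str(proc.parent).lower()
    if str(dll.parent).lower() != proc_dir:
        return None  # DLL resolved from elsewhere: not the same-directory sideload
    indicators = []
    if not proc_dir.startswith(TRUSTED_DIRS):
        indicators.append("host binary running outside a vendor install path")
    if event.get("Signed", "true").lower() != "true":
        indicators.append("sideloaded BrLogAPI.dll is unsigned")
    if PAYLOAD_FILE in dir_listing.get(proc_dir, set()):
        indicators.append("companion payload file 'DIFX' present in the same directory")
    # A signed DLL in the vendor path with no payload file is the legitimate case.
    return "; ".join(indicators) if indicators else None


def scan(events, dir_listing):
    """Return (process image, reason) pairs for every event that matches."""
    return [(e["Image"], r) for e in events if (r := is_sideload_chain(e, dir_listing))]


# Constructed sample telemetry: one sideload from a user-writable folder, two benign loads.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\Brother\BrDifxapi.exe",
     "ImageLoaded": r"C:\Users\Public\Brother\BrLogAPI.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Brother\BrDifxapi.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Brother\BrDifxapi.exe",
     "ImageLoaded": r"C:\Program Files\Brother\BrLogAPI.dll", "Signed": "true"},
]
SAMPLE_LISTING = {
    r"c:\users\public\brother": {"brdifxapi.exe", "brlogapi.dll", "difx"},
    r"c:\program files\brother": {"brdifxapi.exe", "brlogapi.dll"},
}

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS, SAMPLE_LISTING):
        print(image, "->", reason)
```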

The malware uses a special mode of operation that lets it evade sandbox analysis, maintain persistence on the system, establish contact with the attackers' server, and control the infected device through remote commands.

As noted earlier, ITOCHU's analysis revealed similarities between the BLOODALCHEMY code and Deed RAT, a multi-functional malware previously used by the Space Pirates hacker group. Deed RAT is regarded as the next iteration of ShadowPad, which is itself an evolution of PlugX.

"The first noticeable similarity is the unique payload header data structures in BLOODALCHEMY and Deed RAT," ITOCHU explained. "We also found similarities in the code loading process and the DLL file used to read it."

It is worth noting that both PlugX (Korplug) and ShadowPad (PoisonPlug) have been widely used by Chinese hacker groups for many years.

The findings come as the Chinese hacking group Sharp Panda (also known as Sharp Dragon) has expanded its operations to target government organizations in Africa and the Caribbean as part of an ongoing cyber-espionage campaign.