Spying epidemic: China is infiltrating Asian government systems

Carding 4 Carders

New tools allow you to steal confidential intelligence information.

Researchers from Elastic Security Labs have discovered a new BLOODALCHEMY backdoor used in attacks against countries of the Association of Southeast Asian Nations (ASEAN). The backdoor targets x86 systems and is part of the REF5961 intrusion suite used by Chinese cybercriminals.

Although functional, BLOODALCHEMY is considered an incomplete project with a limited feature set. It is one of three new malware families discovered in the REF5961 analysis. Key backdoor commands include writing or overwriting a set of tools, running a binary file, deleting itself and shutting down, and collecting host information.

The backdoor copies itself to a chosen folder to maintain persistence on the target machine. Depending on the privilege level, the folder is one of four: ProgramFiles, ProgramFiles(x86), Appdata, and LocalAppData\Programs.

BLOODALCHEMY is part of REF5961's broader arsenal of tools related to current and previous attacks. Researchers believe that the operators of REF5961 have links to China, as confirmed by the discovery of malware samples in the previous REF2924 intrusion suite used against ASEAN members.

The three new REF5961 malware families are named EAGERBEE, RUDEBIRD, and DOWNTOWN. EAGERBEE was used in the attack on Mongolia, while RUDEBIRD and DOWNTOWN are linked to the Chinese government hacking group TA428. All of these backdoors resemble BLOODALCHEMY in that they still contain debugging functionality – code that is usually removed before a tool reaches the production stage, which shows that their operators are still actively developing them. After analyzing the tools and their focus on data theft, Elastic Security Labs concluded that the operators of REF5961 and REF2924 are state-sponsored cyber spies.