BloodAlchemy is a backdoor shellcode loaded into a signed benign process and linked to the REF5961 intrusion set. Elastic Security notes its active development, multiple loading and persistence modes, and a flexible C2/communication design. Hashtags: #BloodAlchemy #REF5961 #BrLogAPI #BrDifxapi #BrotherIndustries #DLLSideLoading
Key points
- The BLOODALCHEMY backdoor is shellcode that relies on a loader and is injected via a signed binary context.
- Initial execution uses DLL side-loading into a benign executable (BrDifxapi.exe) with a sideloaded loader (BrLogAPI.dll).
- The malware supports multiple persistence methods (service, registry Run key, scheduled task, COM interfaces).
- Code obfuscation and configuration string encryption are used to hide strings and config data.
- Running modes include in-process, separate-thread execution, and process injection into target binaries.
- Communications can use HTTP, DNS, SMB, SOCKS, and other protocols, often with encrypted or encoded payloads.
- Commands include overwriting the toolset, launching Test.exe, uninstalling, and gathering host information.
MITRE Techniques
- [T1218] Signed Binary Proxy Execution – The adversary used a signed benign process to load a malicious loader via DLL side-loading. Quote: “the adversary deployed a benign utility BrDifxapi.exe … side-load the unsigned BLOODALCHEMY loader (BrLogAPI.dll) and inject shellcode into the current process.”
- [T1574.001] Hijack Execution Flow – DLL Search Order Hijacking – BLOODALCHEMY loads via DLL side-loading into a legitimate process (BrDifxapi.exe) using BrLogAPI.dll. Quote: “side-load the unsigned BLOODALCHEMY loader (BrLogAPI.dll) and inject shellcode into the current process.”
- [T1055] Process Injection – The malware injects shellcode into the current or target process using WriteProcessMemory/QueueUserAPC/ResumeThread. Quote: “inject shellcode into the current process.”
- [T1547.001] Registry Run Keys/Startup Folder – Persistence via the CurrentVersion\Run registry key to bootstrap BLOODALCHEMY. Quote: “CurrentVersion\Run” and persistence context.
- [T1053.005] Scheduled Task – Persistence via schtasks.exe running with SYSTEM privileges and TaskScheduler COM interface. Quote: “As a scheduled task, running with SYSTEM privilege via schtasks.exe” and “TaskScheduler::ITaskService.”
- [T1543.003] Windows Service – Persistence by installing as a service (e.g., Test / Digital Imaging System). Quote: “As a service named Test and Digital Imaging System.”
- [T1071.001] Web Protocols – Communications over HTTP/S with a specific C2 URI. Quote: “The malware communicates using HTTP protocol” and “URI used to connect to C2.”
- [T1090] Proxy – Proxy usage via registry-provided proxy settings. Quote: “will try to use any proxy server found in the registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings.”
- [T1071.002] DNS – The malware also uses DNS-based or other domain/name-based channels as part of its protocol set. Quote: “DNS://” is listed among the usable protocols.
- [T1027] Obfuscated/Compressed Files and Information – Strings and configuration are encrypted/obfuscated within the blob. Quote: “strings are encrypted” and “Blob = Key0:EncryptedString0 + …”
Indicators of Compromise
- [SHA-256] BrLogAPI.dll – e14ee3e2ce0010110c409f119d56f6151fdca64e20d902412db46406ed89009a – BLOODALCHEMY loader
- [SHA-256] BLOODALCHEMY payload – 25268bc07b64d0d1df441eb6f4b40dc44a6af568be0657533088d3bfd2a05455 – BLOODALCHEMY payload
- [File name] BrLogAPI.dll – BrLogAPI.dll used as the sideloaded loader in the BLOODALCHEMY toolset
- [File name] BrDifxapi.exe – BrDifxapi.exe used as the vulnerable/benign loader that side-loads the unsigned loader
- [URL] https://malwa[.]re/Inform/logger – C2-like endpoint URI referenced in the communication description
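A defender-side check for the side-loading chain in the MITRE list above and the hashes in the IoC list, as an added example (not Elastic's code or anything from the report): it scans Sysmon Event ID 7 (ImageLoad) records for an unsigned DLL loaded from the host executable's own directory and for the two published SHA-256 values. The Sysmon field names are real; the sample events, paths and the same-directory heuristic are assumptions.

```python
# Flags the side-loading shape described above (signed BrDifxapi.exe loading an
# unsigned BrLogAPI.dll from its own directory) in Sysmon Event ID 7 records.
from pathlib import PureWindowsPath

KNOWN_BAD_SHA256 = {  # SHA-256 values from the IoC list on this page
    "e14ee3e2ce0010110c409f119d56f6151fdca64e20d902412db46406ed89009a": "BLOODALCHEMY loader (BrLogAPI.dll)",
    "25268bc07b64d0d1df441eb6f4b40dc44a6af568be0657533088d3bfd2a05455": "BLOODALCHEMY payload",
}

def parse_hashes(field):
    """Turn Sysmon's 'SHA256=...,MD5=...' string into {ALGO: lowercase hexdigest}."""
    pairs = (p.partition("=") for p in field.split(","))
    return {a.strip().upper(): v.strip().lower() for a, _, v in pairs if v}

def classify(event):
    """Return the reasons one ImageLoad event looks like side-loading ([] = nothing found)."""
    reasons = []
    proc, dll = PureWindowsPath(event["Image"]), PureWindowsPath(event["ImageLoaded"])
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in KNOWN_BAD_SHA256:
        reasons.append("known IoC: " + KNOWN_BAD_SHA256[sha256])
    unsigned = event.get("Signed", "false").lower() != "true" or event.get("SignatureStatus") != "Valid"
    same_dir = str(dll.parent).lower() == str(proc.parent).lower()
    in_windows = str(dll).lower().startswith("c:\\windows\\")
    # Classic side-loading shape: an unsigned DLL resolved from the EXE's own directory
    # rather than from the Windows directory. Third-party software that ships unsigned
    # DLLs will also match, so triage such hits together with the hash match above.
    if unsigned and same_dir and not in_windows and dll.suffix.lower() == ".dll":
        reasons.append("unsigned %s loaded from the directory of %s" % (dll.name, proc.name))
    return reasons

def find_sideload_candidates(events):
    """Return [(ImageLoaded, reasons)] for each suspicious event, preserving order."""
    return [(e["ImageLoaded"], r) for e in events for r in [classify(e)] if r]

SAMPLE_EVENTS = [  # constructed Sysmon EID 7 records, not real telemetry
    {"Image": r"C:\Users\Public\Brother\BrDifxapi.exe", "Signed": "false",
     "ImageLoaded": r"C:\Users\Public\Brother\BrLogAPI.dll", "SignatureStatus": "Unavailable",
     "Hashes": "SHA256=E14EE3E2CE0010110C409F119D56F6151FDCA64E20D902412DB46406ED89009A"},
    {"Image": r"C:\Users\Public\Brother\BrDifxapi.exe", "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "SignatureStatus": "Valid",
     "Hashes": "SHA256=" + "0" * 64},
    {"Image": r"C:\Program Files\Vendor\app.exe", "Signed": "false",
     "ImageLoaded": r"C:\Users\bob\plugin.dll", "SignatureStatus": "Unavailable",
     "Hashes": "SHA256=" + "1" * 64},
]

if __name__ == "__main__":
    for path, reasons in find_sideload_candidates(SAMPLE_EVENTS):
        print(path, "->", "; ".join(reasons))
```

Only the first sample event is reported: it matches the published loader hash and the unsigned same-directory load, while the signed System32 load and the unsigned DLL from an unrelated directory are left alone.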
Read more: https://www.elastic.co/security-labs/disclosing-the-bloodalchemy-backdoor