Malware Transmutation! – Unveiling the Hidden Traces of BloodAlchemy – Researcher Blog – ITOCHU Cyber & Intelligence Inc.

BloodAlchemy is an evolved variant of Deed RAT with roots tracing back to ShadowPad and has appeared in APT-style campaigns. The analysis shows it uses legitimate binaries for DLL loading, multiple run modes, encrypted configuration, and robust persistence and anti-sandbox techniques, indicating active development of the lineage. Hashtags: #BloodAlchemy #DeedRAT #ShadowPad #SpacePirates #APT41 #NetSarang

Keypoints

  • BloodAlchemy is not a brand-new malware; it is an evolved variant of Deed RAT, which itself is linked to ShadowPad.
  • ShadowPad has a history in APT campaigns, first seen in a July 2017 software supply-chain attack involving NetSarang, with broader use by multiple APT groups since 2020.
  • Infection flow involves hijacking a vendor-use-only maintenance account on a VPN device and delivering a three-file set (BrDifxapi.exe, BrLogAPI.dll, DIFX) with a persistence mechanism via a scheduled task.
  • BloodAlchemy uses DLL side-loading to load BrLogAPI.dll and decrypts shellcode from a DIFX-provided payload, employing AES-128 (CBC) with the key drawn from the DIFX data.
  • The shellcode contains an encrypted, compressed BloodAlchemy payload in a unique data format and supports multiple run modes that control C2, process injection, anti-debugging/sandboxing, and persistence.
  • A malware configuration container stores critical run-mode, C2, and injection targets in encrypted form, with decryption performed by a custom algorithm; configuration data may be loaded from a file with a 15-character name in C:\ProgramData\Store.
  • BloodAlchemy includes anti-sandbox capabilities, process injection via QueueUserAPC into specific Windows processes, and a versatile C2 mechanism using Virtual Function Tables to manage up to 10 potential protocols/destinations.

MITRE Techniques

  • [T1078] Valid Accounts – The attacker used a vendor-use-only maintenance account on a VPN device to deliver BloodAlchemy. [Quote: ‘the attacker used a file set to infect targets with BloodAlchemy by taking over a vendor-use-only maintenance account on a VPN device.’]
  • [T1574] Hijack Execution Flow – DLL Side-Loading – BloodAlchemy loads BrLogAPI.dll via DLL side-loading from the same directory as the legitimate BrDifxapi.exe. [Quote: ‘leverages the DLL side-loading technique to load a malicious DLL file called BrLogAPI.dll in the same directory.’]
  • [T1055] Process Injection – The payload injects into target processes using QueueUserAPC. [Quote: ‘The process injection feature was implemented with following conditions… it attempts to inject the previous shellcode into the following processes…’]
  • [T1053] Scheduled Task/Job – A scheduled task is created for persistence (C:\Windows\System32\Tasks\Dell\BrDifxapi). [Quote: ‘a scheduled task (C:\Windows\System32\Tasks\Dell\BrDifxapi) was created for persistence.’]
  • [T1543] Create/Modify Windows Service – Persistence via services/startup; multiple persistence methods are selected based on configuration. [Quote: ‘persistence method will be chosen based on the value of the persistence_flag from 1 to 4.’]
  • [T1497] Virtualization/Sandbox Evasion – Anti-sandbox capabilities to evade analysis in sandbox environments. [Quote: ‘The payload also has anti-sandbox capabilities to evade analysis in sandbox environments.’]
  • [T1027] Obfuscated/Compressed Files and Information – Shellcode and malware data are encrypted/compressed; AES-128 CBC with a key from the DIFX file; custom decryption. [Quote: ‘The crypto algorithm is AES128 (CBC mode), and the key is the first 16 bytes of the DIFX file.’]
  • [T1071] Application Layer Protocol – BloodAlchemy communicates with a C2 server and uses protocol-specific handling via VFTs; designed for up to 10 C2 destinations, with protocol-specific imports. [Quote: ‘The BloodAlchemy was designed for up to 10 C2 destinations… only one C2 information was in there.’]

Indicators of Compromise

  • [File] BrDifxapi.exe, BrLogAPI.dll, and DIFX – The three-file set identified in C:\Windows (legitimate loader, side-loaded DLL, and encrypted payload data).
  • [Directory] C:\Windows and C:\ProgramData\Store – Directories involved in the infection flow and in malware configuration storage.
  • [Process] SearchIndexer.exe, wininit.exe, taskhost.exe, svchost.exe – Processes targeted for injection or used in the execution flow.
  • [File/Path] C:\Windows\System32\Tasks\Dell\BrDifxapi – Persistence via scheduled task (Dell\BrDifxapi).
  • [Registry/Config] Encrypted malware configuration and offsets for encrypted data (stored within the run-time configuration and in a file with a 15-character name in C:\ProgramData\Store).
  • [Mutex] Mutex-like value used to coordinate or identify malware instances, held within the configuration data.
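The file-system indicators above (the three-file set dropped together, the scheduled-task artifact under the Dell task folder, and a 15-character file name in C:\ProgramData\Store) are the kind of thing a responder sweeps a file inventory for. The script below is an added example written for this summary, not code from the ITOCHU post: it takes a list of full Windows paths (for instance exported from an EDR file listing) and reports matches. The inventory it runs on is constructed for illustration, and it assumes that "15-character file name" means the whole name including any extension.

```python
"""Triage a Windows file inventory for the BloodAlchemy artifacts named in the post."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators taken from the summary above; names are compared case-insensitively.
SIDELOAD_SET = {"brdifxapi.exe", "brlogapi.dll", "difx"}
SCHEDULED_TASK = r"C:\Windows\System32\Tasks\Dell\BrDifxapi"
CONFIG_DIR = r"C:\ProgramData\Store"
CONFIG_NAME_LEN = 15  # assumption: the reported 15 characters include the extension

REASON_TASK = "scheduled task artifact matches reported persistence path"
REASON_CONFIG = "15-character file name in reported configuration directory"
REASON_FULL_SET = "complete BrDifxapi.exe/BrLogAPI.dll/DIFX side-loading set in one directory"
REASON_PARTIAL_SET = "partial side-loading set in one directory"

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def find_indicators(paths):
    """Return (severity, reason, path) findings for an iterable of full Windows paths."""
    findings = []
    names_by_dir = defaultdict(set)   # lower-cased directory -> lower-cased file names
    display_dir = {}                  # lower-cased directory -> original spelling
    task_key = SCHEDULED_TASK.lower()
    config_key = CONFIG_DIR.lower()

    for raw in paths:
        p = PureWindowsPath(raw)
        parent = str(p.parent).lower()
        names_by_dir[parent].add(p.name.lower())
        display_dir.setdefault(parent, str(p.parent))

        # Exact match on the persistence artifact reported in the post.
        if str(p).lower() == task_key:
            findings.append(("high", REASON_TASK, str(p)))
        # Configuration file: only the name length is known, so this is a weaker signal.
        if parent == config_key and len(p.name) == CONFIG_NAME_LEN:
            findings.append(("medium", REASON_CONFIG, str(p)))

    # The side-loading set is meaningful when its members sit in the same directory.
    for directory, names in names_by_dir.items():
        hits = names & SIDELOAD_SET
        if hits == SIDELOAD_SET:
            findings.append(("high", REASON_FULL_SET, display_dir[directory]))
        elif len(hits) >= 2:
            findings.append(("medium", REASON_PARTIAL_SET, display_dir[directory]))
    return findings


def max_severity(findings):
    """Highest severity among the findings, or None when there are none."""
    if not findings:
        return None
    return max((f[0] for f in findings), key=SEVERITY_RANK.__getitem__)


# Constructed inventory: one infected host mixed with benign files.
SAMPLE_INVENTORY = [
    r"C:\Windows\BrDifxapi.exe",
    r"C:\Windows\BrLogAPI.dll",
    r"C:\Windows\DIFX",
    r"C:\Windows\System32\Tasks\Dell\BrDifxapi",
    r"C:\ProgramData\Store\abcdefghijklmno",   # 15-character name (constructed)
    r"C:\ProgramData\Store\readme.txt",        # 10 characters, not flagged
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for severity, reason, where in find_indicators(SAMPLE_INVENTORY):
        print(f"[{severity}] {reason}: {where}")
```

The partial-set rule exists because a responder may find only the loader and DLL after the payload file has been removed; flag it at lower confidence rather than silently missing it. Matching the scheduled task by its file path rather than by querying the Task Scheduler keeps the check usable against offline disk images and inventory exports.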

Read more: https://blog-en.itochuci.co.jp/entry/2024/05/23/090000