Cyber security news for all


    Alert: Japanese Specialists Caution Government Agencies about Bloodalchemy Malware Threat

    Cybersecurity researchers have uncovered that the BLOODALCHEMY malware, which has been used to target government organizations in Southern and Southeastern Asia, is actually an updated variant of Deed RAT, a successor to ShadowPad.

    “The origins of BLOODALCHEMY and Deed RAT trace back to ShadowPad. Given ShadowPad’s extensive use in various APT campaigns, it’s vital to closely monitor the deployment of this malware,” stated ITOCHU Cyber & Intelligence, a Japanese firm.

    First documented by Elastic Security Labs in October 2023, BLOODALCHEMY was linked to a campaign by an intrusion set tracked as REF5961, which targets ASEAN countries.

    A minimal x86 backdoor written in C, it is loaded into a signed, benign process (“BrDifxapi.exe”) through DLL side-loading. Its small command set lets it overwrite its own toolset, collect host information, load additional payloads, and terminate itself.

    “Although unconfirmed, the limited number of commands suggests the malware might be part of a larger intrusion set or malware package still in development, or it could be highly specialized for a specific tactical use,” Elastic researchers noted.

    The attack chains typically begin with the compromise of a maintenance account on a VPN device, which the attackers use to drop BrDifxapi.exe. That signed executable sideloads BrLogAPI.dll, a loader that reads the BLOODALCHEMY shellcode from a co-located file named DIFX and executes it in memory, so the backdoor itself never lands on disk as a recognisable PE file.
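    The on-disk footprint of that chain (a signed host executable, the loader DLL beside it, and an opaque payload file) and the corresponding image-load event are both things a defender can hunt for. The following is an added example, not code from the article or from Elastic or ITOCHU: it scans a directory tree for the three co-located file names the article reports, and filters Sysmon-style image-load records (fields modelled on Sysmon Event ID 7: Image, ImageLoaded, Signed) for BrDifxapi.exe loading BrLogAPI.dll either unsigned or from a user-writable location. The sample events, the directory layout and the list of user-writable path prefixes are constructed assumptions for the demonstration.

```python
import os
import tempfile
from pathlib import PureWindowsPath

# File names reported in the article for the side-loading chain.
HOST_EXE = "brdifxapi.exe"       # signed, benign host process
SIDELOADED_DLL = "brlogapi.dll"  # loader DLL the host sideloads
PAYLOAD_FILE = "difx"            # file the loader reads the shellcode from

# Assumption: a vendor-installed copy of a driver tool would not normally
# execute from these user-writable roots; a dropped copy often does.
USER_WRITABLE_PREFIXES = ("c:/programdata/", "c:/users/", "c:/windows/temp/")


def find_sideload_triad(root):
    """Walk `root` and return (sorted, root-relative) directories that hold
    all three artefacts: host exe, sideloaded DLL and DIFX payload."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        if {HOST_EXE, SIDELOADED_DLL, PAYLOAD_FILE} <= names:
            hits.append(os.path.relpath(dirpath, root))
    return sorted(hits)


def _norm(path):
    """Normalise a Windows path to lower-case forward-slash form so the
    checks work the same on a Linux analysis box."""
    return PureWindowsPath(path).as_posix().lower()


def flag_image_loads(events):
    """Return the image-load events in which BrDifxapi.exe loads BrLogAPI.dll
    and the load is suspicious: the DLL is not reported as signed, or the
    host exe runs from a user-writable location (heuristic, see above)."""
    flagged = []
    for ev in events:
        image = _norm(ev.get("Image", ""))
        loaded = _norm(ev.get("ImageLoaded", ""))
        if not (image.endswith("/" + HOST_EXE) and loaded.endswith("/" + SIDELOADED_DLL)):
            continue
        unsigned = ev.get("Signed", "").lower() != "true"
        from_writable = image.startswith(USER_WRITABLE_PREFIXES)
        if unsigned or from_writable:
            flagged.append(ev)
    return flagged


# Constructed sample records (not real telemetry), Sysmon Event ID 7 style.
SAMPLE_EVENTS = [
    # dropped copy: unsigned loader DLL, staged under ProgramData -> flag
    {"Image": r"C:\ProgramData\Update\BrDifxapi.exe",
     "ImageLoaded": r"C:\ProgramData\Update\BrLogAPI.dll", "Signed": "false"},
    # legitimate vendor install: signed DLL under Program Files -> ignore
    {"Image": r"C:\Program Files\Vendor\BrDifxapi.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\BrLogAPI.dll", "Signed": "true"},
    # signed DLL but the host runs from a user profile -> flag on location
    {"Image": r"C:\Users\Public\BrDifxapi.exe",
     "ImageLoaded": r"C:\Users\Public\BrLogAPI.dll", "Signed": "true"},
    # unrelated load -> ignore
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
]


def demo_triad_scan():
    """Build a throwaway tree with one staged triad and one decoy directory
    (exe + DLL but no DIFX payload) and return what the scanner finds."""
    with tempfile.TemporaryDirectory() as root:
        staged = os.path.join(root, "staged")
        decoy = os.path.join(root, "decoy")
        os.makedirs(staged)
        os.makedirs(decoy)
        for name in ("BrDifxapi.exe", "BrLogAPI.dll", "DIFX"):
            open(os.path.join(staged, name), "wb").close()
        for name in ("BrDifxapi.exe", "BrLogAPI.dll"):
            open(os.path.join(decoy, name), "wb").close()
        return find_sideload_triad(root)


if __name__ == "__main__":
    print("triad found in:", demo_triad_scan())
    for ev in flag_image_loads(SAMPLE_EVENTS):
        print("suspicious load:", ev["Image"], "->", ev["ImageLoaded"])
```

    The file-name match alone is a useful triage signal, but the image-load rule is the one to deploy in a SIEM, since the loader can be renamed on disk while the signed host's import of the DLL name is fixed.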

    BLOODALCHEMY selects its behaviour from a configured run mode: depending on the mode it can evade sandbox analysis, establish persistence, contact its remote command-and-control server, and execute backdoor commands on the infected host.

    ITOCHU’s analysis found code similarities between BLOODALCHEMY and Deed RAT, a sophisticated malware used by the threat actor known as Space Pirates. Deed RAT is considered the next evolution of ShadowPad, which itself evolved from PlugX.

    “The first notable similarity is the unique data structures in the payload header of both BLOODALCHEMY and Deed RAT,” the company explained. “There are also similarities in the shellcode loading process and the DLL file used to read the shellcode.”

    PlugX (Korplug) and ShadowPad (PoisonPlug) have been extensively used by Chinese hacking groups over the years.

    This revelation comes as the China-linked threat actor known as Sharp Dragon (formerly Sharp Panda) has expanded its targets to include governmental organizations in Africa and the Caribbean as part of an ongoing cyber espionage campaign.

