Severity
High
Analysis Summary
Recent research has identified the malware BLOODALCHEMY, used in attacks against government organizations in Southern and Southeastern Asia, as an updated version of Deed RAT, which is itself a successor to ShadowPad.
ShadowPad, known for its extensive use in numerous advanced persistent threat (APT) campaigns, has a well-documented history that warrants close monitoring of BLOODALCHEMY's usage. BLOODALCHEMY was first documented in October 2023 and linked to the intrusion set REF5961, which targeted ASEAN countries.
BLOODALCHEMY is a simple x86 backdoor written in C. It is injected into a signed, benign process ("BrDifxapi.exe") via DLL side-loading. The malware can overwrite its own toolset, gather host information, load additional payloads, and uninstall or terminate itself. Its limited set of effective commands suggests it is either a component of a larger malware package still under development or a build tailored for specific tactical use; researchers have noted that these observations are based on the samples they documented.
The attack chain for BLOODALCHEMY typically begins with the compromise of a maintenance account on a VPN device, which is then used to deploy "BrDifxapi.exe." This executable sideloads "BrLogAPI.dll," a loader that extracts the BLOODALCHEMY shellcode from a file named DIFX and executes it in memory. The malware's run mode determines its behavior, allowing it to evade sandbox analysis, establish persistence, contact a remote server, and control the infected host through its backdoor commands.
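The side-loading chain above (a signed executable loading a loader DLL from its own directory, with the shellcode container stored alongside) is something defenders can look for in image-load telemetry. The following detection logic is an added example written for this advisory, not code from the original report; it assumes Sysmon Event ID 7 style fields (Image, ImageLoaded, SignatureStatus), and every path and directory listing in it is constructed.

```python
from pathlib import PureWindowsPath
from typing import Optional

# Process/DLL pair from the advisory: signed BrDifxapi.exe side-loads BrLogAPI.dll,
# which extracts the BLOODALCHEMY shellcode from a file named DIFX and runs it in memory.
KNOWN_SIDELOAD_PAIRS = {"brdifxapi.exe": "brlogapi.dll"}
PAYLOAD_FILENAME = "difx"
# DLLs resolved from the Windows system directories are the expected, benign case.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

def classify_image_load(event: dict, sibling_files=()) -> Optional[str]:
    """Return a reason string when an image-load event matches the side-loading chain, else None.
    The event field names (Image, ImageLoaded, SignatureStatus) are an assumed Sysmon-like shape."""
    exe = PureWindowsPath(event["Image"].lower())
    dll = PureWindowsPath(event["ImageLoaded"].lower())
    if str(dll.parent).startswith(TRUSTED_DLL_DIRS):
        return None
    expected_dll = KNOWN_SIDELOAD_PAIRS.get(exe.name)
    if expected_dll == dll.name:
        reason = f"{exe.name} side-loaded {dll.name} from {dll.parent}"
        if PAYLOAD_FILENAME in {f.lower() for f in sibling_files}:
            reason += "; payload container DIFX present in the same directory"
        return reason
    # Generic fallback: a DLL without a valid signature loaded from the process's own directory.
    if dll.parent == exe.parent and event.get("SignatureStatus", "").lower() != "valid":
        return f"unsigned {dll.name} loaded from process directory {dll.parent}"
    return None

def scan_image_loads(events, files_by_dir=None):
    """Run the classifier over a batch of events; files_by_dir maps a lowercase directory to its listing."""
    files_by_dir = files_by_dir or {}
    hits = []
    for ev in events:
        dll_dir = str(PureWindowsPath(ev["ImageLoaded"].lower()).parent)
        reason = classify_image_load(ev, files_by_dir.get(dll_dir, ()))
        if reason:
            hits.append({"Image": ev["Image"], "ImageLoaded": ev["ImageLoaded"], "reason": reason})
    return hits

# Constructed sample telemetry; the paths and directory listing are made up for this demonstration.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\Public\Libraries\BrDifxapi.exe", "ImageLoaded": r"C:\Users\Public\Libraries\BrLogAPI.dll", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\Public\Libraries\BrDifxapi.exe", "ImageLoaded": r"C:\Windows\System32\advapi32.dll", "SignatureStatus": "Valid"},
    {"Image": r"C:\Tools\updater.exe", "ImageLoaded": r"C:\Tools\helper.dll", "SignatureStatus": "Unavailable"},
]
SAMPLE_LISTINGS = {r"c:\users\public\libraries": ["BrDifxapi.exe", "BrLogAPI.dll", "DIFX"]}

if __name__ == "__main__":
    for hit in scan_image_loads(SAMPLE_EVENTS, SAMPLE_LISTINGS):
        print(hit["reason"])
```

The first rule matches the specific chain described in this advisory; the second is a broader side-loading heuristic that will need tuning against legitimate software that ships its own DLLs.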
Analysis has revealed code similarities between BLOODALCHEMY and Deed RAT, particularly in the unique data structures of their payload headers and in their shellcode loading processes. This indicates that BLOODALCHEMY is an evolved form of Deed RAT, which is itself an iteration of ShadowPad. Deed RAT, used exclusively by the Space Pirates threat actor, is multifaceted in nature, and its lineage traces back to earlier malware such as PlugX.
PlugX (also known as Korplug) and ShadowPad (PoisonPlug) have long been used by China-nexus threat groups. Leaks from Chinese state contractors indicate that the overlaps in tools and tactics among Chinese threat groups result from centralized support structures. These "digital quartermasters" manage a shared pool of tools and techniques that supports multiple campaigns, revealing the coordinated nature of these malicious activities.
This disclosure comes amid broader China-linked cyber espionage activity. A threat actor known as Sharp Dragon, previously tracked as Sharp Panda, has expanded its operations to include government targets in Africa and the Caribbean. This expansion is part of ongoing efforts to apply cyber espionage against diverse global targets and reflects the dynamic and persistent nature of these threats.
Impact
- Cyber Espionage
- Sensitive Data Theft
- Unauthorized Remote Access
- Command Execution
Remediation
- Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade platforms and software in a timely manner, and make this a standard security policy.
- Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
- Implement network segmentation to limit lateral movement for attackers within the network.
- Implement advanced email filtering to detect and block phishing emails.
- Employ updated and robust endpoint protection solutions to detect and block malware.
- Develop and test an incident response plan to ensure a swift and effective response to security incidents.
- Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
- Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
- Regularly back up critical data and ensure that backup and recovery procedures are in place.