The attack chain for BLOODALCHEMY typically begins with compromising a maintenance account on a VPN device to deploy "BrDifxapi.exe." This executable sideloads "BrLogAPI.dll," a loader that executes the BLOODALCHEMY shellcode in memory after extracting it from a file named DIFX. The malware's run mode determines its behavior enabling it to evade sandbox analysis establish persistence, contact a remote server, and control the infected host through its backdoor commands.

The analysis has revealed code similarities between BLOODALCHEMY and Deed RAT, particularly in the unique data structures of their payload headers and their shellcode loading processes. This indicates that BLOODALCHEMY is an evolved form of Deed RAT, which itself is an iteration of ShadowPad. The multifaceted nature of Deed RAT used exclusively by the Space Pirates threat actor, underscores its evolution from earlier malware like PlugX.

PlugX (Korplug) and ShadowPad (PoisonPlug) have long been used by China-nexus threat groups. Leaks from Chinese state contractors highlighted that these overlaps in tools and tactics among Chinese threat groups result from centralized support structures. These "digital quartermasters" manage a shared pool of tools and techniques supporting multiple campaigns and revealing the coordinated nature of these malicious activities.

This disclosure comes amid a broader context of China-linked cyber espionage activities. A threat actor known as Sharp Dragon, previously identified as Sharp Panda, has expanded its operations to include governmental targets in Africa and the Caribbean. This expansion is part of ongoing efforts to leverage cyber espionage against diverse global targets, reflecting the dynamic and persistent nature of these cyber threats.

Impact

• Cyber Espionage
• Sensitive Data Theft
• Unauthorized Remote Access
• Command Execution

Remediation

• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• Patch and upgrade any platforms and software timely and make it into a standard security policy.
• Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
• Implement network segmentation to limit lateral movement for attackers within the network.
• Implement advanced email filtering to detect and block phishing emails.
• Employ updated and robust endpoint protection solutions to detect and block malware.
• Develop and test an incident response plan to ensure a swift and effective response to security incidents.
• Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
• Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
• Regularly back up critical data and ensure that backup and recovery procedures are in place.