Elastic Labs Exposes BLOODALCHEMY Backdoor: ASEAN’s New Threat

BLOODALCHEMY backdoor

Researchers from Elastic Security Labs have uncovered a new backdoor, BLOODALCHEMY, used in attacks against member states of the Association of Southeast Asian Nations (ASEAN). The backdoor targets x86 Windows systems and belongs to the intrusion set REF5961, which the researchers attribute to a China-linked actor.


Despite being operational, BLOODALCHEMY is assessed to be an unfinished project with limited functionality. It is one of three new malware families identified during the analysis of REF5961. The backdoor's primary commands cover writing or overwriting its toolset, launching binaries, uninstalling itself and terminating, and collecting host information.

To persist on the victim machine, the backdoor copies itself into a designated folder. Depending on the privileges it runs with, that folder is one of Program Files, Program Files (x86), AppData, or LocalAppData\Programs.
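The four drop locations above are the most concrete detection lead the article gives. The following triage check is an added example, not code from Elastic Security Labs or from the article: it runs over constructed file-creation events and flags any new executable landing in one of those four folders. The event fields (path, writer, elevated) are assumed names rather than any real product's schema, and the severity rule (a non-elevated writer placing an executable in a machine-wide folder is rated higher, since that normally needs a weak ACL) is this example's own heuristic, not something the article states.

```python
"""Flag executables dropped into the four folders named for BLOODALCHEMY.

Added example; not from Elastic Security Labs or the original article.
Event schema and sample events are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

EXECUTABLE_EXTENSIONS = (".exe", ".dll")

# (label, pattern), checked in order. LocalAppData\Programs lies inside
# AppData, so the more specific pattern must be tested first.
DROP_LOCATIONS = [
    ("ProgramFiles(x86)", re.compile(r"^[a-z]:\\program files \(x86\)\\", re.I)),
    ("ProgramFiles", re.compile(r"^[a-z]:\\program files\\", re.I)),
    ("LocalAppData\\Programs",
     re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\programs\\", re.I)),
    ("AppData", re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)),
]


@dataclass(frozen=True)
class FileCreateEvent:
    """A file-creation record. Field names are an assumption for this example."""
    path: str       # full path of the file that was written
    writer: str     # image name of the process that wrote it
    elevated: bool  # True if the writer ran with high integrity


def drop_location(path: str) -> Optional[str]:
    """Return the label of the drop folder containing path, or None."""
    for label, pattern in DROP_LOCATIONS:
        if pattern.search(path):
            return label
    return None


def classify(event: FileCreateEvent) -> Optional[dict]:
    """Return a finding for an executable written to a drop folder, else None."""
    if not event.path.lower().endswith(EXECUTABLE_EXTENSIONS):
        return None
    location = drop_location(event.path)
    if location is None:
        return None
    # Heuristic (ours, not the article's): machine-wide folders require
    # elevation to write, so a non-elevated writer there deserves priority.
    machine_wide = location.startswith("ProgramFiles")
    severity = "high" if machine_wide and not event.elevated else "medium"
    return {
        "path": event.path,
        "writer": event.writer,
        "location": location,
        "elevated": event.elevated,
        "severity": severity,
    }


def triage(events: List[FileCreateEvent]) -> List[dict]:
    """Run classify over a batch of events and keep the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample events: two benign-looking, three that should fire.
SAMPLE_EVENTS = [
    FileCreateEvent(r"C:\Program Files\Contoso\updater.exe", "msiexec.exe", True),
    FileCreateEvent(r"C:\Users\alice\AppData\Local\Programs\svc\host.exe", "explorer.exe", False),
    FileCreateEvent(r"C:\Users\alice\AppData\Roaming\notes.txt", "notepad.exe", False),
    FileCreateEvent(r"C:\Program Files (x86)\Vendor\helper.dll", "wscript.exe", False),
    FileCreateEvent(r"C:\Windows\Temp\setup.exe", "setup.exe", True),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['location']}: "
              f"{finding['writer']} wrote {finding['path']}")
```

In practice the check needs an allowlist of legitimate installers and updaters, because software installs write executables to these same folders every day; the value of the rule is in the writer process and integrity context, not in the path alone.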

BLOODALCHEMY is one piece of a broader toolset tied to REF5961 and seen in both current and earlier attacks. The researchers believe the operators of REF5961 are linked to China, a view supported by overlap with malware samples from the earlier intrusion set REF2924, which also targeted ASEAN members.

The three new malware families attributed to REF5961 are named EAGERBEE, RUDEBIRD, and DOWNTOWN. EAGERBEE has previously been seen in an attack on Mongolia, while RUDEBIRD and DOWNTOWN are linked to the China-nexus state-backed group TA428. All of these backdoors resemble BLOODALCHEMY in that they still contain debugging features, which are normally stripped before a tool enters production, a sign that they remain under active development. Based on this tooling and its focus on data theft, Elastic Security Labs concluded that the operators behind REF5961 and REF2924 are state-sponsored cyber espionage actors.