Researchers from Elastic Security Labs have discovered a new backdoor called Bloodalchemy that is being used in attacks against member countries of the Association of Southeast Asian Nations (ASEAN). The backdoor targets x86 systems and is part of the Ref5961 intrusion set, which Elastic attributes to a China-linked, state-sponsored group.
Bloodalchemy is still considered an incomplete project with some limitations. It is one of several new malware families identified during the analysis of Ref5961. Its core capabilities are writing and overwriting its toolset on disk, launching a binary, removing itself from the host, and collecting information about the host.
To persist on the target machine, the backdoor copies itself into one of four folders, chosen according to the privilege level it is running with: %ProgramFiles%, %ProgramFiles(x86)%, %APPDATA%, or %LOCALAPPDATA%\Programs.
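Because the backdoor drops a copy of itself into one of those four folders, a quick host triage is to list recently created executables under each of them together with their Authenticode status. The PowerShell below is an added example, not code from the article or from Elastic's report; the seven-day look-back window and the .exe/.dll filter are assumptions to adjust for your environment.

```powershell
# Added example, not from the article or Elastic's report.
# Lists recently created executables in the four folders named in the text
# and reports their Authenticode signature status. The 7-day window and the
# .exe/.dll filter are assumptions; adjust for your environment.

$Paths = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:APPDATA,
    (Join-Path $env:LOCALAPPDATA 'Programs')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$Since = (Get-Date).AddDays(-7)   # assumption: look back one week

$Findings = foreach ($Dir in $Paths) {
    Get-ChildItem -LiteralPath $Dir -Recurse -File -Include '*.exe', '*.dll' -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since } |
        ForEach-Object {
            $Sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Created   = $_.CreationTime
                Signature = $Sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer    = $Sig.SignerCertificate.Subject
                Path      = $_.FullName
            }
        }
}

# Unsigned or tampered binaries in these folders deserve a closer look; legitimate
# installers also write here, so treat the output as a triage list, not an alert.
$Findings |
    Sort-Object Signature, Created -Descending |
    Format-Table -AutoSize
```

Run it in the context of the user being investigated so that %APPDATA% and %LOCALAPPDATA% resolve to that profile; an elevated session is needed to read everything under the two Program Files trees. Unsigned binaries with a recent creation time are the rows to pivot on, but expect noise from legitimate per-user installers such as Electron applications.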
Bloodalchemy is part of a larger arsenal of tools used in Ref5961 attacks, which Elastic links to China. That assessment is supported by the fact that malware samples from the earlier intrusion set, Ref2924, were also used against ASEAN members.
In addition to Bloodalchemy, the new families found in Ref5961 are Eagerbee, used in attacks on Mongolia, and Rudebird and Downtown, which are associated with the Chinese state-backed group TA428. All of these backdoors, including Bloodalchemy, still contain debugging functionality, indicating that their operators are actively developing them. Based on its analysis of the tooling and its focus on data theft, Elastic Security Labs concludes that the operators behind both Ref5961 and Ref2924 are state-sponsored cyber espionage actors.