Disclosing the BLOODALCHEMY backdoor — Elastic Safety Labs
Preamble
BLOODALCHEMY is an x86 backdoor written in C and located as shellcode injected right into a signed benign course of. It was found in our evaluation and is a part of the REF5961 intrusion set, which you’ll examine here.
BLOODALCHEMY requires a particular loader to be run as a result of it is not reflexive (it doesn’t have the aptitude to load and execute by itself). Moreover, BLOODALCHEMY isn’t compiled as place impartial (when loaded at a unique base tackle than the popular one the binary must be patched to take note of the brand new “place”).
In our evaluation, the signed benign course of was beforehand sideloaded with a malicious DLL. The DLL was lacking from the pattern knowledge however was doubtless the container and the loader of the BLOODALCHEMY shellcode.
We imagine from our analysis that the malware is a part of an even bigger toolset and continues to be in energetic improvement primarily based on its present lack of capabilities, enabled debug logging of exceptions, and the existence of take a look at strings used for persistence service setup.
Key takeaways
- BLOODALCHEMY is probably going a brand new backdoor and continues to be in energetic improvement
- BLOODALCHEMY abuses a official binary for loading
- BLOODALCHEMY has a number of working modes, persistence mechanisms, and communication choices
Preliminary execution
Throughout the preliminary execution part, the adversary deployed a benign utility, BrDifxapi.exe
, which is weak to DLL side-loading. When deploying this weak utility the adversary may side-load the unsigned BLOODALCHEMY loader (BrLogAPI.dll
) and inject shellcode into the present course of.
Command-line used to execute the BLOODALCHEMY loader
Faux BrLogApi.dll, a part of BLOODALCHEMY toolset, sideloaded by BrDifxapi.exe
BrDifxapi.exe
is a binary developed by the Japanese firm Brother Industries and the model we noticed has a revoked signature.
BrDifxapi.exe with revoked signature
The official DLL named BrLogApi.dll
is an unsigned DLL additionally by Brother Industries. BLOODALCHEMY makes use of the identical DLL title.
The official BrLogApi.dll is an unsigned DLL file
Code evaluation
Information Obfuscation
To cover its strings the BLOODALCHEMY malware makes use of a basic approach the place every string is encrypted, preceded by a single-byte decryption key, and eventually, all concatenated collectively to kind what we name an encrypted blob.
Whereas the strings aren’t null-terminated, the offset from the start of the blob, the string, and the scale are handed as a parameter to the decryption operate. Right here is the encrypted blob format:
Blob = Key0 :EncryptedString0 + Key1:EncryptedString1 + … + KeyN:EncryptedStringN
The implementation in Python of the string decryption algorithm is given under:
def decrypt_bytes(encrypted_data: bytes, offset: int, dimension: int) -> bytes:
decrypted_size = dimension - 1
decrypted_data = bytearray(decrypted_size)
encrypted_data_ = encrypted_data[offset : offset + size]
key = encrypted_data_[0]
i = 0
whereas i != decrypted_size:
decrypted_data[i] = key ^ encrypted_data_[i + 1]
key = (key + ((key << ((i % 5) + 1)) | (key >> (7 - (i % 5))))) & 0xFF
i += 1
return bytes(decrypted_data)
The strings contained within the configuration blob are encrypted utilizing the identical scheme, nevertheless the ids (or offsets) of every string are obfuscated; it provides two further layers of obfuscation that have to be resolved. Beneath, we will resolve further obfuscation layers to decrypt strings from the configuration:
def decrypt_configuration_string(id: int) -> bytes:
return decrypt_bytes(
*get_configuration_encrypted_string(
get_configuration_dword(id)))
Every operate is given under:
The get_configuration_dword
operate
def get_configuration_dword(id: int) -> int:
b = ida_bytes.get_bytes(CONFIGURATION_VA + id, 4)
return b[0] + (b[1] + (b[2] + (b[3] << 8) << 8) << 8)
The get_configuration_encrypted_strng
operate
def get_configuration_encrypted_string(id: int) -> tuple[int, int]:
ea = CONFIGURATION_VA + id
v2 = 0
i = 0
whereas i <= 63:
c = ida_bytes.get_byte(ea)
v6 = (c & 127) << i
v2 = (v2 | v6) & 0xFFFFFFFF
ea += 1
if c >= 0:
break
i += 7
return ea, v2
Persistence
BLOODALCHEMY maintains persistence by copying itself into its persistence folder with the trail suffix Testtest.exe
,
BLOODALCHEMY folder and binary title
The foundation listing of the persistence folder is chosen primarily based on its present privilege stage, it may be both:
%ProgramFiles%
%ProgramFiles(x86)%
%Appdata%
%LocalAppDatapercentPrograms
BLOODALCHEMY root persistence folder alternative
Persistence is achieved through completely different strategies relying on the configuration:
- As a service
- As a registry key
- As a scheduled job
- Utilizing COM interfaces
To establish the persistence mechanisms, we will use the uninstall command to look at the completely different ways in which the malware removes persistence.
As a service named Check
.
BLOODALCHEMY deleting beforehand put in service
As a registry key at CurrentVersionRun
BLOODALCHEMY deleting “CurrentVersionRun” persistence registry key
As a scheduled job, working with SYSTEM privilege through schtask.exe
:
b'schtasks.exe /CREATE /SC %s /TN "%s" /TR "'%s'" /RU "NT AUTHORITYSYSTEM" /Fb'
Utilizing the TaskScheduler::ITaskService
COM interface. The intent of this persistence mechanism is presently unknown.
Instantiation of the ITaskService COM interface
Working modes
The malware has completely different working modes relying on its configuration:
- Inside the primary or separate course of thread
- Create a Home windows course of and inject a shellcode into it
- As a service
The malware can both work inside the primary course of thread.
Functionality operate referred to as inside the primary operate
Or run in a separate thread.
Functionality operate referred to as in a brand new thread
Or create a Home windows course of from a hardcoded record and inject a shellcode handed by parameter to the entry level utilizing the WriteProcessMemory+QueueUserAPC+ResumeThread methodology.
Course of injection working methodology
Record of goal binaries for course of injection
The shellcode is contained within the parameters we name p_interesting_data
. This parameter is definitely a pointer to a construction containing each the malware configuration and executable binary knowledge.
Entrypoint prototype
Offered shellcode copied within the distant course of
Remaining a part of the method injection process
Or set up and run itself as a service. On this situation, the service title and outline can be Check
and Digital Imaging System
:
Identify and outline strings used to put in the BLOODALCHEMY service
Additionally when working as a service and began by the service supervisor the malware will masquerade itself as stopped by first setting the service standing to “SERVICE_RUNNING” then setting the standing to “SERVICE_STOPPED” whereas actually the malware continues to be working.
BLOODALCHEMY’s service entry level masquerading service standing
Communication
The malware communicates utilizing both the HTTP protocol, named pipes, or sockets.
When utilizing the HTTP protocol the malware requests the next URI /Inform/logger/.
URI used to hook up with C2
On this situation, BLOODALCHEMY will attempt to use any proxy server discovered within the registry key SOFTWAREMicrosoftHome windowsCurrentVersionWeb Settings
.
Host proxy info gathered from registry
We didn’t uncover any C2 infrastructure with our pattern, however the URL may look one thing like this: https://malwa[.]re/Inform/logger
When utilizing a named pipe, the title is randomly generated utilizing the present PID as seed.
Random pipe title era seeded with present PID
Whereas ready for a shopper to hook up with this named pipe the malware scans the working processes and checks that its mother or father course of continues to be working, this can be to restrict entry to the named pipe. That stated, the malware will not be checking that the pipe shopper is the right mother or father course of, solely that the mother or father course of is working. This introduces flawed logic in defending the named pipe.
Retrieve mother or father PID
Flawed verify for proscribing pipe entry to mother or father course of
From the malware strings and imports we all know that the malware can even function utilizing TCP/UDP sockets.
Utilization of the socket API in one of many implementations of the “communication” interface
Whereas we haven’t made any conclusions about their utilization, we record all of the protocols discovered within the encrypted strings.
- DNS://
- HTTP://
- HTTPS://
- MUX://
- UDP://
- SMB://
- SOCKS5://
- SOCKS4://
- TCP://
For all protocols the info will be encrypted, LZNT1 compressed, and/or Base64-encoded.
Instructions
The malware solely comprises a number of instructions with precise results:
- Write/overwrite the malware toolset
- Launch its malware binary
Check.exe
- Uninstall and terminate
- Collect host info
There are three instructions that write (or overwrite) the malware software set with the acquired Base64-encoded binary knowledge:
- Both the malware binary (
Check.exe
) - the sideloaded DLL (
BrLogAPI.dll
) - or the primary trusted binary (
BrDifxapi.exe
)
BLOODALCHEMY software set overwrite instructions
One command that launches the Check.exe
binary within the persistence folder.
BLOODALCHEMY command to run the malware executable binary
The uninstall and terminate itself command will first delete all its information at particular areas then take away any persistence registry key or scheduled job, then take away put in service and end by terminating itself.
Command to uninstall and terminate itself
Uninstall operate
One host info gathering command: CPU, OS, show, community, and many others.
Info gathering command
Abstract
BLOODALCHEMY is a backdoor shellcode containing solely unique code(no statically linked libraries). This code seems to be crafted by skilled malware builders.
The backdoor comprises modular capabilities primarily based on its configuration. These capabilities embrace a number of persistence, C2, and execution mechanisms.
Whereas unconfirmed, the presence of so few efficient instructions signifies that the malware could also be a subfeature of a bigger intrusion set or malware bundle, nonetheless in improvement, or a particularly centered piece of malware for a particular tactical utilization.
BLOODALCHEMY and MITRE ATT&CK
Elastic makes use of the MITRE ATT&CK framework to doc frequent techniques, methods, and procedures that superior persistent threats used towards enterprise networks.
Techniques
Techniques characterize the why of a way or sub-technique. It’s the adversary’s tactical purpose: the explanation for performing an motion.
Malware prevention capabilities
YARA
Elastic Safety has created YARA guidelines to establish this exercise. Beneath are YARA guidelines to establish the BLOODALCHEMY malware:
BLOODALCHEMY
rule Windows_Trojan_BloodAlchemy_1 {
meta:
writer = "Elastic Safety"
creation_date = "2023-05-09"
last_modified = "2023-06-13"
threat_name = "Home windows.Trojan.BloodAlchemy"
license = "Elastic License v2"
os = "home windows"
strings:
$a1 = { 55 8B EC 51 83 65 FC 00 53 56 57 BF 00 20 00 00 57 6A 40 FF 15 }
$a2 = { 55 8B EC 81 EC 80 00 00 00 53 56 57 33 FF 8D 45 80 6A 64 57 50 89 7D E4 89 7D EC 89 7D F0 89 7D }
situation:
all of them
}
rule Windows_Trojan_BloodAlchemy_2 {
meta:
writer = "Elastic Safety"
creation_date = "2023-05-09"
last_modified = "2023-06-13"
threat_name = "Home windows.Trojan.BloodAlchemy"
license = "Elastic License v2"
os = "home windows"
strings:
$a1 = { 55 8B EC 83 EC 54 53 8B 5D 08 56 57 33 FF 89 55 F4 89 4D F0 BE 00 00 00 02 89 7D F8 89 7D FC 85 DB }
$a2 = { 55 8B EC 83 EC 0C 56 57 33 C0 8D 7D F4 AB 8D 4D F4 AB AB E8 42 10 00 00 8B 7D F4 33 F6 85 FF 74 03 8B 77 08 }
situation:
any of them
}
rule Windows_Trojan_BloodAlchemy_3 {
meta:
writer = "Elastic Safety"
creation_date = "2023-05-10"
last_modified = "2023-06-13"
threat_name = "Home windows.Trojan.BloodAlchemy"
license = "Elastic License v2"
os = "home windows"
strings:
$a = { 55 8B EC 83 EC 38 53 56 57 8B 75 08 8D 7D F0 33 C0 33 DB AB 89 5D C8 89 5D D0 89 5D D4 AB 89 5D }
situation:
all of them
}
rule Windows_Trojan_BloodAlchemy_4 {
meta:
writer = "Elastic Safety"
creation_date = "2023-05-10"
last_modified = "2023-06-13"
threat_name = "Home windows.Trojan.BloodAlchemy"
license = "Elastic License v2"
os = "home windows"
strings:
$a = { 55 8B EC 83 EC 30 53 56 57 33 C0 8D 7D F0 AB 33 DB 68 02 80 00 00 6A 40 89 5D FC AB AB FF 15 28 }
situation:
all of them
}
Observations
All observables are additionally out there for download in each ECS and STIX format in a mixed zip bundle.
The next observables have been mentioned on this analysis.
Observable | Sort | Identify | Reference |
---|---|---|---|
e14ee3e2ce0010110c409f119d56f6151fdca64e20d902412db46406ed89009a |
SHA-256 | BrLogAPI.dll |
BLOODALCHEMY loader |
25268bc07b64d0d1df441eb6f4b40dc44a6af568be0657533088d3bfd2a05455 |
SHA-256 | NA | BLOODALCHEMY payload |