Now Reading
Disclosing the BLOODALCHEMY backdoor — Elastic Safety Labs

Disclosing the BLOODALCHEMY backdoor — Elastic Safety Labs

2023-10-16 02:25:43

Preamble

BLOODALCHEMY is an x86 backdoor written in C and located as shellcode injected right into a signed benign course of. It was found in our evaluation and is a part of the REF5961 intrusion set, which you’ll examine here.

BLOODALCHEMY requires a particular loader to be run as a result of it is not reflexive (it doesn’t have the aptitude to load and execute by itself). Moreover, BLOODALCHEMY isn’t compiled as place impartial (when loaded at a unique base tackle than the popular one the binary must be patched to take note of the brand new “place”).

In our evaluation, the signed benign course of was beforehand sideloaded with a malicious DLL. The DLL was lacking from the pattern knowledge however was doubtless the container and the loader of the BLOODALCHEMY shellcode.

We imagine from our analysis that the malware is a part of an even bigger toolset and continues to be in energetic improvement primarily based on its present lack of capabilities, enabled debug logging of exceptions, and the existence of take a look at strings used for persistence service setup.

Key takeaways

  • BLOODALCHEMY is probably going a brand new backdoor and continues to be in energetic improvement
  • BLOODALCHEMY abuses a official binary for loading
  • BLOODALCHEMY has a number of working modes, persistence mechanisms, and communication choices

Preliminary execution

Throughout the preliminary execution part, the adversary deployed a benign utility, BrDifxapi.exe, which is weak to DLL side-loading. When deploying this weak utility the adversary may side-load the unsigned BLOODALCHEMY loader (BrLogAPI.dll) and inject shellcode into the present course of.

alt_text
Command-line used to execute the BLOODALCHEMY loader

alt_text
Faux BrLogApi.dll, a part of BLOODALCHEMY toolset, sideloaded by BrDifxapi.exe

BrDifxapi.exe is a binary developed by the Japanese firm Brother Industries and the model we noticed has a revoked signature.

alt_text
BrDifxapi.exe with revoked signature

The official DLL named BrLogApi.dll is an unsigned DLL additionally by Brother Industries. BLOODALCHEMY makes use of the identical DLL title.

alt_text
The official BrLogApi.dll is an unsigned DLL file

Code evaluation

Information Obfuscation

To cover its strings the BLOODALCHEMY malware makes use of a basic approach the place every string is encrypted, preceded by a single-byte decryption key, and eventually, all concatenated collectively to kind what we name an encrypted blob.

Whereas the strings aren’t null-terminated, the offset from the start of the blob, the string, and the scale are handed as a parameter to the decryption operate. Right here is the encrypted blob format:

Blob = Key0 :EncryptedString0 + Key1:EncryptedString1 + … + KeyN:EncryptedStringN

The implementation in Python of the string decryption algorithm is given under:

def decrypt_bytes(encrypted_data: bytes, offset: int, dimension: int) -> bytes:
    decrypted_size = dimension - 1
    decrypted_data = bytearray(decrypted_size)

    encrypted_data_ = encrypted_data[offset : offset + size]
    key = encrypted_data_[0]

    i = 0
    whereas i != decrypted_size:
            decrypted_data[i] = key ^ encrypted_data_[i + 1]
           key = (key + ((key << ((i % 5) + 1)) | (key >> (7 - (i % 5))))) & 0xFF
           i += 1

    return bytes(decrypted_data)

The strings contained within the configuration blob are encrypted utilizing the identical scheme, nevertheless the ids (or offsets) of every string are obfuscated; it provides two further layers of obfuscation that have to be resolved. Beneath, we will resolve further obfuscation layers to decrypt strings from the configuration:

def decrypt_configuration_string(id: int) -> bytes:
        return decrypt_bytes(
                *get_configuration_encrypted_string(
                        get_configuration_dword(id)))

Every operate is given under:

The get_configuration_dword operate

def get_configuration_dword(id: int) -> int:
        b = ida_bytes.get_bytes(CONFIGURATION_VA + id, 4)
        return b[0] + (b[1] + (b[2] + (b[3] << 8) << 8) << 8)

The get_configuration_encrypted_strng operate

def get_configuration_encrypted_string(id: int) -> tuple[int, int]:
         ea = CONFIGURATION_VA + id

        v2 = 0
        i = 0

        whereas i <= 63:
            c = ida_bytes.get_byte(ea)

            v6 = (c & 127) << i
            v2 = (v2 | v6) & 0xFFFFFFFF

            ea += 1

            if c >= 0:
                break
            
            i += 7
            return ea, v2

Persistence

BLOODALCHEMY maintains persistence by copying itself into its persistence folder with the trail suffix Testtest.exe,

alt_text
BLOODALCHEMY folder and binary title

The foundation listing of the persistence folder is chosen primarily based on its present privilege stage, it may be both:

  • %ProgramFiles%
  • %ProgramFiles(x86)%
  • %Appdata%
  • %LocalAppDatapercentPrograms

alt_text
BLOODALCHEMY root persistence folder alternative

Persistence is achieved through completely different strategies relying on the configuration:

  • As a service
  • As a registry key
  • As a scheduled job
  • Utilizing COM interfaces

To establish the persistence mechanisms, we will use the uninstall command to look at the completely different ways in which the malware removes persistence.

As a service named Check.

alt_text
BLOODALCHEMY deleting beforehand put in service

As a registry key at CurrentVersionRun

alt_text
BLOODALCHEMY deleting “CurrentVersionRun” persistence registry key

As a scheduled job, working with SYSTEM privilege through schtask.exe:

b'schtasks.exe /CREATE /SC %s /TN "%s" /TR "'%s'" /RU "NT AUTHORITYSYSTEM" /Fb'

Utilizing the TaskScheduler::ITaskService COM interface. The intent of this persistence mechanism is presently unknown.

alt_text
Instantiation of the ITaskService COM interface

Working modes

The malware has completely different working modes relying on its configuration:

  • Inside the primary or separate course of thread
  • Create a Home windows course of and inject a shellcode into it
  • As a service

The malware can both work inside the primary course of thread.

alt_text
Functionality operate referred to as inside the primary operate

Or run in a separate thread.

alt_text
Functionality operate referred to as in a brand new thread

Or create a Home windows course of from a hardcoded record and inject a shellcode handed by parameter to the entry level utilizing the WriteProcessMemory+QueueUserAPC+ResumeThread methodology.

alt_text
Course of injection working methodology

alt_text
Record of goal binaries for course of injection

The shellcode is contained within the parameters we name p_interesting_data. This parameter is definitely a pointer to a construction containing each the malware configuration and executable binary knowledge.

alt_text
Entrypoint prototype

alt_text
Offered shellcode copied within the distant course of

alt_text
Remaining a part of the method injection process

Or set up and run itself as a service. On this situation, the service title and outline can be Check and Digital Imaging System:

alt_text
Identify and outline strings used to put in the BLOODALCHEMY service

Additionally when working as a service and began by the service supervisor the malware will masquerade itself as stopped by first setting the service standing to “SERVICE_RUNNING” then setting the standing to “SERVICE_STOPPED” whereas actually the malware continues to be working.

alt_text
BLOODALCHEMY’s service entry level masquerading service standing

Communication

The malware communicates utilizing both the HTTP protocol, named pipes, or sockets.

When utilizing the HTTP protocol the malware requests the next URI /Inform/logger/.

alt_text
URI used to hook up with C2

On this situation, BLOODALCHEMY will attempt to use any proxy server discovered within the registry key SOFTWAREMicrosoftHome windowsCurrentVersionWeb Settings.

alt_text
Host proxy info gathered from registry

We didn’t uncover any C2 infrastructure with our pattern, however the URL may look one thing like this: https://malwa[.]re/Inform/logger

When utilizing a named pipe, the title is randomly generated utilizing the present PID as seed.

See Also

alt_text
Random pipe title era seeded with present PID

Whereas ready for a shopper to hook up with this named pipe the malware scans the working processes and checks that its mother or father course of continues to be working, this can be to restrict entry to the named pipe. That stated, the malware will not be checking that the pipe shopper is the right mother or father course of, solely that the mother or father course of is working. This introduces flawed logic in defending the named pipe.

alt_text
Retrieve mother or father PID

alt_text
Flawed verify for proscribing pipe entry to mother or father course of

From the malware strings and imports we all know that the malware can even function utilizing TCP/UDP sockets.

alt_text
Utilization of the socket API in one of many implementations of the “communication” interface

Whereas we haven’t made any conclusions about their utilization, we record all of the protocols discovered within the encrypted strings.

  • DNS://
  • HTTP://
  • HTTPS://
  • MUX://
  • UDP://
  • SMB://
  • SOCKS5://
  • SOCKS4://
  • TCP://

For all protocols the info will be encrypted, LZNT1 compressed, and/or Base64-encoded.

Instructions

The malware solely comprises a number of instructions with precise results:

  • Write/overwrite the malware toolset
  • Launch its malware binary Check.exe
  • Uninstall and terminate
  • Collect host info

There are three instructions that write (or overwrite) the malware software set with the acquired Base64-encoded binary knowledge:

  • Both the malware binary (Check.exe)
  • the sideloaded DLL (BrLogAPI.dll)
  • or the primary trusted binary (BrDifxapi.exe)

alt_text
BLOODALCHEMY software set overwrite instructions

One command that launches the Check.exe binary within the persistence folder.

alt_text
BLOODALCHEMY command to run the malware executable binary

The uninstall and terminate itself command will first delete all its information at particular areas then take away any persistence registry key or scheduled job, then take away put in service and end by terminating itself.

alt_text
Command to uninstall and terminate itself

alt_text
Uninstall operate

One host info gathering command: CPU, OS, show, community, and many others.

alt_text
Info gathering command

Abstract

BLOODALCHEMY is a backdoor shellcode containing solely unique code(no statically linked libraries). This code seems to be crafted by skilled malware builders.

The backdoor comprises modular capabilities primarily based on its configuration. These capabilities embrace a number of persistence, C2, and execution mechanisms.

Whereas unconfirmed, the presence of so few efficient instructions signifies that the malware could also be a subfeature of a bigger intrusion set or malware bundle, nonetheless in improvement, or a particularly centered piece of malware for a particular tactical utilization.

BLOODALCHEMY and MITRE ATT&CK

Elastic makes use of the MITRE ATT&CK framework to doc frequent techniques, methods, and procedures that superior persistent threats used towards enterprise networks.

Techniques

Techniques characterize the why of a way or sub-technique. It’s the adversary’s tactical purpose: the explanation for performing an motion.

Malware prevention capabilities

YARA

Elastic Safety has created YARA guidelines to establish this exercise. Beneath are YARA guidelines to establish the BLOODALCHEMY malware:

BLOODALCHEMY
rule Windows_Trojan_BloodAlchemy_1 {
    meta:
        writer = "Elastic Safety"
        creation_date = "2023-05-09"
        last_modified = "2023-06-13"
        threat_name = "Home windows.Trojan.BloodAlchemy"
        license = "Elastic License v2"
        os = "home windows"

    strings:
        $a1 = { 55 8B EC 51 83 65 FC 00 53 56 57 BF 00 20 00 00 57 6A 40 FF 15 }
        $a2 = { 55 8B EC 81 EC 80 00 00 00 53 56 57 33 FF 8D 45 80 6A 64 57 50 89 7D E4 89 7D EC 89 7D F0 89 7D }

    situation:
        all of them
}

rule Windows_Trojan_BloodAlchemy_2 {
    meta:
        writer = "Elastic Safety"
        creation_date = "2023-05-09"
        last_modified = "2023-06-13"
        threat_name = "Home windows.Trojan.BloodAlchemy"
        license = "Elastic License v2"
        os = "home windows"

    strings:
        $a1 = { 55 8B EC 83 EC 54 53 8B 5D 08 56 57 33 FF 89 55 F4 89 4D F0 BE 00 00 00 02 89 7D F8 89 7D FC 85 DB }
        $a2 = { 55 8B EC 83 EC 0C 56 57 33 C0 8D 7D F4 AB 8D 4D F4 AB AB E8 42 10 00 00 8B 7D F4 33 F6 85 FF 74 03 8B 77 08 }

    situation:
        any of them
}

rule Windows_Trojan_BloodAlchemy_3 {
    meta:
        writer = "Elastic Safety"
        creation_date = "2023-05-10"
        last_modified = "2023-06-13"
        threat_name = "Home windows.Trojan.BloodAlchemy"
        license = "Elastic License v2"
        os = "home windows"

    strings:
        $a = { 55 8B EC 83 EC 38 53 56 57 8B 75 08 8D 7D F0 33 C0 33 DB AB 89 5D C8 89 5D D0 89 5D D4 AB 89 5D }

    situation:
        all of them
}

rule Windows_Trojan_BloodAlchemy_4 {
    meta:
        writer = "Elastic Safety"
        creation_date = "2023-05-10"
        last_modified = "2023-06-13"
        threat_name = "Home windows.Trojan.BloodAlchemy"
        license = "Elastic License v2"
        os = "home windows"

    strings:
        $a = { 55 8B EC 83 EC 30 53 56 57 33 C0 8D 7D F0 AB 33 DB 68 02 80 00 00 6A 40 89 5D FC AB AB FF 15 28 }

    situation:
        all of them
}

Observations

All observables are additionally out there for download in each ECS and STIX format in a mixed zip bundle.

The next observables have been mentioned on this analysis.

Observable Sort Identify Reference
e14ee3e2ce0010110c409f119d56f6151fdca64e20d902412db46406ed89009a SHA-256 BrLogAPI.dll BLOODALCHEMY loader
25268bc07b64d0d1df441eb6f4b40dc44a6af568be0657533088d3bfd2a05455 SHA-256 NA BLOODALCHEMY payload

Source Link

What's Your Reaction?
Excited
0
Happy
0
In Love
0
Not Sure
0
Silly
0
View Comments (0)

Leave a Reply

Your email address will not be published.

2022 Blinking Robots.
WordPress by Doejo

Scroll To Top