New tools are being used to steal sensitive intelligence data.
Elastic Security Labs researchers have identified a new backdoor called BLOODALCHEMY, which has been used in attacks against ASEAN member nations by Chinese cybercriminals. The backdoor is part of their REF5961 intrusion kit and targets x86 systems. Despite being functional, BLOODALCHEMY is considered an incomplete project with limited capabilities.

The backdoor supports commands such as writing or overwriting its toolchain, executing a binary, deleting itself and shutting down, and gathering host data. To ensure persistence, it copies itself to one of a fixed set of folders: ProgramFiles, ProgramFiles(x86), Appdata, or LocalAppDataPrograms.

BLOODALCHEMY is part of REF5961's larger toolkit, used in both ongoing and previous attacks. The discovery of malware samples from the earlier REF2924 intrusion kit supports suspicions that the REF5961 operators have connections to China. The three new REF5961 malware families, EAGERBEE, RUDEBIRD, and DOWNTOWN, are believed to be the work of state-sponsored cyber spies.