DeepSec 2024 Talk: The Malicious Bloodline Inheritance: Dissecting Deed RAT and Blood Alchemy – You Nakatsuru, Kiyotaka Tamada & Suguru Ishimaru
ShadowPad is a particularly notorious malware family used in Advanced Persistent Threat (APT) campaigns since 2017. Its use spread to various groups beginning in 2019, and a ShadowPad builder was disclosed in June 2024. One reason ShadowPad has garnered so much attention from security researchers is that it is an advanced, modular, fileless RAT with a complex structure that is difficult to analyze.
In July 2023, Deed RAT was published by Positive Security as a variant of ShadowPad. Furthermore, the Blood Alchemy malware was discovered by ICI in April as another variant of Deed RAT, based on evidence such as unique data structures, malware configurations, loading schemes, and code similarities.
However, important features of both Deed RAT and Blood Alchemy, such as the C2 communication scheme, the loading of additional modules, and details of the backdoor commands, were missing from those reports. We therefore conducted further investigation and analysis building on the published research, and disclose in depth the communication protocols and the doubly linked list used to manage additional modules, both of which are quite unique. Additionally, we confirmed more code similarities that were not mentioned in the publicly available information, further establishing the relationship between Deed RAT and Blood Alchemy.
Moreover, we investigated a server that hosted various tools along with Deed RAT between October 2023 and April 2024. Through this investigation, we uncovered another relationship between threat groups involving ShadowPad and Deed RAT, as well as the TTPs of the attack using Deed RAT.
In our talk, we will reveal the inherited relationships between the three malware families, from ShadowPad to Blood Alchemy, based on the code similarities and TTPs that have not been clarified so far. We will also describe further details of Deed RAT and Blood Alchemy’s implementation, including our configuration parsers for them, which will be useful for assisting threat researchers and malware analysts.
We asked You, Kiyotaka and Suguru a few more questions about their talk.
Please tell us the top 5 facts about your talk.
Just three, simply.
- We will describe sophisticated APT activities involving DeedRAT and BloodAlchemy in 2023.
- This talk will reveal details about DeedRAT and BloodAlchemy, two closely related malware families based on ShadowPad.
- We believe, based on our research, that Chinese-speaking actors are likely behind these attacks. These attacks are likely ongoing and highly stealthy, making them difficult to detect and defend against.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
The inspiration for this talk came directly from our research, where we encountered highly advanced and persistent threats that underscored the need for long-term vigilance. In facing these challenges, we realized that sharing intelligence on these stealth-focused activities is no longer optional but an urgent necessity. Actually, collaborative efforts from us across different companies, each sharing knowledge and supporting one another, were key in creating this talk.
Why do you think this is an important topic?
This topic is essential because stealthy, targeted attacks increasingly employ complex malware, posing substantial detection and mitigation challenges. Given the sophisticated evasion techniques and persistence of such threats, it’s crucial to raise awareness and encourage proactive countermeasures to stay ahead.
Is there something you want everybody to know – some good advice for our readers, maybe?
One key message we would like to share is that, even after the prominence of ShadowPad, similar high-impact threats have already emerged and are active in the wild. By understanding the specific requirements for detection and countermeasures, as illustrated in our analysis, you’ll be better prepared. Remember, even if these threats haven’t directly impacted you yet, they could be operating undetected within your environment.
A prediction for the future – what do you think will be the next innovations or future downfalls for your field of expertise / the topic of your talk in particular?
Looking forward, we hope to see enhanced defenses against sophisticated, targeted attack activities, through deep dives into malware reversing and more robust attribution efforts across various cases. We also expect more active sharing of intelligence on stealthy attack patterns like these, as proactive intelligence exchange will be crucial in countering these evolving threats.
With a background in security incident response support and malware analysis and countermeasure research, You Nakatsuru joined Secureworks in March 2016. Currently, as a researcher on the Counter Threat Unit team, he focuses on investigating the latest cyber attacks, particularly those targeting Japanese enterprises. He is also actively involved in incident response and malware analysis.
Kiyotaka Tamada, Secureworks: He joined the Counter Threat Unit (CTU) of Secureworks in 2018 and is engaged in malware analysis and forensic analysis during Incident Response services, as well as collecting and analyzing cyber threat intelligence targeting Japan. He also worked at the Regional TrendLabs (RTL) of Trend Micro for 8 years. He has posted technical blogs on trendmicro.com and secureworks.jp, and he presented at JSAC 2019, 2020 and 2022.
Suguru Ishimaru, ITOCHU Cyber & Intelligence Inc.: In 2023, he joined ITOCHU Cyber & Intelligence Inc. (ICI) as a senior cybersecurity researcher to analyze malware, research Advanced Persistent Threats (APT), review security solutions and handle incident response to protect the ITOCHU group. Before moving to ICI, he worked as a senior researcher in the Global Research and Analysis Team (GReAT) at Kaspersky for around 15 years. Based on his investigations, he has posted technical blog posts on securelist.com and given talks at several security conferences such as Virus Bulletin, SAS, JSAC, Botconf, Objective by the sea, HITCON pacific, HITCON community, GReAT Ideas Green Tea Edition, AVTokyo, FIRST TC and JPAAWG.