blister-malware

Introduction:

The Blister malware campaign is a sophisticated and ongoing cyber threat that employs advanced techniques to evade detection and compromise Windows systems. This analysis aims to provide a detailed examination of its operation and offer insights into how organizations can better defend against it.

Malware overview:

  • Blister is a multi-stage malware campaign known for leveraging valid code-signing certificates issued by Sectigo to "Blist LLC," linked to a mail.ru email address.
  • It disguises malicious components as legitimate executable files, thereby achieving a remarkably low detection rate.
  • The malware consists of a loader that deploys a Remote Access Trojan (RAT) as its second-stage payload.
  • Blister employs techniques such as directory creation, working directory manipulation, and embedded payload execution to avoid detection.

Upgrade and new threat vector:

  • Blister's most recent version incorporates code-signing certificates validated in August 2021, suggesting continuous development.
  • Threat actors use code-signing certificates to bypass basic static security checks and compromise target systems.
  • The second-stage payload executes the encoded RAT or Cobalt Strike beacon through a benign-looking .dll file that leaves few forensic traces, which contributes to its low detection rate on platforms such as VirusTotal.

SIEM rules refinement:

  • To enhance SIEM (Security Information and Event Management) rules so that they detect Blister-related activity, organizations should focus on monitoring processes such as Rundll32.exe loading suspicious .dll files.
  • SIEM rules should flag directory creation and manipulation within user Temp folders.
  • Anomalous code-signing certificate validity dates, particularly on certificates issued by Sectigo to Blist LLC, should trigger alerts.
  • Establishing baselines for normal system behaviour can aid in identifying deviations that may indicate Blister-related activities.
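A toy SIEM rule set covering the telemetry points above (rundll32.exe loading a DLL from a user Temp folder, directory creation under Temp, and Sectigo-issued certificates for Blist LLC), as an added example that is not code from the original post or from CloudSEK; the event records are constructed, and the field names and the August 2021 cutoff are assumptions.

```python
# Toy SIEM rule set for the Blister telemetry points above. Added example, not CloudSEK's or
# any vendor's detection content; event shape and field names are assumptions.
import re
from datetime import date
# Constructed sample telemetry in a simplified Sysmon-like shape, not real capture data.
EVENTS = [
    {"id": 1, "type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\hdjz\update.dll,Start",
     "signer": "Blist LLC", "issuer": "Sectigo Public Code Signing CA", "valid_from": "2021-08-23"},
    {"id": 2, "type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL", "signer": "Microsoft Windows",
     "issuer": "Microsoft Code Signing PCA", "valid_from": "2020-03-04"},
    {"id": 3, "type": "dir_create", "path": r"C:\Users\alice\AppData\Local\Temp\hdjz"},
    {"id": 4, "type": "dir_create", "path": r"C:\ProgramData\Tool\cache"},
]
# Any user's %LOCALAPPDATA%\Temp folder or anything beneath it.
TEMP_DIR = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp(\\|$)", re.IGNORECASE)

def dll_argument(cmdline):
    """DLL path given to rundll32 (first .dll token, ',EntryPoint' stripped); quoted paths with spaces not handled."""
    for tok in cmdline.split()[1:]:
        path = tok.split(",", 1)[0]
        if path.lower().endswith(".dll"):
            return path
    return None

def rundll32_temp_dll(ev):
    """Rule 1: rundll32.exe invoked with a DLL that lives under a user Temp folder."""
    if ev["type"] != "process_create" or not ev["image"].lower().endswith("rundll32.exe"):
        return False
    dll = dll_argument(ev.get("cmdline", ""))
    return dll is not None and bool(TEMP_DIR.search(dll))

def temp_dir_creation(ev):
    """Rule 2: a directory created inside a user Temp folder."""
    return ev["type"] == "dir_create" and bool(TEMP_DIR.search(ev["path"]))

def suspicious_signer(ev, cutoff=date(2021, 8, 1)):
    """Rule 3: Sectigo-issued certificate for 'Blist LLC' whose validity starts on or after
    the cutoff (the cutoff is an assumption drawn from the August 2021 date mentioned above)."""
    return ("signer" in ev and "sectigo" in ev["issuer"].lower()
            and ev["signer"].lower() == "blist llc" and date.fromisoformat(ev["valid_from"]) >= cutoff)

RULES = {f.__name__: f for f in (rundll32_temp_dll, temp_dir_creation, suspicious_signer)}

def evaluate(events):
    """Map each event id to the names of the rules that fired on it; silent events are omitted."""
    fired = {ev["id"]: [n for n, rule in RULES.items() if rule(ev)] for ev in events}
    return {eid: names for eid, names in fired.items() if names}
```

The baseline point in the last bullet can be layered on top by counting how often each rule fires per host before raising an alert.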

Indicators of Compromise (IOCs):

These IOCs may evolve over time, so it's crucial to continuously update and adapt security measures to stay protected against emerging threats.

Preventive measures:

  • Organizations must maintain robust endpoint security solutions that include behaviour-based anomaly detection to catch Blister's evasion techniques.
  • Regularly update and patch systems to minimize vulnerabilities.
  • Monitor code-signing certificate usage, especially certificates issued by reputable CAs such as Sectigo, and investigate suspicious or expired certificates.
  • Implement strict access controls and least privilege principles to limit potential attack vectors.
  • Educate employees about social engineering and phishing tactics, as these are common entry points for Blister and similar threats.

Conclusion:

  • The Blister malware campaign demonstrates a high level of sophistication and adaptability in evading detection.
  • Organizations need to remain vigilant, continually update their security measures, and refine SIEM rules to detect and respond to evolving threats.
  • By understanding the technical intricacies of Blister and implementing proactive security measures, organizations can mitigate the risks associated with this malware and safeguard their systems and data.

