Introduction:
The Blister malware campaign is a sophisticated and ongoing cyber threat that employs advanced techniques to evade detection and compromise Windows systems. This analysis aims to provide a detailed examination of its operation and offer insights into how organizations can better defend against it.
Malware overview:
- Blister is a multi-stage malware campaign known for leveraging valid code-signing certificates issued by Sectigo to "Blist LLC," linked to a mail.ru email address.
- It disguises malicious components as legitimate executable files, thereby achieving a remarkably low detection rate.
- The malware consists of a loader that deploys a Remote Access Trojan (RAT) as its second-stage payload.
- Blister employs techniques such as directory creation, working directory manipulation, and embedded payload execution to avoid detection.
Upgrade and new threat vector:
- Blister's most recent version incorporates code-signing certificates validated in August 2021, suggesting continuous development.
- Threat actors use code-signing certificates to bypass basic static security checks and compromise target systems.
- The encoded second-stage payload, a RAT or Cobalt Strike beacon, is executed via a benign-looking .dll file that leaves minimal traces, which contributes to its low detection rate on platforms like VirusTotal.
SIEM rules refinement:
- To enhance SIEM (Security Information and Event Management) rules to detect Blister-related activities, organizations should focus on monitoring processes such as rundll32.exe loading suspicious .dll files.
- SIEM rules should flag directory creation and manipulation within user Temp folders.
- Anomalous certificate validation dates, particularly those linked to Sectigo and Blist LLC, should trigger alerts.
- Establishing baselines for normal system behaviour can aid in identifying deviations that may indicate Blister-related activities.
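As an added illustration of these three detection points (example code, not part of the original analysis), the following Python expresses each as a rule and evaluates them over constructed, Sysmon-style sample events; the per-user Temp path pattern, the August 2021 certificate watch window and the baseline allowlist of normal Temp writers are assumptions made for the example.

```python
import re
from datetime import date
from typing import Dict, List, Tuple

# Path fragment identifying a per-user Temp folder (assumed layout of the folder the rules watch).
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
KNOWN_BAD_SIGNER = "Blist LLC"                             # signer name named in the analysis
WATCH_NOT_BEFORE = (date(2021, 8, 1), date(2021, 8, 31))   # August 2021 validity window (assumed bounds)
TEMP_BASELINE = {"msiexec.exe", "explorer.exe"}            # assumed baseline of legitimate Temp writers

def rule_rundll32_temp_dll(ev: Dict[str, str]) -> bool:
    """rundll32.exe invoking a .dll that lives under a user's Temp folder."""
    cmd = ev.get("cmdline", "")
    return (ev.get("event") == "process_create" and ".dll" in cmd.lower()
            and ev.get("image", "").lower().endswith("\\rundll32.exe")
            and USER_TEMP.search(cmd) is not None)

def rule_suspicious_signer(ev: Dict[str, str]) -> bool:
    """Known-bad signer, or a Sectigo-issued certificate whose validity began inside the watch window."""
    if ev.get("signer", "") == KNOWN_BAD_SIGNER:
        return True
    not_before = ev.get("not_before")
    if "sectigo" in ev.get("issuer", "").lower() and not_before:
        return WATCH_NOT_BEFORE[0] <= date.fromisoformat(not_before) <= WATCH_NOT_BEFORE[1]
    return False

def rule_temp_dir_create(ev: Dict[str, str]) -> bool:
    """Directory created under a user's Temp folder by a process outside the baseline."""
    proc = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    return (ev.get("event") == "dir_create" and proc not in TEMP_BASELINE
            and USER_TEMP.search(ev.get("path", "")) is not None)

RULES = [rule_rundll32_temp_dll, rule_suspicious_signer, rule_temp_dir_create]

def evaluate(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule each event matches."""
    return [(i, r.__name__) for i, ev in enumerate(events) for r in RULES if r(ev)]

# Constructed sample telemetry in a simplified Sysmon-like shape; none of it is real data.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\upd\example_loader.dll,Start",
     "signer": "Blist LLC", "issuer": "Sectigo RSA Code Signing CA", "not_before": "2021-08-10"},
    {"event": "process_create", "image": r"C:\Windows\System32\rundll32.exe", "signer": "Microsoft Windows",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL", "issuer": "Microsoft Root CA"},
    {"event": "dir_create", "image": r"C:\Windows\System32\rundll32.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\upd"},
    {"event": "dir_create", "image": r"C:\Windows\System32\msiexec.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\MSI1234.tmp"},
]
```

Running `evaluate(SAMPLE_EVENTS)` flags the first event on both the rundll32 and signer rules and the third on the Temp directory rule, while the baseline installer's Temp directory and the system DLL load stay silent.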
Indicators of Compromise (IOCs):
These IOCs may evolve over time, so it's crucial to continuously update and adapt security measures to stay protected against emerging threats.
Preventive measures:
- Organizations must maintain robust endpoint security solutions that include behaviour-based anomaly detection to catch Blister's evasion techniques.
- Regularly update and patch systems to minimize vulnerabilities.
- Monitor code-signing certificate usage, especially certificates issued by reputable CAs such as Sectigo, and investigate suspicious or expired certificates.
- Implement strict access controls and least privilege principles to limit potential attack vectors.
- Educate employees about social engineering and phishing tactics, as these are common entry points for Blister and similar threats.
Conclusion:
- The Blister malware campaign demonstrates a high level of sophistication and adaptability in evading detection.
- Organizations need to remain vigilant, continually update their security measures, and refine SIEM rules to detect and respond to evolving threats.
- By understanding the technical intricacies of Blister and implementing proactive security measures, organizations can mitigate the risks associated with this malware and safeguard their systems and data.