win.blister

Blister

aka: COLORFAKE

Elastic observed this loader being distributed with valid code signatures and used to deploy secondary payloads in memory.

References
2023-11-01 | nccgroup | Mick Koomen
Popping Blisters for research: An overview of past payloads and exploring recent developments
Blister Cobalt Strike
2023-08-24 | Elastic | Daniel Stepanic, Salim Bitam
Revisting BLISTER: New development of the BLISTER loader
Blister
2023-08-24 | Elastic | Daniel Stepanic, Salim Bitam
Revisting BLISTER: New development of the BLISTER loader
Blister
2022-06-13 | Jorge Testa | Jorge Testa
Killing The Bear - Evil Corp
FAKEUPDATES Babuk Blister DoppelPaymer Dridex Entropy FriedEx Hades Macaw Phoenix Locker WastedLoader WastedLocker
2022-06-02 | Mandiant | Mandiant Intelligence
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker
2022-05-25 | Medium walmartglobaltech | Jason Reaves, Joshua Platt
SocGholish Campaigns and Initial Access Kit
FAKEUPDATES Blister Cobalt Strike NetSupportManager RAT
2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-09 | Microsoft Security | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Griffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot
2022-05-06 | Twitter (@MsftSecIntel) | Microsoft Security Intelligence
Twitter Thread on initial infection of SocGholish/ FAKEUPDATES campaigns leading to BLISTER Loader, CobaltStrike, Lockbit and followed by Hands On Keyboard activity
FAKEUPDATES Blister Cobalt Strike LockBit
2022-05-05 | Elastic | Cyril François, Daniel Stepanic, Salim Bitam
BLISTER Loader
Blister
2022-04-05 | Trend Micro | Abdelrhman Sharshar, Earle Maui Earnshaw, Ian Kenefick, Lucas Silva, Mohamed Fahmy, Ryan Maglaque
Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload (IoCs)
FAKEUPDATES Blister LockBit
2022-04-05 | Trend Micro | Abdelrhman Sharshar, Earle Maui Earnshaw, Ian Kenefick, Lucas Silva, Mohamed Fahmy, Ryan Maglaque
Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload
FAKEUPDATES Blister LockBit
2022-04-05 | Trend Micro | Abdelrhman Sharshar, Earle Earnshaw, Ian Kenefick, Lucas Silva, Mohamed Fahmy, Ryan Maglaque
Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload
Blister LockBit
2022-02-17 | Cloudsek | Anandeshwar Unnikrishnan, Hansika Saxena
Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 2)
Blister
2022-01-24 | Red Canary | The Red Canary Team
Intelligence Insights: January 2022
Blister Conficker
2022-01-07 | Cloudsek | Anandeshwar Unnikrishnan, Deepanjli Paulraj
Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 1)
Blister
2021-12-23 | Elastic | Joe Desimone, Samir Bousseaden
Elastic Security uncovers BLISTER malware campaign
Blister
Yara Rules
[TLP:WHITE] win_blister_auto (20230808 | Detects win.blister.)
rule win_blister_auto {
    // Auto-generated code-pattern rule for the Blister loader (win.blister).
    // Each $sequence_N below is a short run of x86 (32-bit) instruction bytes
    // taken from disassembly (the annotated listing under each string shows
    // the decoded instructions). The "??" bytes wildcard the operand bytes of
    // calls, jumps and absolute data references (see signator_config), so the
    // pattern does not depend on those particular addresses.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): date, malpedia_rule_date and malpedia_version disagree
        // (2023-12-06 / 20231130 / 20230808); confirm which one reflects the
        // sample set this rule was generated from before relying on it.
        date = "2023-12-06"
        version = "1"
        description = "Detects win.blister."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blister"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Ten sequences; the "n" in each annotation is the instruction count
        // and "score" is the generator's weight for that sequence.
        $sequence_0 = { 33f6 8d4447fe 8975fc 8945f8 3bfe 0f8447010000 }
            // n = 6, score = 100
            //   33f6                 | xor                 esi, esi
            //   8d4447fe             | lea                 eax, [edi + eax*2 - 2]
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   3bfe                 | cmp                 edi, esi
            //   0f8447010000         | je                  0x14d

        $sequence_1 = { 57 ff75fc ffd6 85c0 7529 33c9 41 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   7529                 | jne                 0x2b
            //   33c9                 | xor                 ecx, ecx
            //   41                   | inc                 ecx

        $sequence_2 = { e8???????? 8bf0 85f6 7c2e 6a04 58 8d4d08 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7c2e                 | jl                  0x30
            //   6a04                 | push                4
            //   58                   | pop                 eax
            //   8d4d08               | lea                 ecx, [ebp + 8]

        $sequence_3 = { 8bff 55 8bec b8dc140000 e8???????? a1???????? 33c5 }
            // n = 7, score = 100
            //   8bff                 | mov                 edi, edi
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   b8dc140000           | mov                 eax, 0x14dc
            //   e8????????           |                     
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp

        $sequence_4 = { 8b3d???????? 6870010000 684c040000 ff7604 ffd7 8b1d???????? }
            // n = 6, score = 100
            //   8b3d????????         |                     
            //   6870010000           | push                0x170
            //   684c040000           | push                0x44c
            //   ff7604               | push                dword ptr [esi + 4]
            //   ffd7                 | call                edi
            //   8b1d????????         |                     

        $sequence_5 = { 8d45a0 50 ff750c c745a060000000 6891100000 ff36 }
            // n = 6, score = 100
            //   8d45a0               | lea                 eax, [ebp - 0x60]
            //   50                   | push                eax
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   c745a060000000       | mov                 dword ptr [ebp - 0x60], 0x60
            //   6891100000           | push                0x1091
            //   ff36                 | push                dword ptr [esi]

        $sequence_6 = { ff7604 ff75f4 ff75e8 6a02 ff75fc ff15???????? 85c0 }
            // n = 7, score = 100
            //   ff7604               | push                dword ptr [esi + 4]
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   ff75e8               | push                dword ptr [ebp - 0x18]
            //   6a02                 | push                2
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_7 = { 8b4e28 8d45f8 50 895df8 e8???????? }
            // n = 5, score = 100
            //   8b4e28               | mov                 ecx, dword ptr [esi + 0x28]
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   895df8               | mov                 dword ptr [ebp - 8], ebx
            //   e8????????           |                     

        $sequence_8 = { ff15???????? 8bc8 0fb701 f7d8 1bc0 23c1 5e }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8bc8                 | mov                 ecx, eax
            //   0fb701               | movzx               eax, word ptr [ecx]
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax
            //   23c1                 | and                 eax, ecx
            //   5e                   | pop                 esi

        $sequence_9 = { 50 8b859cf7ffff 8b8c052cf7ffff e8???????? 8985a8f7ffff 85c0 0f8cf9010000 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8b859cf7ffff         | mov                 eax, dword ptr [ebp - 0x864]
            //   8b8c052cf7ffff       | mov                 ecx, dword ptr [ebp + eax - 0x8d4]
            //   e8????????           |                     
            //   8985a8f7ffff         | mov                 dword ptr [ebp - 0x858], eax
            //   85c0                 | test                eax, eax
            //   0f8cf9010000         | jl                  0x1ff

    condition:
        // At least 7 of the 10 sequences must be present, and the file must be
        // smaller than 1822720 bytes. NOTE(review): both values come from the
        // generator rather than family-specific tuning; the filesize bound is
        // meaningful for file scans but not for process-memory scans, where
        // filesize is not defined — confirm this suits your deployment.
        7 of them and filesize < 1822720
}
[TLP:WHITE] win_blister_w0   (20211223 | Detects Blister loader.)
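rule win_blister_w0 {
    // Elastic Security's original Blister loader signature (December 2021).
    // Both strings are fixed x86 (32-bit) code byte patterns with no
    // wildcards; the rule fires when either one is found ("any of them"),
    // so a single string hit is sufficient for a match.
    meta:
        author = "Elastic Security"
        description = "Detects Blister loader."
        creation_date = "2021-12-20"
        last_modified = "2021-12-20"
        os = "Windows"
        category_type = "Trojan"
        family = "Blister"
        threat_name = "Windows.Trojan.Blister"
        // SHA-256 of the sample this rule was written against (see source).
        reference_sample = "0a7778cf6f9a1bd894e89f282f2e40f9d6c9cd4b72be97328e681fe32a1b1a00"
        source = "https://www.elastic.co/de/blog/elastic-security-uncovers-blister-malware-campaign"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blister"
        malpedia_rule_date = "20211223"
        // Published empty; no Malpedia hash was recorded for this rule.
        malpedia_hash = ""
        malpedia_version = "20211223"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Stack-relative lea/push sequence ending in an indirect call through edi.
        $a1 = {8D 45 DC 89 5D EC 50 6A 04 8D 45 F0 50 8D 45 EC 50 6A FF FF D7}
        // NOTE(review): the bytes 64 A1 30 00 00 00 decode as mov eax, fs:[0x30]
        // (a read of the PEB pointer on 32-bit Windows) — decoded by hand, verify.
        $a2 = {75 F7 39 4D FC 0F 85 F3 00 00 00 64 A1 30 00 00 00 53 57 89 75}

    condition:
        any of them
}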