SYMBOLCOMMON_NAMEaka. SYNONYMS
win.blister (Back to overview)

Blister

aka: COLORFAKE

Elastic observed this loader coming with valid code signatures, being used to deploy secondary payloads in-memory.

References
2023-08-24ElasticSalim Bitam, Daniel Stepanic
@online{bitam:20230824:revisting:2a2c2e3, author = {Salim Bitam and Daniel Stepanic}, title = {{Revisting BLISTER: New development of the BLISTER loader}}, date = {2023-08-24}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader}, language = {English}, urldate = {2023-09-06} } Revisting BLISTER: New development of the BLISTER loader
Blister
2023-08-24ElasticSalim Bitam, Daniel Stepanic
@online{bitam:20230824:revisting:87dde30, author = {Salim Bitam and Daniel Stepanic}, title = {{Revisting BLISTER: New development of the BLISTER loader}}, date = {2023-08-24}, organization = {Elastic}, url = {https://security-labs.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader}, language = {English}, urldate = {2023-08-28} } Revisting BLISTER: New development of the BLISTER loader
Blister
2022-06-13Jorge TestaJorge Testa
@online{testa:20220613:killing:36e9385, author = {Jorge Testa}, title = {{Killing The Bear - Evil Corp}}, date = {2022-06-13}, organization = {Jorge Testa}, url = {https://killingthebear.jorgetesta.tech/actors/evil-corp}, language = {English}, urldate = {2022-07-01} } Killing The Bear - Evil Corp
FAKEUPDATES Babuk Blister DoppelPaymer Dridex Entropy FriedEx Hades Macaw Phoenix Locker WastedLoader WastedLocker
2022-06-02MandiantMandiant Intelligence
@online{intelligence:20220602:to:e15831c, author = {Mandiant Intelligence}, title = {{To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions}}, date = {2022-06-02}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions}, language = {English}, urldate = {2022-06-04} } To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker
2022-05-25Medium walmartglobaltechJason Reaves, Joshua Platt
@online{reaves:20220525:socgholish:f876e0e, author = {Jason Reaves and Joshua Platt}, title = {{SocGholish Campaigns and Initial Access Kit}}, date = {2022-05-25}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee}, language = {English}, urldate = {2022-06-02} } SocGholish Campaigns and Initial Access Kit
FAKEUPDATES Blister Cobalt Strike NetSupportManager RAT
2022-05-09Microsoft SecurityMicrosoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team
@online{center:20220509:ransomwareasaservice:3dac44d, author = {Microsoft Threat Intelligence Center and Microsoft 365 Defender Threat Intelligence Team}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft Security}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/}, language = {English}, urldate = {2022-06-02} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Griffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-06Twitter (@MsftSecIntel)Microsoft Security Intelligence
@online{intelligence:20220506:twitter:7a00df8, author = {Microsoft Security Intelligence}, title = {{Twitter Thread on initial infeciton of SocGholish/ FAKEUPDATES campaigns lead to BLISTER Loader, CobaltStrike, Lockbit and followed by Hands On Keyboard activity}}, date = {2022-05-06}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1522690116979855360}, language = {English}, urldate = {2022-05-09} } Twitter Thread on initial infeciton of SocGholish/ FAKEUPDATES campaigns lead to BLISTER Loader, CobaltStrike, Lockbit and followed by Hands On Keyboard activity
FAKEUPDATES Blister Cobalt Strike LockBit
2022-05-05ElasticCyril François, Daniel Stepanic, Salim Bitam
@online{franois:20220505:blister:9404a29, author = {Cyril François and Daniel Stepanic and Salim Bitam}, title = {{BLISTER Loader}}, date = {2022-05-05}, organization = {Elastic}, url = {https://elastic.github.io/security-research/malware/2022/05/02.blister/article/}, language = {English}, urldate = {2022-05-09} } BLISTER Loader
Blister
2022-04-05Trend MicroEarle Maui Earnshaw, Mohamed Fahmy, Ian Kenefick, Ryan Maglaque, Abdelrhman Sharshar, Lucas Silva
@online{earnshaw:20220405:thwarting:af5a4fd, author = {Earle Maui Earnshaw and Mohamed Fahmy and Ian Kenefick and Ryan Maglaque and Abdelrhman Sharshar and Lucas Silva}, title = {{Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload}}, date = {2022-04-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html}, language = {English}, urldate = {2022-05-05} } Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload
FAKEUPDATES Blister LockBit
2022-04-05Trend MicroEarle Maui Earnshaw, Mohamed Fahmy, Ian Kenefick, Ryan Maglaque, Abdelrhman Sharshar, Lucas Silva
@online{earnshaw:20220405:thwarting:03a6217, author = {Earle Maui Earnshaw and Mohamed Fahmy and Ian Kenefick and Ryan Maglaque and Abdelrhman Sharshar and Lucas Silva}, title = {{Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload (IoCs)}}, date = {2022-04-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt}, language = {English}, urldate = {2022-05-05} } Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload (IoCs)
FAKEUPDATES Blister LockBit
2022-04-05Trend MicroEarle Earnshaw, Mohamed Fahmy, Ian Kenefick, Ryan Maglaque, Abdelrhman Sharshar, Lucas Silva
@online{earnshaw:20220405:thwarting:26d6d77, author = {Earle Earnshaw and Mohamed Fahmy and Ian Kenefick and Ryan Maglaque and Abdelrhman Sharshar and Lucas Silva}, title = {{Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload}}, date = {2022-04-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html}, language = {English}, urldate = {2023-02-06} } Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload
Blister LockBit
2022-02-17CloudsekAnandeshwar Unnikrishnan, Hansika Saxena
@online{unnikrishnan:20220217:technical:54f175d, author = {Anandeshwar Unnikrishnan and Hansika Saxena}, title = {{Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 2)}}, date = {2022-02-17}, organization = {Cloudsek}, url = {https://cloudsek.com/technical-analysis-of-code-signed-blister-malware-campaign-part-2/}, language = {English}, urldate = {2022-05-25} } Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 2)
Blister
2022-01-24Red CanaryThe Red Canary Team
@online{team:20220124:intelligence:32ceda6, author = {The Red Canary Team}, title = {{Intelligence Insights: January 2022}}, date = {2022-01-24}, organization = {Red Canary}, url = {https://redcanary.com/blog/intelligence-insights-january-2022/}, language = {English}, urldate = {2022-01-25} } Intelligence Insights: January 2022
Blister Conficker
2022-01-07CloudsekAnandeshwar Unnikrishnan, Deepanjli Paulraj
@online{unnikrishnan:20220107:technical:f17b752, author = {Anandeshwar Unnikrishnan and Deepanjli Paulraj}, title = {{Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 1)}}, date = {2022-01-07}, organization = {Cloudsek}, url = {https://cloudsek.com/technical-analysis-of-code-signed-blister-malware-campaign-part-1/}, language = {English}, urldate = {2022-05-25} } Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 1)
Blister
2021-12-23ElasticJoe Desimone, Samir Bousseaden
@online{desimone:20211223:elastic:0e1caf7, author = {Joe Desimone and Samir Bousseaden}, title = {{Elastic Security uncovers BLISTER malware campaign}}, date = {2021-12-23}, organization = {Elastic}, url = {https://www.elastic.co/blog/elastic-security-uncovers-blister-malware-campaign}, language = {English}, urldate = {2021-12-23} } Elastic Security uncovers BLISTER malware campaign
Blister
Yara Rules
[TLP:WHITE] win_blister_w0 (20211223 | Detects Blister loader.)
rule win_blister_w0 {
    meta:
        author = "Elastic Security"
        description = "Detects Blister loader."
        creation_date = "2021-12-20"
        last_modified = "2021-12-20"
        os = "Windows"
        category_type = "Trojan"
        family = "Blister"
        threat_name = "Windows.Trojan.Blister"
        reference_sample = "0a7778cf6f9a1bd894e89f282f2e40f9d6c9cd4b72be97328e681fe32a1b1a00"
        source = "https://www.elastic.co/de/blog/elastic-security-uncovers-blister-malware-campaign"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blister"
        malpedia_rule_date = "20211223"
        malpedia_hash = ""
        malpedia_version = "20211223"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $a1 = {8D 45 DC 89 5D EC 50 6A 04 8D 45 F0 50 8D 45 EC 50 6A FF FF D7}
        $a2 = {75 F7 39 4D FC 0F 85 F3 00 00 00 64 A1 30 00 00 00 53 57 89 75}           
condition:
        any of them
}
Download all Yara Rules