
Blister

aka: COLORFAKE

Elastic observed this loader shipping with valid code signatures and being used to deploy secondary payloads in memory.

References
2023-11-01 | nccgroup | Mick Koomen
Popping Blisters for research: An overview of past payloads and exploring recent developments
Blister, Cobalt Strike
2023-08-24 | Elastic | Daniel Stepanic, Salim Bitam
Revisiting BLISTER: New development of the BLISTER loader
Blister
2022-06-13 | Jorge Testa | Jorge Testa
Killing The Bear - Evil Corp
FAKEUPDATES, Babuk, Blister, DoppelPaymer, Dridex, Entropy, FriedEx, Hades, Macaw, Phoenix Locker, WastedLoader, WastedLocker
2022-06-02 | Mandiant | Mandiant Intelligence
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES, Blister, Cobalt Strike, DoppelPaymer, Dridex, FriedEx, Hades, LockBit, Macaw, MimiKatz, Phoenix Locker, WastedLocker
2022-05-25 | Medium walmartglobaltech | Jason Reaves, Joshua Platt
SocGholish Campaigns and Initial Access Kit
FAKEUPDATES, Blister, Cobalt Strike, NetSupportManager RAT
2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS, BlackCat, BlackMatter, Conti, DarkSide, HelloKitty, Hive, LockBit, REvil, FAKEUPDATES, Griffon, ATOMSILO, BazarBackdoor, BlackCat, BlackMatter, Blister, Cobalt Strike, Conti, DarkSide, Emotet, FiveHands, Gozi, HelloKitty, Hive, IcedID, ISFB, JSSLoader, LockBit, LockFile, Maze, NightSky, Pandora, Phobos, Phoenix Locker, PhotoLoader, QakBot, REvil, Rook, Ryuk, SystemBC, TrickBot, WastedLocker, BRONZE STARLIGHT
2022-05-09 | Microsoft Security | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Griffon, BazarBackdoor, BlackCat, BlackMatter, Blister, Gozi, LockBit, Pandora, Rook, SystemBC, TrickBot
2022-05-06 | Twitter (@MsftSecIntel) | Microsoft Security Intelligence
Twitter thread on initial infection by SocGholish/FAKEUPDATES campaigns leading to BLISTER loader, Cobalt Strike and LockBit, followed by hands-on-keyboard activity
FAKEUPDATES, Blister, Cobalt Strike, LockBit
2022-05-05 | Elastic | Cyril François, Daniel Stepanic, Salim Bitam
BLISTER Loader
Blister
2022-04-05 | Trend Micro | Abdelrhman Sharshar, Earle Maui Earnshaw, Ian Kenefick, Lucas Silva, Mohamed Fahmy, Ryan Maglaque
Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload (IoCs)
FAKEUPDATES, Blister, LockBit
2022-04-05 | Trend Micro | Abdelrhman Sharshar, Earle Maui Earnshaw, Ian Kenefick, Lucas Silva, Mohamed Fahmy, Ryan Maglaque
Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload
FAKEUPDATES, Blister, LockBit
2022-04-05 | Trend Micro | Abdelrhman Sharshar, Earle Earnshaw, Ian Kenefick, Lucas Silva, Mohamed Fahmy, Ryan Maglaque
Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload
Blister, LockBit
2022-02-17 | Cloudsek | Anandeshwar Unnikrishnan, Hansika Saxena
Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 2)
Blister
2022-01-24 | Red Canary | The Red Canary Team
Intelligence Insights: January 2022
Blister, Conficker
2022-01-07 | Cloudsek | Anandeshwar Unnikrishnan, Deepanjli Paulraj
Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 1)
Blister
2021-12-23 | Elastic | Joe Desimone, Samir Bousseaden
Elastic Security uncovers BLISTER malware campaign
Blister
Yara Rules
[TLP:WHITE] win_blister_auto (20251219 | Detects win.blister.)
rule win_blister_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.blister."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blister"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 53 8b5d10 56 8b750c 57 33ff 6a02 }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   8b5d10               | mov                 ebx, dword ptr [ebp + 0x10]
            //   56                   | push                esi
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   6a02                 | push                2

        $sequence_1 = { 50 c745c03c000000 c745c400020000 c745cce4301717 c745dc05000000 ff15???????? }
            // n = 6, score = 100
            //   50                   | push                eax
            //   c745c03c000000       | mov                 dword ptr [ebp - 0x40], 0x3c
            //   c745c400020000       | mov                 dword ptr [ebp - 0x3c], 0x200
            //   c745cce4301717       | mov                 dword ptr [ebp - 0x34], 0x171730e4
            //   c745dc05000000       | mov                 dword ptr [ebp - 0x24], 5
            //   ff15????????         |                     

        $sequence_2 = { 7507 bf0e000780 eb34 8365f400 ff750c 33c0 }
            // n = 6, score = 100
            //   7507                 | jne                 9
            //   bf0e000780           | mov                 edi, 0x8007000e
            //   eb34                 | jmp                 0x36
            //   8365f400             | and                 dword ptr [ebp - 0xc], 0
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   33c0                 | xor                 eax, eax

        $sequence_3 = { 7d06 33c0 33ff eb03 8b45f4 8945fc }
            // n = 6, score = 100
            //   7d06                 | jge                 8
            //   33c0                 | xor                 eax, eax
            //   33ff                 | xor                 edi, edi
            //   eb03                 | jmp                 5
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_4 = { 50 8d8584fcffff 50 ffb580fcffff 8d856cfcffff ffb578fcffff 50 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8d8584fcffff         | lea                 eax, [ebp - 0x37c]
            //   50                   | push                eax
            //   ffb580fcffff         | push                dword ptr [ebp - 0x380]
            //   8d856cfcffff         | lea                 eax, [ebp - 0x394]
            //   ffb578fcffff         | push                dword ptr [ebp - 0x388]
            //   50                   | push                eax

        $sequence_5 = { ff32 ff15???????? 83f8ff 7507 b805400080 eb02 33c0 }
            // n = 7, score = 100
            //   ff32                 | push                dword ptr [edx]
            //   ff15????????         |                     
            //   83f8ff               | cmp                 eax, -1
            //   7507                 | jne                 9
            //   b805400080           | mov                 eax, 0x80004005
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax

        $sequence_6 = { ff7508 6813100000 ff36 ffd7 6a03 58 8945d4 }
            // n = 7, score = 100
            //   ff7508               | push                dword ptr [ebp + 8]
            //   6813100000           | push                0x1013
            //   ff36                 | push                dword ptr [esi]
            //   ffd7                 | call                edi
            //   6a03                 | push                3
            //   58                   | pop                 eax
            //   8945d4               | mov                 dword ptr [ebp - 0x2c], eax

        $sequence_7 = { e8???????? 57 8bce 894508 e8???????? 5f 5e }
            // n = 7, score = 100
            //   e8????????           |                     
            //   57                   | push                edi
            //   8bce                 | mov                 ecx, esi
            //   894508               | mov                 dword ptr [ebp + 8], eax
            //   e8????????           |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_8 = { 85f6 7507 b857000780 eb45 832600 6a38 8d45c8 }
            // n = 7, score = 100
            //   85f6                 | test                esi, esi
            //   7507                 | jne                 9
            //   b857000780           | mov                 eax, 0x80070057
            //   eb45                 | jmp                 0x47
            //   832600               | and                 dword ptr [esi], 0
            //   6a38                 | push                0x38
            //   8d45c8               | lea                 eax, [ebp - 0x38]

        $sequence_9 = { e8???????? 8bce e8???????? 8bd8 85db 7d0f }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   85db                 | test                ebx, ebx
            //   7d0f                 | jge                 0x11

    condition:
        7 of them and filesize < 1822720
}
[TLP:WHITE] win_blister_w0 (20211223 | Detects Blister loader.)
rule win_blister_w0 {
    meta:
        author = "Elastic Security"
        description = "Detects Blister loader."
        creation_date = "2021-12-20"
        last_modified = "2021-12-20"
        os = "Windows"
        category_type = "Trojan"
        family = "Blister"
        threat_name = "Windows.Trojan.Blister"
        reference_sample = "0a7778cf6f9a1bd894e89f282f2e40f9d6c9cd4b72be97328e681fe32a1b1a00"
        source = "https://www.elastic.co/de/blog/elastic-security-uncovers-blister-malware-campaign"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blister"
        malpedia_rule_date = "20211223"
        malpedia_hash = ""
        malpedia_version = "20211223"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $a1 = {8D 45 DC 89 5D EC 50 6A 04 8D 45 F0 50 8D 45 EC 50 6A FF FF D7}
        $a2 = {75 F7 39 4D FC 0F 85 F3 00 00 00 64 A1 30 00 00 00 53 57 89 75}
    condition:
        any of them
}
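As an added illustration, not part of the Malpedia page and not code from either rule's author, the following Python re-implements just enough of YARA's hex-string semantics to show how the two rules above evaluate: `??` is a single-byte wildcard (in win_blister_auto it masks the rel32 target of `e8` calls and the IAT address of `ff15` calls, which is what lets the byte sequences survive relinking and rebasing), win_blister_auto fires on `7 of them and filesize < 1822720`, and win_blister_w0 fires on `any of them`. The sample buffers are constructed here from the rules' own byte patterns; they are not Blister samples, and the wildcard fill byte 0x41 is arbitrary.

```python
import re

# Hex strings copied from win_blister_auto and win_blister_w0 above.
# "??" is a YARA single-byte wildcard.
AUTO_SEQUENCES = {
    "sequence_0": "53 8b5d10 56 8b750c 57 33ff 6a02",
    "sequence_1": "50 c745c03c000000 c745c400020000 c745cce4301717 c745dc05000000 ff15????????",
    "sequence_2": "7507 bf0e000780 eb34 8365f400 ff750c 33c0",
    "sequence_3": "7d06 33c0 33ff eb03 8b45f4 8945fc",
    "sequence_4": "50 8d8584fcffff 50 ffb580fcffff 8d856cfcffff ffb578fcffff 50",
    "sequence_5": "ff32 ff15???????? 83f8ff 7507 b805400080 eb02 33c0",
    "sequence_6": "ff7508 6813100000 ff36 ffd7 6a03 58 8945d4",
    "sequence_7": "e8???????? 57 8bce 894508 e8???????? 5f 5e",
    "sequence_8": "85f6 7507 b857000780 eb45 832600 6a38 8d45c8",
    "sequence_9": "e8???????? 8bce e8???????? 8bd8 85db 7d0f",
}
W0_STRINGS = {
    "a1": "8D 45 DC 89 5D EC 50 6A 04 8D 45 F0 50 8D 45 EC 50 6A FF FF D7",
    "a2": "75 F7 39 4D FC 0F 85 F3 00 00 00 64 A1 30 00 00 00 53 57 89 75",
}
AUTO_MIN_MATCHES = 7          # "7 of them"
AUTO_MAX_FILESIZE = 1822720   # "filesize < 1822720"


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string (byte pairs and ?? wildcards) into a bytes regex."""
    hexdigits = pattern.replace(" ", "")
    if len(hexdigits) % 2:
        raise ValueError("odd-length hex pattern: " + pattern)
    parts = []
    for i in range(0, len(hexdigits), 2):
        pair = hexdigits[i:i + 2]
        # "??" matches any single byte; everything else is a literal byte.
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def find_matches(data: bytes, strings: dict) -> dict:
    """Return {name: [offsets]} for every hex string that occurs in data."""
    hits = {}
    for name, pattern in strings.items():
        offsets = [m.start() for m in hex_pattern_to_regex(pattern).finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


def evaluate_auto_rule(data: bytes) -> bool:
    """win_blister_auto condition: 7 of them and filesize < 1822720."""
    enough_strings = len(find_matches(data, AUTO_SEQUENCES)) >= AUTO_MIN_MATCHES
    return enough_strings and len(data) < AUTO_MAX_FILESIZE


def evaluate_w0_rule(data: bytes) -> bool:
    """win_blister_w0 condition: any of them."""
    return bool(find_matches(data, W0_STRINGS))


def instantiate(pattern: str, fill: int = 0x41) -> bytes:
    """Concrete bytes for a pattern with every ?? replaced by `fill` (constructed test data only)."""
    return bytes.fromhex(pattern.replace(" ", "").replace("??", "%02x" % fill))


def build_sample(sequence_names, extra: bytes = b"") -> bytes:
    """Constructed buffer: NOP sled, the named auto-rule sequences separated by int3, then extra bytes."""
    blob = b"\x90" * 16
    for name in sequence_names:
        blob += instantiate(AUTO_SEQUENCES[name]) + b"\xcc" * 4
    return blob + extra


# Constructed positives/negatives (not real samples): seven sequences plus $a1 trip both rules,
# six sequences trip neither.
POSITIVE = build_sample(list(AUTO_SEQUENCES)[:7], instantiate(W0_STRINGS["a1"]))
NEGATIVE = build_sample(list(AUTO_SEQUENCES)[:6])

if __name__ == "__main__":
    for label, buf in (("positive", POSITIVE), ("negative", NEGATIVE)):
        print(label, "auto:", evaluate_auto_rule(buf), "w0:", evaluate_w0_rule(buf),
              "matched:", sorted(find_matches(buf, AUTO_SEQUENCES)))
    # The filesize guard is part of the condition: padding the positive past the limit defeats the auto rule.
    print("oversized positive auto:", evaluate_auto_rule(POSITIVE + b"\x00" * AUTO_MAX_FILESIZE))
```

This is a reference model of the conditions, not a replacement for the YARA engine: scan real samples with yara or yara-python and the rules exactly as published. Two caveats follow directly from the rule text. The `filesize` term means a memory dump or an unpacked image larger than 1822720 bytes will not fire win_blister_auto even if all ten sequences are present, so scan the sections you carved rather than a whole process image. And the rule's own disclaimer notes that it was generated from single documented samples, so its generalization to newer Blister builds is untested; the hand-written win_blister_w0 strings, by contrast, contain no wildcards and break on any rebuild that changes those instruction bytes.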