Full Report
Popping Blisters for research: An overview of past payloads and exploring recent developments, authored by Mick Koomen.
Summary: Blister is a piece of malware that loads a payload embedded inside it. We provide an overview of payloads dropped by the Blister loader based on 137 unpacked samples from the past one and a half years and take a look at recent activity of Blister. The overview shows that …
Analysis Summary
# Tool/Technique: Blister Loader
## Overview
Blister is a sophisticated malware loader (packer) designed to execute secondary payloads in-memory to evade traditional security solutions. It is characterized by its use of legitimate-looking, code-signed executables to hide malicious functionality. Since its appearance in late 2021, it has transitioned from a broad delivery tool to a targeted loader featuring environmental keying and advanced obfuscation.
## Technical Details
- **Type**: Malware Loader
- **Platform**: Windows (x86 and x64; primarily x64 since 2022)
- **Capabilities**: In-memory payload injection, environmental keying (domain hashing), obfuscation, and code signing.
- **First Seen**: December 2021 (reported by Elastic Security)
## MITRE ATT&CK Mapping
- **[TA0002 - Execution]**
  - [T1059] - Command and Scripting Interpreter
- **[TA0005 - Defense Evasion]**
  - [T1027] - Obfuscated Files or Information
  - [T1622] - Debugger Evasion
  - [T1553.002] - Subvert Trust Controls: Code Signing
  - [T1497.001] - Virtualization/Sandbox Evasion: System Checks (Environmental Keying)
- **[TA0011 - Command and Control]**
  - [T1071.001] - Application Layer Protocol: Web Protocols
## Functionality
### Core Capabilities
- **Signed Executables**: Historically used valid code signatures (e.g., "Blist LLC") to masquerade as legitimate software.
- **Payload Injection**: Unpacks and executes an embedded payload (often encrypted) directly into the memory of a legitimate process.
- **Persistence Mechanism**: Often deployed as a follow-up to initial access vectors like SocGholish.
### Advanced Features
- **Environmental Keying**: Employs an optional domain hash check. The loader will only decrypt and execute the payload if the host is joined to a specific, pre-defined target domain.
- **Stage-1 Obfuscation**: Recent variants (August 2023) feature heavily obfuscated first-stage loaders to prevent static analysis and signature-based detection.
- **Payload Diversity**: Historically dropped **Cobalt Strike** and **BitRat**, but recently shifted toward custom **Mythic agents** and specialized red teaming frameworks.
## Indicators of Compromise
### File Hashes (Samples)
- **SHA256**: 96823bb6befe5899739bd69ab00a6b4ae1256fd586159968301a4a69d675a5ec (Cobalt Strike)
- **SHA256**: 315217b860ab46c6205b36e49dfaa927545b90037373279723c3dec165dfaf11 (Cobalt Strike)
- **SHA256**: 91446c6d3c11074e6ff0ff42df825f9ffd5f852c2e6532d4b9d8de340fa32fb8 (Test Application)
- **SHA256**: 49925637250438b05d3aebaac70bb180a0825ec4272fbe74c6fecb5e085bcf10 (Cobalt Strike)
### File Names
- Often mimics legitimate tools (e.g., `putty.exe`, `Test application`)
### Behavioral Indicators
- Process injection into legitimate system processes.
- Large, high-entropy resource sections within small executables.
- Unusual domain name resolution attempts used for environmental keying checks.
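The "large, high-entropy resource section within a small executable" indicator above can be checked mechanically. The following triage script is an added example, not code from the report or from Fox-IT: it parses only the DOS, COFF and section headers of a PE image, computes Shannon entropy per section, and flags sections that are both near-random and account for most of the file. The thresholds, the `build_sample_pe` helper and the embedded sample image are assumptions constructed for the example.

```python
import hashlib
import math
import struct
from collections import Counter

ENTROPY_THRESHOLD = 7.2     # bits/byte; encrypted or compressed data sits near 8.0 (assumed cutoff)
SIZE_RATIO_THRESHOLD = 0.5  # the section accounts for at least half of the file (assumed cutoff)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(pe: bytes):
    """Yield (name, raw_bytes) per section; only DOS, COFF and section headers are parsed."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER: Machine, NumberOfSections, ..., SizeOfOptionalHeader
    num_sections, _, _, _, opt_size = struct.unpack_from("<HIIIH", pe, coff + 2)
    for i in range(num_sections):
        hdr = coff + 20 + opt_size + 40 * i  # 40-byte IMAGE_SECTION_HEADER entries
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        yield name, pe[raw_ptr:raw_ptr + raw_size]

def suspicious_sections(pe: bytes):
    """Sections that are both high-entropy and dominate the file size."""
    scored = [(n, shannon_entropy(d), len(d) / len(pe)) for n, d in pe_sections(pe)]
    return [(n, round(e, 2), round(r, 2)) for n, e, r in scored
            if e >= ENTROPY_THRESHOLD and r >= SIZE_RATIO_THRESHOLD]

def build_sample_pe(sections):
    """Constructed minimal PE layout (valid headers, not an executable binary)."""
    e_lfanew, opt_size = 0x40, 240
    ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)  # file offset of the first section
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    table = body = b""
    for i, (name, data) in enumerate(sections):
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0x1000 * (i + 1), len(data), ptr) + b"\0" * 16
        body, ptr = body + data, ptr + len(data)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table + body

# Constructed sample: a tiny low-entropy .text next to a large pseudo-random .rsrc blob.
SAMPLE_PE = build_sample_pe([(b".text", b"\x90\x90\x90\xc3" * 64),
                             (b".rsrc", b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256)))])
```

Running `suspicious_sections(SAMPLE_PE)` flags only `.rsrc`; on real files, pair the hit with the signer check from the mitigation section, since a signed binary carrying such a blob is the shape this loader takes.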
## Associated Threat Actors
- **Evil Corp (Indrik Spider)**: Activity linked to infrastructure and deployment patterns.
- **SocGholish (Exotic Lily / TA554)**: Blister is frequently observed as a secondary payload delivered via SocGholish JavaScript infections.
## Detection Methods
- **Behavioral detection**: Monitoring for "living-off-the-land" binaries performing unusual memory allocations or process hollowing.
- **YARA**: Identification based on unique decryption loops and resource naming conventions (Fox-IT provides specialized YARA rules for both the loader and Mythic agents).
- **Static Analysis**: Extracting and hashing target domain IDs from the Blister configuration section to identify targeted campaigns.
## Mitigation Strategies
- **Certificate Validation**: Verify and strictly monitor the use of self-signed or unusual third-party code-signing certificates.
- **Endpoint Detection & Response (EDR)**: Enable memory scanning and behavioral monitoring to identify in-memory execution of payloads.
- **Hardening**: Restrict script execution (e.g., through PowerShell Constrained Language Mode) to mitigate the SocGholish vector that often precedes Blister.
## Related Tools/Techniques
- **SocGholish**: The primary delivery mechanism.
- **Mythic**: The C2 framework currently favored for embedded payloads.
- **Cobalt Strike**: Historically the most common payload delivered by the loader.