Full Report
Authored by Mick Koomen
Source: Popping Blisters for research: An overview of past payloads and exploring recent developments
Summary: Blister is a piece of malware that loads a payload embedded inside it. We provide an overview of payloads dropped by the Blister loader based on 137 unpacked samples from the past one and a half years and take a look at recent activity of Blister. The overview shows that …
Analysis Summary
# Tool/Technique: Blister Loader
## Overview
Blister is a malware loader designed to execute an embedded payload. Analysis of 137 unpacked samples over the past year and a half shows shifts in its operation, including a transition from using Cobalt Strike beacons to Mythic agents as primary payloads. Recent versions incorporate environmental keying for targeted deployment and added obfuscation to the initial loader stage for increased evasion.
## Technical Details
- Type: Malware family (Loader)
- Platform: Likely Windows (implied by observed usage, by payload types such as Cobalt Strike beacons and Mythic agents, and by the exclusive use of the x86-64 instruction set since 2022).
- Capabilities: Loads an embedded internal payload; supports environmental keying for targeted attacks; recent versions feature first-stage obfuscation.
- First Seen: December 2021 (documented by Elastic Security).
## MITRE ATT&CK Mapping
(Note: The techniques below are inferred from the nature of a loader and from the observed payloads and delivery methods, not stated explicitly in the source.)
- **TA0002 - Execution**
- T1204 - User Execution
- T1204.002 - Malicious File
- T1055 - Process Injection (Inferred, typical for loaders delivering secondary stage malware)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (Recent development noted: Obfuscation on the first stage)
## Functionality
### Core Capabilities
- Loads and executes a secondary payload embedded within itself.
- Observed payloads include Cobalt Strike beacons and Mythic agents.
- In its initial campaign, it reportedly dropped Cobalt Strike and BitRat.
### Advanced Features
- **Environmental Keying:** Since an update in August 2022, most samples include an optional domain hash for environmental keying, enabling attackers to restrict execution to specific environments.
- **Obfuscation:** Recent development (August 2023 activity) includes added obfuscation to the first stage of the loader component injected into a legitimate executable.
- **Code Signing Masking:** Early versions utilized valid code signatures referencing "Blist LLC" to masquerade as legitimate executables.
- **Architecture Focus:** Since 2022, it has exclusively used the x86-64 instruction set.
## Indicators of Compromise
(Note: The IoCs below are descriptive, based on observations in the source text; detailed hashes and network artifacts are not fully provided outside the referenced table snippet.)
- File Hashes: The source references a table of hashes for Blister samples and their payloads (Cobalt Strike, PuTTY); one example is `f318374a80fadf201cc3e34a887716708635294031b1b`, associated with Cobalt Strike.
- File Names: N/A (No common file names specified, assumed to vary or be disguised).
- Registry Keys: N/A
- Network Indicators: N/A (Blister's environmental keying relies on a hash of the target domain, but the source lists no specific domains as defanged IoCs).
- Behavioral Indicators: Injects its loader component into a legitimate executable; delivers secondary payloads like Cobalt Strike or Mythic agents.
## Associated Threat Actors
- **Evil Corp:** Previously linked to activity using Blister.
- **SocGholish (UNC2562 variant):** Observed using Blister frequently, sometimes as a follow-up infection following initial SocGholish infection methods (such as malicious installers).
## Detection Methods
- **YARA Rules:** The article mentions providing YARA rules to help analyze the Mythic agent and the packer observed alongside it.
- **Signature/Behavioral:** Detection relies on identifying the Blister packing technique or the known deployment chains (e.g., following a SocGholish infection).
## Mitigation Strategies
- **Monitor for Unexpected Payloads:** Be vigilant for unexpected delivery of C2 frameworks like Cobalt Strike and Mythic agents.
- **Environment Key Validation:** If possible, analyze samples for environmental key checks to understand targeting restrictions.
- **Endpoint Detection:** Utilize endpoint solutions capable of detecting process injection stemming from suspicious initial executables.
## Related Tools/Techniques
- **Payloads:** Cobalt Strike, Mythic Agent, BitRat.
- **Delivery Chain:** Often follows infections associated with SocGholish.
- **Technique:** Use of valid (though likely forged) code signatures for initial masquerading.