New BLISTER Malware Update Fuels Stealth Network Infiltration
An updated version of a malware loader known as BLISTER is used as part of SocGholish infection chains to distribute an open source command and control (C2) framework called Mythical.
“The new BLISTER update includes seizure functionality that enables precise targeting of victim networks and reduces exposure in VM/sandbox environments,” Salim Bitam and Daniel Stepanic, researchers at Elastic Security Labs. said in a technical report published late last month.
BLISTER was first discovered by the company in December 2021, acting as a conduit to distribute Cobalt Strike and BitRAT payloads to compromised systems.
Using the malware alongside SocGholish (aka FakeUpdates), a JavaScript-based downloader malware, to spread Mythic was previously disclosed by Palo Alto Networks Unit 42 in July 2023.
In these attacks, BLISTER is integrated into a legitimate VLC Media Player library to attempt to bypass security software and infiltrate victims’ environments.
Identity is the New Endpoint: Mastering SaaS Security in the Modern Age
Dive into the future of SaaS security with Maor Bin, CEO of Adaptive Shield. Find out why identity is the new endpoint. Reserve your place now.
SocGholish and BLISTER have been used in tandem across multiple campaigns, with the latter used as a second-stage loader to distribute Cobalt Strike and LockBit ransomware, as evidenced by Red Canary And Micro Trend early 2022.
Further analysis of the malware shows that it is actively maintained, with malware authors incorporating a multitude of techniques to go unnoticed and complicate analysis.
“BLISTER is a loader that continues to go unnoticed, being actively used to load a variety of malware, including clipbankers, information stealers, Trojans, ransomware and shellcode,” Elastic said. note in April 2023.
