Bypassing virtual machines: Updating the BLISTER bootloader makes it a hacker's Dream

Carding

BLISTER is now almost unkillable and more accurate.

According to a report from Elastic Security Labs, an updated version of the BLISTER malware downloader is being used as part of the SocGholish infection chains to distribute an open source command and control (C2) infrastructure called Mythic. According to Elastic Security Labs, the BLISTER update includes a key feature that allows the operators to accurately target victims' networks and makes the malware less visible in virtual machine and sandbox environments.

A new hashing algorithm has been implemented in BLISTER. Previously, simple bit-shifting methods were used, but now XOR and multiplication operations have been added. According to Elastic experts, such changes will help attackers bypass security mechanisms that rely on YARA signatures. Moreover, the downloader is hidden inside a legitimate application, VLC Media Player, to avoid detection.

Another interesting feature is the selective activation of malicious code only on certain machines, which is possible thanks to special notes in the code configuration. The domain name is extracted via the Windows API. A more thorough analysis of the malware shows that it is actively supported, and the authors of BLISTER use many methods that allow them to remain undetected and complicate the analysis.

BLISTER was first discovered by Elastic Security Labs in December 2021, serving as a channel for distributing the Cobalt Strike and BitRAT payloads on compromised systems. Both SocGholish and BLISTER were used simultaneously in several campaigns, with BLISTER being used as a second-stage downloader for distributing the Cobalt Strike and LockBit ransomware programs.

BLISTER is a downloader that continues to remain out of sight and is actively used to download various malicious programs, including ClipBanker, infostealers, Trojans, and ransomware.