In the ever-evolving landscape of cyber threats, BLISTER, a malware loader initially identified by researchers, continues to evolve, posing an ongoing and growing security concern. Recently, researchers reported an updated SOCGHOLISH infection chain that distributes BLISTER, showcasing its persistence and adaptability. Key developments include precision targeting capabilities, evasion of process instrumentation hooks, and the integration of MYTHIC, an open-source Command and Control framework. BLISTER's unique method of embedding malicious code within legitimate applications has contributed to its low detection rates.
BLISTER's latest iterations reveal several notable technical changes. Malicious code continues to be concealed within legitimate libraries, with VLC Media Player being a recent host application. A change in hashing algorithms is employed to evade antimalware products reliant on YARA signatures. Configuration retrieval now occurs alongside core code decryption. An important addition is environmental keying, which restricts BLISTER to designated machines: the loader hashes the machine's domain name and proceeds only when the hash matches a value stored in its configuration. A time-based anti-debugging feature and the unhooking of process instrumentation further enhance BLISTER's evasion capabilities. The configuration structure has been updated with new fields, expanding functionality. Researchers have also improved their payload extractor to dissect BLISTER variants.
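The environmental keying described above is what makes generic sandbox detonation unreliable for keyed loaders: a sample detonated on a machine whose domain does not hash to the configured value never reaches its payload stage. The following added example (not code from the report or from the researchers' extractor) models that gate from the analyst's side and shows the offline step a responder can take instead: pull the domain hash from a config and test candidate domain names against it to learn which organisation was targeted. The hash function (32-bit FNV-1a), the config layout parsed by `parse_keyed_config`, and the `SAMPLE_CONFIG` blob are all constructed assumptions for illustration, not BLISTER's real algorithm, format, or values.

```python
"""Analyst-side helper for reasoning about environmental keying.

Added example, not code from the original report: it models a loader that
gates execution on a hash of the machine's domain name and shows how an
analyst can test candidate domains against a hash pulled from a config.
The hash function (FNV-1a, 32-bit), the config layout and the sample value
are constructed assumptions, not BLISTER's real algorithm or values.
"""
import struct

FNV_OFFSET_32 = 0x811C9DC5
FNV_PRIME_32 = 0x01000193


def fnv1a_32(data: bytes) -> int:
    """32-bit FNV-1a; stands in for whatever hash a keyed loader uses."""
    h = FNV_OFFSET_32
    for b in data:
        h ^= b
        h = (h * FNV_PRIME_32) & 0xFFFFFFFF
    return h


def domain_key(domain: str) -> int:
    """Normalise the domain before hashing (assumption: strip, lowercase,
    UTF-8) so that comparisons are case-insensitive."""
    return fnv1a_32(domain.strip().lower().encode("utf-8"))


def would_execute(config_domain_hash: int, machine_domain: str) -> bool:
    """The gate as seen from a sandbox: the payload only unpacks when the
    machine's domain hashes to the value stored in the config, so a generic
    sandbox domain such as WORKGROUP never reaches the payload stage."""
    return domain_key(machine_domain) == config_domain_hash


def recover_target_domain(config_domain_hash: int, candidates):
    """Offline analysis: test candidate domain names (from the victim
    organisation's inventory, DNS records or intel) against the hash to
    learn who was targeted. Returns the first match or None."""
    for cand in candidates:
        if domain_key(cand) == config_domain_hash:
            return cand
    return None


def parse_keyed_config(blob: bytes) -> dict:
    """Parse a constructed config layout: 4-byte LE domain hash, 4-byte LE
    flags, then a NUL-terminated C2 host. This layout is an assumption for
    the example, not BLISTER's format."""
    if len(blob) < 9:
        raise ValueError("config too short")
    domain_hash, flags = struct.unpack_from("<II", blob, 0)
    c2 = blob[8:].split(b"\x00", 1)[0].decode("ascii")
    return {"domain_hash": domain_hash, "flags": flags, "c2": c2}


# Constructed sample: a config keyed to "corp.example" with a placeholder C2.
SAMPLE_CONFIG = (
    struct.pack("<II", domain_key("corp.example"), 0x1)
    + b"c2.placeholder.invalid\x00"
)

if __name__ == "__main__":
    cfg = parse_keyed_config(SAMPLE_CONFIG)
    print("sandbox WORKGROUP executes:", would_execute(cfg["domain_hash"], "WORKGROUP"))
    print("recovered target:", recover_target_domain(
        cfg["domain_hash"], ["contoso.example", "corp.example"]))
```

Because the stored value is a hash rather than the domain itself, the config does not reveal the target directly; `recover_target_domain` only succeeds when the real domain is among the candidates, which is why a responder's candidate list should come from the affected organisation's own naming inventory. The same structure also explains the sandbox blind spot: `would_execute` returns False for any domain other than the keyed one, so detonation on a default-domain analysis VM yields no payload and no behavioural indicators.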
BLISTER remains a concerning component of the global cybercriminal ecosystem, particularly for financially motivated attacks seeking to infiltrate victim environments while evading detection. Its ongoing development and adaptability demand vigilance from the cybersecurity community. Detection methods should be continually assessed, and security measures should be updated to counter BLISTER's evolving tactics.
The following reports contain further technical details: