Cyber Security Threat Summary:
An updated version of a malware loader known as BLISTER is being used as part of SocGholish infection chains to distribute an open-source command-and-control (C2) framework called Mythic. ‘New BLISTER update includes keying feature that allows for precise targeting of victim networks and lowers exposure within VM/sandbox environments,’ Elastic Security Labs researchers Salim Bitam and Daniel Stepanic said in a technical report published late last month. BLISTER was first uncovered by the company in December 2021 acting as a conduit to distribute Cobalt Strike and BitRAT payloads on compromised systems. The use of the malware alongside SocGholish (aka FakeUpdates), a JavaScript-based downloader malware, to deliver Mythic was previously disclosed by Palo Alto Networks Unit 42 in July 2023. In these attacks, BLISTER is embedded within a legitimate VLC Media Player library in an attempt to get around security software and infiltrate victim environments” (The Hacker News, 2023).

Security Officer Comments:
The latest capability of BLISTER to exclusively execute on designated machines will enable threat actors to launch more targeted attacks and refrain from infecting unintended machines including those set up by malware researchers. One of the key differences between the previous strains and the latest variant is that the authors have adopted a different hashing algorithm in the core and in the loader part of the BLISTER. “While the previous version used simple logic to shift bytes, this new version includes a hard-coded seed with XOR and multiplication operations,” noted researchers. With the authors employing a different algorithm, this will enable the malware to evade detection from antivirus solutions.

Suggested Correction(s):
Elastic Security Labs has published Indicators of compromise and YARA rules which can help defenders identify BLISTER activity:
https://www.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader

Link(s):
https://thehackernews.com/2023/09/new-blister-malware-update-fuelling.html