
SocGholish Infection Chain has a New Ally, Blister (Malware Loader)



An updated version of the BLISTER malware loader is being used in SocGholish infection chains to deliver Mythic, an open-source command-and-control framework.

According to a technical report that Elastic Security Labs researchers published in late August 2023, the new BLISTER build adds a keying feature that restricts the loader to its intended targets: it enables precise targeting of victim networks and reduces the chance that the payload is ever exposed in virtual machine (VM) and sandbox environments.

Elastic Security Labs first documented BLISTER in December 2021, when it was being used to deliver Cobalt Strike and BitRAT payloads to compromised systems.

Do we know the technique?

Palo Alto Networks Unit 42 had already reported in July 2023 that BLISTER was being paired with SocGholish (also known as FakeUpdates), a JavaScript-based downloader, to deliver Mythic.

Technical analysis at a glance

In these attacks, BLISTER is embedded inside a legitimate VLC Media Player library, so the file presents as a known, trusted binary; the aim is to slip past security software and gain an initial foothold in victim environments.

Tracked over time, the loader is clearly under active maintenance: its authors keep adding techniques to evade detection and complicate analysis.
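A loader hidden inside an otherwise legitimate library usually carries its real payload as an encrypted or compressed blob, and such blobs score far higher on Shannon entropy than ordinary code or data. The following Python triage script is an added example, not code from the page, from Elastic, or from the BLISTER authors: it walks a PE file's section table and flags high-entropy sections. The PE image it analyses is constructed inline (a minimal two-section file, not a real VLC library), and the 7.0 bits/byte threshold is an assumption for the example rather than a figure the page gives.

```python
import math
import random
import struct
from collections import Counter

# Heuristic threshold (assumption for this example): plain code and data usually
# score well under 7 bits/byte, encrypted or compressed blobs sit close to 8.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and return
    one dict per section: name, raw offset, raw size, entropy of the raw bytes.
    Anything that is not a well-formed PE raises ValueError."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)       # NumberOfSections
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)  # SizeOfOptionalHeader
    table = coff + 20 + size_of_optional                               # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        entry = table + 40 * i
        if entry + 40 > len(image):
            raise ValueError("section table runs past end of file")
        name, _vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from("<8sIIIIIIHHI", image, entry)
        if raw_ptr + raw_size > len(image):
            raise ValueError("section raw data runs past end of file")
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_offset": raw_ptr,
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
        })
    return sections


def suspicious_sections(image: bytes, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Names of sections whose raw bytes look encrypted or compressed."""
    return [s["name"] for s in parse_sections(image) if s["entropy"] > threshold]


def build_sample_image() -> bytes:
    """Constructed minimal PE (not a real VLC library): a low-entropy .text section
    and a high-entropy .rsrc blob standing in for an embedded, encrypted payload."""
    text = bytes(range(16)) * 256                           # 4096 bytes, entropy exactly 4.0
    rng = random.Random(1)                                  # seeded so the result is reproducible
    rsrc = bytes(rng.randrange(256) for _ in range(4096))   # roughly 7.95 bits/byte
    e_lfanew, size_of_optional, num_sections = 0x40, 0xF0, 2
    headers_end = e_lfanew + 4 + 20 + size_of_optional + 40 * num_sections
    text_off = (headers_end + 0x1FF) & ~0x1FF               # file-align raw data to 512 bytes
    rsrc_off = text_off + len(text)

    def section(name, va, data, off):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # relocation/line-number pointers and counts (unused here), Characteristics
        return struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), off,
                           0, 0, 0, 0, 0x40000040)

    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, num_sections, 0, 0, 0, size_of_optional, 0x2022)
    image = bytearray(dos + b"PE\0\0" + coff + b"\0" * size_of_optional)
    image += section(b".text", 0x1000, text, text_off)
    image += section(b".rsrc", 0x2000, rsrc, rsrc_off)
    image += b"\0" * (text_off - len(image))
    image += text + rsrc
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample_image()
    for s in parse_sections(sample):
        print(f"{s['name']:<8} off=0x{s['raw_offset']:05x} size={s['raw_size']:5d} entropy={s['entropy']:.2f}")
    print("suspicious:", suspicious_sections(sample))
```

Treat a hit as a reason to pull the file for analysis, not as a verdict: legitimate resource sections also contain compressed images, fonts and certificates that score high. The stronger check is to compare the library's hash and code signature against the vendor's own release of that VLC version; a trusted name on a file that does not match the vendor's build is exactly what this concealment technique relies on.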

Is the combination deadly?

SocGholish and BLISTER have been used together in several campaigns, with BLISTER acting as the second-stage loader for Cobalt Strike and LockBit ransomware, as Red Canary and Trend Micro reported in early 2022.

Figure: Trend Micro Vision One showing the deployment of JavaScript and Cobalt Strike.

Elastic noted in April 2023 that BLISTER remains good at staying under the radar and is actively used to load a range of payloads, including clipboard-hijacking bankers ("clip-bankers"), information stealers, trojans, ransomware, and raw shellcode.

The parts of BLISTER that keep improving include:

  • different process-injection methods,
  • multiple defense-evasion techniques built on anti-debug and anti-analysis checks, and
  • heavy reliance on Windows Native APIs (the Nt*/Zw* layer in ntdll), which avoids the user-mode hooks many security products place on the higher-level Win32 APIs.

Are you ready to counter new malware techniques?

Continuous monitoring and quick identification are what surface a loader like this early in the chain. Early containment and countermeasures are vital to prevent the more destructive follow-on stages that compromise systems, exfiltrate data, or deploy ransomware.

New malware techniques will keep appearing as attackers try to break into more systems. Companies can defend against such threats with layered detection and response.

What do we need? 

An XDR (extended detection and response) platform that automatically correlates telemetry across security layers, including email, endpoints, servers, cloud workloads, and networks, blocking attacks with automated safeguards while making sure no significant incident goes unnoticed.

What do you do for your secure access to the internet? Let us know in the comments section.

Author: Anas Hasan

Date: September 6, 2023

Anas Hassan is a tech geek and cybersecurity enthusiast. He has vast experience in the digital transformation industry. When Anas isn't blogging, he watches football games.
