Update loader win 10 sleep
4/10/2024

Key takeaways:

- BLISTER is a loader that continues to stay under the radar, actively being used to load a variety of malware including clipbankers, information stealers, trojans, ransomware, and shellcode.
- In-depth analysis shows heavy reliance on Windows Native APIs, several injection capabilities, multiple techniques to evade detection, and counter static/dynamic analysis.
- Elastic Security is providing a configuration extractor that can be used to identify key elements of the malware and dump the embedded payload for further analysis.
- 40 days after the initial reporting on the BLISTER loader by Elastic Security, we observed a change in the binary to include additional architectures. This shows that this is an actively developed tool and the authors are watching defensive countermeasures.

For information on the BLISTER malware loader and campaign observations, check out our blog post and configuration extractor detailing this:

The Elastic Security team has continually been monitoring the BLISTER loader since our initial release at the end of last year. This family continues to remain largely unnoticed, with low detection rates on new samples.

A distinguishing characteristic of BLISTER's author is their method of tampering with legitimate DLLs to bypass static analysis. During the past year, Elastic Security has observed the following legitimate DLLs patched by BLISTER malware:

- Chromium Embedded Framework (CEF) Dynamic Link Library
- LGPLed libintl for Windows NT/2000/XP/Vista/7 and Windows 95/98/ME

Due to the way malicious code is embedded in an otherwise benign application, BLISTER may be challenging for technologies that rely on some forms of machine learning. Combined with code-signing defense evasion, BLISTER appears designed with security technologies in mind.

Our research shows that BLISTER is actively developed and has been linked in public reporting to LockBit ransomware and the SocGholish framework; in addition, Elastic has also observed BLISTER in relation to the following families: Amadey, BitRAT, Clipbanker, Cobalt Strike, Remcos, and Raccoon, along with others.

In this post, we will explain how BLISTER continues to operate clandestinely, highlight the loader's core capabilities (injection options, obfuscation, and anti-analysis tricks), and provide a configuration extractor that can be used to dump BLISTER's embedded payloads.

Consider the following sample representative of BLISTER for purposes of this analysis. This sample was also used to develop the initial BLISTER family YARA signature and the configuration extraction script, and to evaluate tools against unknown x32 and x64 BLISTER samples.

The execution flow consists of the following phases:

Retrieving configuration and packed payload

During the first stage of the execution flow, BLISTER is embedded in a legitimate version of the colorui.dll library.

Rundll32 execution arguments

The threat actor, with a previously achieved foothold, uses the Windows built-in rundll32.exe utility to load BLISTER by calling the export function LaunchColorCpl:

Rundll32.exe "BLISTER.dll,LaunchColorCpl"

The image below demonstrates how BLISTER's DLL is modified, noting that the export start is patched with a function call (line 17) to the malware entrypoint. If we compare one of these malicious loaders to the original DLL they masquerade as, we can see where the patch was made: the function no longer exists.

BLISTER's second stage is ciphered in its resource section (.rsrc). The deciphering routine begins with a loop-based sleep to evade detection. BLISTER then enumerates and hashes each export of ntdll, comparing export names against loaded module names, searching specifically for the NtProtectVirtualMemory API. Finally, it looks for a memory region of 100,832 bytes by searching for a specific memory pattern, beginning its search at the return address and leading us in the.
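The rundll32 invocation and the colorui.dll masquerade described above give a defender two telemetry signals to check: where the DLL was loaded from, and whether the LaunchColorCpl export is being called on a module that is not colorui.dll. The triage logic below is an added example (not code from Elastic or from the original post) that runs those checks over constructed process-creation events; TRUSTED_DIRS is an assumed allow-list and the sample command lines are constructed.

```python
import re
from pathlib import PureWindowsPath

# Directories rundll32 normally loads vendor DLLs from (assumption: tune to your estate).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
# The export BLISTER is invoked through and the legitimate module that owns it.
BLISTER_EXPORT, HOST_DLL = "launchcolorcpl", "colorui.dll"

# [path\]rundll32[.exe] <dll>,<export> [args]; the DLL may be quoted alone or
# together with the export. Only the comma form of rundll32 is handled.
_RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?\s*,\s*"?(?P<export>[^"\s]+)',
    re.IGNORECASE)

def parse_rundll32(cmdline):
    """Return (dll, export) for a rundll32 command line, else None."""
    m = _RUNDLL_RE.match(cmdline)
    return (m.group("dll"), m.group("export")) if m else None

def assess_event(event):
    """Return the reasons an event matches the loading pattern above; [] means no match."""
    parsed = parse_rundll32(event.get("command_line", ""))
    if parsed is None:
        return []
    dll, export = parsed
    low, reasons = dll.lower(), []
    if "\\" not in low and "/" not in low:
        # Bare name: resolved through the DLL search order, so the file may
        # come from the working directory rather than System32.
        reasons.append("dll given without a path: " + dll)
    elif not low.startswith(TRUSTED_DIRS):
        reasons.append("dll outside trusted directories: " + dll)
    if export.lower() == BLISTER_EXPORT and PureWindowsPath(low).name != HOST_DLL:
        # The export belongs to colorui.dll; calling it on another module name
        # is the masquerade seen in the sample. Signature status is deliberately
        # not an allow signal, since the loader has shipped code-signed.
        reasons.append(f"{export} invoked on module {PureWindowsPath(dll).name}")
    return reasons

# Constructed sample telemetry (not from the report).
SAMPLE_EVENTS = [
    {"command_line": 'Rundll32.exe "BLISTER.dll,LaunchColorCpl"'},
    {"command_line": r'C:\Windows\System32\rundll32.exe "C:\Users\bob\AppData\Local\Temp\colorui.dll",LaunchColorCpl'},
    {"command_line": r"rundll32.exe C:\Windows\System32\colorui.dll,LaunchColorCpl"},
    {"command_line": r"notepad.exe C:\Users\bob\notes.txt"},
]

def flagged(events):
    """Return [(command_line, reasons)] for every event that produced a reason."""
    return [(e["command_line"], r) for e in events if (r := assess_event(e))]
```

Running flagged(SAMPLE_EVENTS) reports the first two events (bare BLISTER.dll with the colorui export, and a colorui.dll copy under a user temp directory) and passes the System32 load and the non-rundll32 process.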