Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 2)
Blister is a code-signed malware loader that drops a malicious DLL on the victim's system and executes it via rundll32.exe. The result is the deployment of a RAT/C2 beacon that gives the attacker unauthorized access to the target system over the internet. Blister malware campaigns have been active since 15 September 2021.
Part 1 of CloudSEK's analysis provides a detailed understanding of how the loader functions. Part 2 delves into this campaign's second stage, the .dll payload, and its internal workings.
As discussed in Part 1, the Blister dropper drops the malicious .dll file inside a newly created folder in the user's Temp directory. This malicious .dll then carries out the second stage of the campaign, in which a RAT/agent is deployed on the system to gain unauthorized access and steal data.
The loader invokes LaunchColorCpl, one of the functions exported by the .dll, via rundll32.exe.
LaunchColorCpl retrieves the staging code from the resource section of the PE file. This staging code is protected by a simple XOR encoding scheme.
The staging code also calls kernel32.759F9010 (the address of the Sleep function in the analysed sample) with the argument 927C0h. This value translates to 600000 in decimal; since the Sleep API takes its argument in milliseconds, the stage pauses for 10 minutes, a delay long enough to outlast most automated sandbox runs.
In general, process hollowing allows an attacker to replace the contents of a legitimate process with malicious code before that process starts executing: the genuine code is carved out of the target process and the malicious code is written in its place.
The suspended Rundll32.exe process is resumed via NtResumeThread, after which it starts executing the malicious code hollowed into it by the malware. Subsequently, the malware calls NtTerminateProcess.
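As an added example (not code from the original analysis or from the Blister sample), the following Python shows how an analyst can recover a stage protected by the kind of simple XOR scheme described above and then scan the decoded x86 code for a suspiciously long Sleep argument such as 927C0h. It assumes a single-byte key (the page does not state Blister's actual key length) and that 0x00 is the most frequent byte of the plaintext, which holds for typical shellcode and zero-padded resources; the encoded blob is constructed inline for the demonstration and contains no real Blister bytes.

```python
"""Recover a single-byte-XOR-encoded stage and flag long Sleep() arguments.

Added example. Assumptions: single-byte XOR key, plaintext dominated by 0x00 bytes.
"""
from collections import Counter
import struct

MINUTE_MS = 60_000
DAY_MS = 24 * 60 * MINUTE_MS


def recover_single_byte_xor_key(blob: bytes) -> int:
    """Guess the key by assuming the most frequent ciphertext byte is 0x00 XOR key.
    (Assumption for this example: code stages contain many zero bytes.)"""
    most_common_byte, _ = Counter(blob).most_common(1)[0]
    return most_common_byte ^ 0x00


def xor_decode(blob: bytes, key: int) -> bytes:
    """Apply the single-byte XOR to every byte of the blob."""
    return bytes(b ^ key for b in blob)


def find_long_sleep_candidates(code: bytes, threshold_ms: int = MINUTE_MS):
    """Scan x86 code for `push imm32` (opcode 0x68) whose immediate looks like a
    millisecond count between threshold_ms and one day. Returns [(offset, ms), ...].
    Heuristic only: it does not prove the pushed value reaches Sleep()."""
    hits = []
    for i in range(len(code) - 4):
        if code[i] == 0x68:
            imm = struct.unpack_from("<I", code, i + 1)[0]
            if threshold_ms <= imm <= DAY_MS:
                hits.append((i, imm))
    return hits


def analyze_stage(encoded: bytes) -> dict:
    """Recover the key, decode the stage and report long-sleep candidates."""
    key = recover_single_byte_xor_key(encoded)
    decoded = xor_decode(encoded, key)
    return {
        "key": key,
        "decoded": decoded,
        "sleep_candidates": find_long_sleep_candidates(decoded),
    }


# --- Constructed sample (not real Blister bytes) ------------------------------
# Fake stage: zero padding, a prologue, `push 927C0h` followed by `call [imm32]`,
# then more padding. Encoded with key 0x5A.
_PLAINTEXT = (
    b"\x00" * 32
    + b"\x55\x8b\xec"                              # push ebp; mov ebp, esp
    + b"\x68" + struct.pack("<I", 0x927C0)         # push 600000 (ms)
    + b"\xff\x15" + struct.pack("<I", 0x401000)    # call dword ptr [0x401000]
    + b"\x00" * 32
)
SAMPLE_KEY = 0x5A
SAMPLE_ENCODED = xor_decode(_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    result = analyze_stage(SAMPLE_ENCODED)
    print(f"recovered key: 0x{result['key']:02x}")
    for off, ms in result["sleep_candidates"]:
        print(f"offset 0x{off:x}: push 0x{ms:x} = {ms} ms = {ms / MINUTE_MS:g} min")
```

On a real sample, feed the raw resource bytes to analyze_stage and confirm the decode by looking for a sane prologue or strings at the start; if the key guess is wrong, the zero-byte assumption does not hold and a known-plaintext or multi-byte approach is needed.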
For persistence, the malware uses the C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup directory. explorer.exe executes every file placed in the Startup folder, so when the user signs in after the boot process, the malware runs as a child process of explorer.exe.
The Startup entry runs C:\ProgramData\proamingsGames\proamingsGames.dll,LaunchColorCpl. Here, the malware copies Rundll32.exe as proamingsGames.exe, and the malicious .dll (initially dropped in the Temp folder) as proamingsGames.dll, into the C:\ProgramData\proamingsGames directory. The second stage is therefore loaded through a renamed instance of Rundll32.exe, so detection rules that only match on the process name rundll32.exe will miss it.
Given that threat actors are actively using valid code-signing certificates to evade antivirus detection on Windows systems, network and endpoint security products must be kept updated with the malware's latest Indicators of Compromise (IoCs). The latest IoCs for the Blister malware are enumerated in Part 1 of the technical analysis. A valid signature alone is not evidence that a binary is benign; detections should also key on the behaviour described above, such as rundll32.exe being copied outside System32 and launched from a Startup entry with a dll,export argument.
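The persistence chain above (a renamed copy of rundll32.exe in C:\ProgramData, launched from the Startup folder with a dll,export argument) is easier to hunt on than any single hash. As an added example, not code from the original analysis or from CloudSEK, the following Python parses a Startup entry's command line and applies those behavioural checks. The two command lines are constructed for the demonstration: one mirrors the proamingsGames entry described above, the other is a benign Control Panel launch. The command-line splitting is a simplified version of rundll32's own rules, and the script does not verify that the executable really is a rundll32.exe copy; on a live host, compare its hash or version information against C:\Windows\System32\rundll32.exe.

```python
"""Behavioural checks for rundll32-style Startup entries (added example)."""
import ntpath

# Constructed command lines, not captured from a host: the first mirrors the
# Blister persistence entry described in the analysis, the second is benign.
SAMPLE_ENTRIES = [
    r"C:\ProgramData\proamingsGames\proamingsGames.exe C:\ProgramData\proamingsGames\proamingsGames.dll,LaunchColorCpl",
    r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
]

SUSPECT_EXPORTS = {"launchcolorcpl"}          # export name used by this campaign
USER_WRITABLE_HINTS = ("\\programdata\\", "\\temp\\", "\\appdata\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def split_command_line(cmdline: str):
    """Return (exe, dll, export) from a rundll32-style command line.

    Simplified parsing (assumption for this example): the executable is the first
    token, quoted or not; the DLL is everything up to the first comma; the export
    is the whitespace-delimited token after that comma.
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.index('"', 1)
        exe, rest = cmdline[1:end], cmdline[end + 1:]
    else:
        exe, _, rest = cmdline.partition(" ")
    rest = rest.strip()
    if "," not in rest:
        return exe, rest.strip('"'), ""
    dll, _, after = rest.partition(",")
    export = after.strip().split(" ", 1)[0]
    return exe, dll.strip().strip('"'), export


def hunt_startup_entry(cmdline: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    exe, dll, export = split_command_line(cmdline)
    exe_l, dll_l = exe.lower(), dll.lower()
    findings = []
    if export and ntpath.basename(exe_l) != "rundll32.exe":
        findings.append("rundll32-style 'dll,export' argument passed to a binary not named rundll32.exe")
    if not exe_l.startswith(SYSTEM_DIRS):
        findings.append("executable lives outside System32/SysWOW64")
    if any(hint in dll_l for hint in USER_WRITABLE_HINTS):
        findings.append("DLL loaded from a user-writable location")
    if export.lower() in SUSPECT_EXPORTS:
        findings.append(f"export '{export}' matches the Blister second-stage entry point")
    return findings


if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(entry)
        for finding in hunt_startup_entry(entry) or ["no findings"]:
            print("  -", finding)
```

The same checks apply to process-creation telemetry (for example the CommandLine field of Sysmon Event ID 1 or Windows Security Event 4688), which is where the renamed rundll32 copy will show up as a child of explorer.exe at sign-in.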