“In the ongoing SocGholish infection chains, a revised BLISTER malware loader is now deployed to distribute Mythic, an open-source command-and-control (C2) framework.
“Elastic Security Labs researchers Salim Bitam and Daniel Stepanic noted in a recent technical report that the latest BLISTER update introduces a keying feature, enabling precise targeting of victim networks and reducing exposure within VM/sandbox environments.
“The company initially discovered BLISTER in December 2021, utilizing it as a conduit for distributing Cobalt Strike and BitRAT payloads on compromised systems.”
“The integration of BLISTER malware with SocGholish (also known as FakeUpdates) for the distribution of Mythic was first reported by Palo Alto Networks Unit 42 in July 2023.
“In these attacks, BLISTER is concealed within a genuine VLC Media Player library, a tactic employed to circumvent security software and infiltrate victim environments.”
“SocGholish and BLISTER have frequently appeared in tandem within multiple campaigns. The latter serves as a second-stage loader responsible for distributing Cobalt Strike and LockBit ransomware, as reported by Red Canary and Trend Micro in early 2022.
“A deeper examination of the malware reveals ongoing maintenance efforts by its authors. They consistently implement a range of techniques to evade detection and complicate analysis.
“Elastic, in its April 2023 report, emphasized that BLISTER remains an active loader, proficiently used to deploy various types of malware, including clipbankers, information stealers, trojans, ransomware, and shellcode, while maintaining a low profile.”