100 Days of YARA – Day 55: BlisterLoader

BlisterLoader: https://pinboard.in/u:droberson/t:blister/

This malware is signed by Blist LLC:

daniel@wildcat ~ % osslsigncode verify /home/daniel/Downloads/blisterloader/294c710f4074b37ade714c83b6b7bf722a46aef61c02ba6543de5d59edc97b60
Current PE checksum   : 0044EF4E
Calculated PE checksum: 0044EF4E

Message digest algorithm  : SHA1
Current message digest    : 2D7D930EC9A5CB1BB78F75CCB5E5F0825456A794
Calculated message digest : 2D7D930EC9A5CB1BB78F75CCB5E5F0825456A794

Signature verification: ok

Number of signers: 1
	Signer #0:
		Subject: /C=RU/ST=Tatarstan, Respublika/O=Blist LLC/CN=Blist LLC
		Issuer : /C=GB/O=Sectigo Limited/CN=Sectigo Public Code Signing CA R36
		Serial : 2F4A25D52B16EB4C9DFE71EBBD8121BB

I found this blog post by Nextron Systems showing how to use YARA’s pe module to find these certificates: https://www.nextron-systems.com/2018/11/01/short-tutorial-how-to-create-a-yara-rule-for-a-compromised-certificate/

import "pe"

rule blisterloader_authenticode
{
	meta:
		description = "BlisterLoader samples are signed as 'Blist LLC'"
		reference = "https://www.bitdefender.com/blog/hotforsecurity/stealthy-blister-malware-strain-detected-on-windows-systems/"

	condition:
		// MZ header, then any Authenticode signer whose subject names Blist LLC
		uint16(0) == 0x5a4d and
		for any i in (0 .. pe.number_of_signatures - 1) : (
			pe.signatures[i].subject contains "Blist LLC"
		)
}

Several of the samples I was able to obtain shared the same PE header timestamp (the COFF TimeDateStamp that YARA exposes as pe.timestamp). I created this rule to find additional samples matching these timestamps:

import "pe"

rule blisterloader_timestamp
{
	meta:
		description = "Common PE timestamps for BlisterLoader samples"

	condition:
		// seconds since the Unix epoch, as stored in the COFF header
		pe.timestamp == 1247533602 or
		pe.timestamp == 1544912681 or
		pe.timestamp == 1623514439 or
		pe.timestamp == 1290254872
}
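For anyone who wants to check these two indicators outside YARA (for example in a triage pipeline that only has a Python interpreter), here is an added, stdlib-only script that reads the same two things the rules above look at: the COFF TimeDateStamp and the Authenticode certificate table. It is my own example, not code from the post, and it is deliberately cruder than YARA's pe module: the signer check is a byte search for "Blist LLC" inside the WIN_CERTIFICATE blobs rather than a real PKCS#7/X.509 parse, so it is a triage hint, not a signature verification. The build_sample() helper constructs a minimal fake PE32 image (not a runnable executable) so the script can be exercised without a sample on disk.

```python
"""Stdlib-only triage of the two BlisterLoader indicators used in the post:
the shared PE header timestamps and a 'Blist LLC' Authenticode signer.
Added example, not the post's YARA rules. The signer check is a byte search
over the certificate table, not the DER parse that YARA's pe.signatures does."""
import struct
from datetime import datetime, timezone

# Timestamps taken from the blisterloader_timestamp rule in the post.
BLISTER_TIMESTAMPS = {1247533602, 1544912681, 1623514439, 1290254872}
SIGNER_SUBSTRING = b"Blist LLC"
IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # index of the certificate table entry
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def parse_pe(data: bytes) -> dict:
    """Return the COFF TimeDateStamp and the (file offset, size) of the certificate table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    timestamp = struct.unpack_from("<I", data, coff + 4)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # The DataDirectory array starts 96 bytes into a PE32 optional header, 112 for PE32+.
    dd_base = opt + (96 if magic == 0x10B else 112)
    # Unlike the other directories, the security entry holds a raw file offset, not an RVA.
    sec_off, sec_size = struct.unpack_from("<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {"timestamp": timestamp, "security": (sec_off, sec_size)}


def timestamp_utc(ts: int) -> str:
    """Render a COFF timestamp as a UTC date string for the analyst."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def signer_string_present(data: bytes, security: tuple, needle: bytes) -> bool:
    """Walk the WIN_CERTIFICATE entries and look for the signer name bytes (coarse check)."""
    off, size = security
    if size == 0 or off + size > len(data):
        return False
    table = data[off:off + size]
    pos = 0
    while pos + 8 <= len(table):
        # WIN_CERTIFICATE: dwLength(4) wRevision(2) wCertificateType(2) bCertificate[...]
        length, _revision, ctype = struct.unpack_from("<IHH", table, pos)
        if length < 8:
            break
        blob = table[pos + 8:pos + length]
        if ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA and needle in blob:
            return True
        pos += (length + 7) & ~7          # entries are 8-byte aligned
    return False


def triage(data: bytes) -> dict:
    """Apply both indicators to one PE image and return the findings."""
    hdr = parse_pe(data)
    ts = hdr["timestamp"]
    return {
        "timestamp": ts,
        "timestamp_utc": timestamp_utc(ts),
        "timestamp_hit": ts in BLISTER_TIMESTAMPS,
        "signer_hit": signer_string_present(data, hdr["security"], SIGNER_SUBSTRING),
    }


def build_sample(timestamp: int, cert_subject: bytes = b"") -> bytes:
    """Construct a minimal fake PE32 image (headers only, not executable) for testing.
    An empty cert_subject produces an unsigned image."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 96 + 16 * 8                    # PE32 fields + 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    image = dos + b"PE\0\0" + coff + opt
    if cert_subject:
        # Constructed stand-in for a PKCS#7 blob: not valid DER, just the subject bytes.
        blob = b"\x30\x82" + cert_subject
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        cert += b"\0" * ((-len(cert)) % 8)
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, len(image), len(cert))
        image = dos + b"PE\0\0" + coff + opt + cert
    return bytes(image)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(1247533602, b"Blist LLC")
    print(triage(data))
```

Run it with a file path to triage a real sample, or with no arguments to see the constructed signed sample light up both indicators. A real Authenticode blob carries the subject as a DER-encoded string inside the PKCS#7 structure, so the ASCII bytes are present and the substring search does fire on genuine files, but it will also fire on any blob that merely contains the text; use it to decide what to feed to YARA or osslsigncode, not as a verdict.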
