BlisterLoader: https://pinboard.in/u:droberson/t:blister/
This malware is signed by Blist LLC:
daniel@wildcat ~ % osslsigncode verify /home/daniel/Downloads/blisterloader/294c710f4074b37ade714c83b6b7bf722a46aef61c02ba6543de5d59edc97b60
Current PE checksum : 0044EF4E
Calculated PE checksum: 0044EF4E
Message digest algorithm : SHA1
Current message digest : 2D7D930EC9A5CB1BB78F75CCB5E5F0825456A794
Calculated message digest : 2D7D930EC9A5CB1BB78F75CCB5E5F0825456A794
Signature verification: ok
Number of signers: 1
Signer #0:
Subject: /C=RU/ST=Tatarstan, Respublika/O=Blist LLC/CN=Blist LLC
Issuer : /C=GB/O=Sectigo Limited/CN=Sectigo Public Code Signing CA R36
Serial : 2F4A25D52B16EB4C9DFE71EBBD8121BB
...snip...
I found this blog post by Nextron Systems showing how to use YARA’s pe module to find these certificates: https://www.nextron-systems.com/2018/11/01/short-tutorial-how-to-create-a-yara-rule-for-a-compromised-certificate/
import "pe"

rule blisterloader_authenticode
{
    meta:
        description = "BlisterLoader samples are signed as 'Blist LLC'"
        reference = "https://www.bitdefender.com/blog/hotforsecurity/stealthy-blister-malware-strain-detected-on-windows-systems/"
    condition:
        // MZ header, then walk every Authenticode signer (YARA ranges are inclusive)
        uint16(0) == 0x5a4d and
        for any i in (0 .. pe.number_of_signatures - 1) : (
            pe.signatures[i].subject contains "Blist LLC"
        )
}
Several of the samples I was able to obtain shared PE file timestamps. I created this rule to find additional samples matching these timestamps:
import "pe"

rule blisterloader_timestamp
{
    meta:
        description = "Common PE timestamps for BlisterLoader samples"
    condition:
        // COFF header TimeDateStamp values shared by the collected samples
        pe.timestamp == 1247533602 or
        pe.timestamp == 1544912681 or
        pe.timestamp == 1623514439 or
        pe.timestamp == 1290254872
}
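To show what `pe.timestamp` actually reads, here is an added example (not from the original post or from YARA) that parses the COFF header TimeDateStamp straight from the bytes and checks it against the four values in the rule above; the `build_stub_pe` helper and its stub header are constructed for the demo. Keep in mind that a PE timestamp is a plain field the builder writes, so it is easy to copy from a legitimate binary or set to anything, which makes this a triage pivot to confirm with the certificate rule rather than a conviction on its own.

```python
import struct
from datetime import datetime, timezone

# Timestamps taken from the blisterloader_timestamp rule on this page.
BLISTER_TIMESTAMPS = {1247533602, 1544912681, 1623514439, 1290254872}


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image (what YARA exposes as
    pe.timestamp). Raises ValueError if the input is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":            # uint16(0) == 0x5a4d
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature: Machine, NumberOfSections,
    # TimeDateStamp (seconds since the Unix epoch, little-endian).
    _machine, _nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return timestamp


def matches_blister_timestamps(data: bytes) -> bool:
    """True when the file carries one of the timestamps from the rule."""
    try:
        return pe_timestamp(data) in BLISTER_TIMESTAMPS
    except ValueError:
        return False


def timestamp_utc(ts: int) -> str:
    """Human-readable UTC form of a PE timestamp for triage notes."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def build_stub_pe(timestamp: int) -> bytes:
    """Constructed minimal header (DOS header + PE signature + COFF header)
    for testing the parser; this is not a real or runnable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header right after DOS header
    # Machine=x64, 1 section, TimeDateStamp, no symbols, no optional header, flags
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    sample = build_stub_pe(1544912681)
    ts = pe_timestamp(sample)
    print(ts, timestamp_utc(ts), matches_blister_timestamps(sample))
```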