BLUELIGHT

Malware Profile Updated 3 months ago
BLUELIGHT, first observed in early 2021, was the final payload of a multistage attack reported by Volexity and Kaspersky: a watering-hole compromise of a South Korean online newspaper served an Internet Explorer exploit, the exploit's shellcode led first to Cobalt Strike and then to the BLUELIGHT backdoor, and another ScarCruft backdoor was seen in the same chain. The Volexity report assesses that BLUELIGHT is likely used as a secondary payload after successful delivery of Cobalt Strike, which was the initial payload in both exploitation cases it describes.

The family uses cloud providers for command and control (C2). Once it has authenticated to the cloud account, BLUELIGHT creates a new subdirectory in the OneDrive app folder and populates it with several subdirectories used by the C2 protocol. Because that traffic goes to legitimate Microsoft endpoints over TLS, it blends in with ordinary OneDrive use; detection has to key on which process is talking to the cloud API and on the token flow that precedes it, not on the destination alone.

ESET telemetry later revealed a second, more sophisticated backdoor, named Dolphin, deployed through BLUELIGHT on selected victims. BLUELIGHT performs basic reconnaissance and evaluation of the compromised machine after exploitation; Dolphin is more capable and is deployed manually only against victims the operators consider worth it.

BLUELIGHT was followed by other families abusing the same channel: Backdoor.Graphon was used by the Harvester group in a nation-state-backed espionage operation against organizations in southern Asia, and attackers have abused Microsoft Graph for C2 through several different Microsoft cloud services. Separately, North Korean actors targeted a trading company linked to Russia with a novel phishing chain that ended in the delivery of RokRAT (listed on this page as a possible BLUELIGHT alias). Together these cases show threat actors continuing to build custom malware like BLUELIGHT around C2 mechanisms that many security solutions are unlikely to detect.
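The process-aware detection point above, as an added example; this is not code from Volexity, Kaspersky, ESET or any vendor named on this page. It assumes (not stated on the page) that you have per-request HTTP telemetry that includes the originating process name, such as an EDR network event or a TLS-inspecting proxy export, and that the OneDrive app folder is addressed through the Microsoft Graph path /me/drive/special/approot. The log format, the process names, the allowlist of first-party clients and the log lines themselves are constructed for the example.

```python
"""Hunt for Graph/OneDrive C2 by pairing token requests with Graph calls
from processes that should not be talking to the cloud API.

Added example, not code from the page's sources. The pipe-delimited format
(ts | host | process | method | dest | path) is a constructed, hypothetical
telemetry export; adapt parse_line() to what your own sensors emit.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Processes expected to talk to Graph/OneDrive on a typical workstation.
# Constructed allowlist; tune per environment and pin by signed path, not name.
KNOWN_GRAPH_CLIENTS = {
    "onedrive.exe", "outlook.exe", "ms-teams.exe", "teams.exe",
    "winword.exe", "excel.exe", "powerpnt.exe", "msedge.exe", "chrome.exe",
}

# OAuth token endpoint on login.microsoftonline.com (v1 and v2 paths).
TOKEN_PATH = re.compile(
    r"^/(common|organizations|consumers|[0-9a-f-]{36})/oauth2(/v2\.0)?/token$", re.I)
# Graph path for an application's OneDrive app folder (assumption from Graph docs).
APPROOT = re.compile(r"/drive/special/approot", re.I)

R_TOKEN = "oauth token request from unexpected process"
R_GRAPH = "graph api call from unexpected process"
R_APPROOT = "write to onedrive app folder"


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    process: str
    method: str
    dest: str
    path: str


def parse_line(line: str) -> Event | None:
    """Parse one 'ts | host | process | method | dest | path' row; skip malformed rows."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 6 or not parts[0]:
        return None
    return Event(*parts)


def reasons_for(ev: Event) -> set[str]:
    """Weak signals for a single request; they only matter in combination."""
    out: set[str] = set()
    if ev.process.lower() in KNOWN_GRAPH_CLIENTS:
        return out
    dest = ev.dest.lower()
    if dest == "login.microsoftonline.com" and TOKEN_PATH.match(ev.path):
        out.add(R_TOKEN)
    if dest == "graph.microsoft.com":
        out.add(R_GRAPH)
        if APPROOT.search(ev.path) and ev.method.upper() in {"POST", "PUT", "PATCH"}:
            out.add(R_APPROOT)
    return out


def hunt(log_text: str) -> dict[tuple[str, str], set[str]]:
    """Aggregate signals per (host, process) and return only pairs worth triage.

    A non-allowlisted process that redeems a token and then calls Graph, or
    that writes into an app folder, matches the behaviour described above.
    """
    signals: dict[tuple[str, str], set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        signals[(ev.host, ev.process.lower())] |= reasons_for(ev)
    return {key: rs for key, rs in signals.items()
            if (R_TOKEN in rs and R_GRAPH in rs) or R_APPROOT in rs}


# Constructed sample telemetry, not real captures. "update_helper.exe" is a
# made-up process name standing in for an implant; WS-0107 is benign.
SAMPLE_LOG = """\
2021-04-01T09:12:03Z | WS-0042 | OneDrive.exe      | POST | login.microsoftonline.com | /common/oauth2/v2.0/token
2021-04-01T09:12:04Z | WS-0042 | OneDrive.exe      | GET  | graph.microsoft.com | /v1.0/me/drive/root/delta
2021-04-01T09:13:10Z | WS-0042 | update_helper.exe | POST | login.microsoftonline.com | /common/oauth2/v2.0/token
2021-04-01T09:13:11Z | WS-0042 | update_helper.exe | POST | graph.microsoft.com | /v1.0/me/drive/special/approot/children
2021-04-01T09:13:12Z | WS-0042 | update_helper.exe | GET  | graph.microsoft.com | /v1.0/me/drive/special/approot:/a1b2:/children
2021-04-01T09:20:00Z | WS-0107 | msedge.exe        | GET  | graph.microsoft.com | /v1.0/me
malformed line without enough fields
"""

if __name__ == "__main__":
    for (host, proc), rs in sorted(hunt(SAMPLE_LOG).items()):
        print(f"{host} {proc}: {', '.join(sorted(rs))}")
```

The allowlist is the weak spot of this heuristic: an implant injected into an allowlisted process, or a renamed binary, passes it, so in production the process identity should come from the signed image path reported by the sensor rather than the bare file name, and the token-then-Graph pairing should be bounded in time rather than aggregated over the whole export.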
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following overlapping names and profiles may also be relevant.
ROKRAT (votes: 2): RokRAT is a sophisticated malware that has been used by the cyber-espionage group ScarCruft, primarily to target South Korean media and research organizations. The malware is typically delivered via phishing emails with ZIP file attachments containing LNK files disguised as Word documents. However,

Dolphin (votes: 2): Dolphin is a backdoor reported by ESET in late 2022 (see the source listing below), deployed by ScarCruft through BLUELIGHT against selected South Korean targets.

backdoor.graphon (votes: 1): (no description)

DOGCALL (votes: 1): Dogcall, also known as ROKRAT, is a remote access Trojan (RAT) first reported by Talos in April 2017. It has consistently been attributed to the Advanced Persistent Threat group APT37, also known as Reaper. The malware uses third-party hosting services for data upload and command acceptanc
Miscellaneous Associations
Other elements of context that could help in assessing relevance
Payload
Exploit
Malware
exploitation
Reconnaissance
Windows
Exploits
Shellcode
Phishing
Volexity
Microsoft
Cobalt Strike
Backdoor
Downloader
Associated Malware
Bluelight Malware (type unspecified, votes: 1): BLUELIGHT is a backdoor identified by Volexity in an investigation where it was found being delivered to a victim together with another malware, RokRAT. The Bluelight malware infiltrates systems through suspicious

Amadey (type unspecified, votes: 1): Amadey is a malicious software (malware) that has been found to be used in conjunction with other malware such as Remcos, GuLoader, and Formbook. Analysis of the infection chains revealed that the individual behind the sales of Remcos and GuLoader also uses Amadey and Formbook, using GuLoader as a p
Associated Threat Actors
ScarCruft (type unspecified, votes: 2): ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean threat actor group associated with malicious cyber activities. Their actions have been linked to the execution of targeted attacks against individual Android devices, as outlined in a VB2023 paper titled "Int

APT37 (type unspecified, votes: 1): APT37, also known as ScarCruft, Reaper, or Group123, is a threat actor suspected to be linked to North Korea. It primarily targets South Korea but has also extended its activities to Japan, Vietnam, and the Middle East, focusing on various industry verticals such as chemicals, electronics, manufactu
Associated Vulnerabilities
No associations to display
Source Document References
Information about the BLUELIGHT malware was drawn from the documents below (display limited to 20 results).

DARKReading, 3 months ago: Microsoft Graph API Emerges as a Top Attacker Tool to Plot Data Theft
CERT-EU, 9 months ago: Lazarus Group Targeting Defense Experts with Fake Interviews via Trojanized VNC Apps
CERT-EU, 9 months ago: APT trends report Q3 2023
MITRE, a year ago: North Korean APT InkySquid Infects Victims Using Browser Exploits
MITRE, a year ago: North Korean BLUELIGHT Special: InkySquid Deploys RokRAT
ESET, a year ago: Who's swimming in South Korean waters? Meet ScarCruft's Dolphin | WeLiveSecurity
CERT-EU, a year ago: North Korea's ScarCruft Deploys RokRAT Malware via LNK File Infection Chains
CERT-EU, a year ago: North Korean hackers steal data via MP3 files (original title in Russian: Северокорейские хакеры похищают данные через MP3-файлы)