BLUELIGHT

The BLUELIGHT malware, first observed in early 2021, was used as the final payload in a multistage attack. This attack involved a watering-hole assault on a South Korean online newspaper, an Internet Explorer exploit, and another ScarCruft backdoor. The attack process included multiple components like shellcode leading to the BLUELIGHT backdoor, which was reported by cybersecurity firms Volexity and Kaspersky. The malware family uses different cloud providers to facilitate Command and Control (C2) operations. Once authenticated, BLUELIGHT creates a new subdirectory in the OneDrive app folder and populates it with several subdirectories used by the C2 protocol. In our analysis of the attack, we discovered through ESET telemetry a second, more sophisticated backdoor deployed on selected victims via BLUELIGHT, named Dolphin. While BLUELIGHT performs basic reconnaissance and evaluation of the compromised machine after exploitation, Dolphin is more sophisticated and manually deployed only against select victims. It is likely that BLUELIGHT is used as a secondary payload following successful delivery of Cobalt Strike, which was used as an initial payload in both exploitation cases highlighted in this report. Post-Bluelight, Backdoor.Graphon was used by the Harvester group in a nation-state-backed espionage operation against organizations in southern Asia. Hackers have been known to abuse Microsoft Graph for command-and-control via several different Microsoft cloud services. Furthermore, North Korean hackers targeted a trading company linked to Russia using a novel phishing attack chain that culminated in the delivery of RokRAT (aka BlueLight) malware. These instances underscore the ongoing attempts by threat actors to leverage innovative custom malware like BLUELIGHT, exploiting C2 mechanisms that are unlikely to be detected by many solutions.