BLUELIGHT

Malware updated 23 days ago (2024-11-29T14:28:21.044Z)
Download STIX
Preview STIX
The BLUELIGHT malware, first observed in early 2021, was used as the final payload in a multistage attack. This attack involved a watering-hole assault on a South Korean online newspaper, an Internet Explorer exploit, and another ScarCruft backdoor. The attack process included multiple components like shellcode leading to the BLUELIGHT backdoor, which was reported by cybersecurity firms Volexity and Kaspersky. The malware family uses different cloud providers to facilitate Command and Control (C2) operations. Once authenticated, BLUELIGHT creates a new subdirectory in the OneDrive app folder and populates it with several subdirectories used by the C2 protocol. In our analysis of the attack, we discovered through ESET telemetry a second, more sophisticated backdoor deployed on selected victims via BLUELIGHT, named Dolphin. While BLUELIGHT performs basic reconnaissance and evaluation of the compromised machine after exploitation, Dolphin is more sophisticated and manually deployed only against select victims. It is likely that BLUELIGHT is used as a secondary payload following successful delivery of Cobalt Strike, which was used as an initial payload in both exploitation cases highlighted in this report. Post-Bluelight, Backdoor.Graphon was used by the Harvester group in a nation-state-backed espionage operation against organizations in southern Asia. Hackers have been known to abuse Microsoft Graph for command-and-control via several different Microsoft cloud services. Furthermore, North Korean hackers targeted a trading company linked to Russia using a novel phishing attack chain that culminated in the delivery of RokRAT (aka BlueLight) malware. These instances underscore the ongoing attempts by threat actors to leverage innovative custom malware like BLUELIGHT, exploiting C2 mechanisms that are unlikely to be detected by many solutions.
Description last updated: 2024-05-02T13:15:47.099Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Dolphin is a possible alias for BLUELIGHT. Dolphin is a malicious software (malware) that was reportedly used by an unidentified group against South Korea in December 2022. The malware, named after the codenames of Xerox PARC's range of workstations which all began with the letter D, including Dolphin, Dorado, Dicentra, and others, infiltrat
2
ROKRAT is a possible alias for BLUELIGHT. RokRAT is a form of malware that has been utilized in cyber-espionage campaigns primarily targeting South Korean entities. It is typically delivered via phishing emails containing ZIP file attachments, which contain LNK files disguised as Word documents. When the LNK file is activated, a PowerShell
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Payload
exploitation
Reconnaissance
Exploit
Malware
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The ScarCruft Threat Actor is associated with BLUELIGHT. ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean state-sponsored threat actor known for targeting high-value individuals and organizations to further North Korea's geopolitical objectives. This group has shown its agility in adopting new malware delivery meUnspecified
2