Bluelight Malware

Malware Profile Updated 3 months ago
Bluelight is a Windows backdoor identified by Volexity during an investigation in which it was delivered to a victim alongside another malware family, RokRAT. In the intrusion analyzed by Volexity, Bluelight arrived as the final payload of a multistage chain that began with a watering-hole compromise of a South Korean online newspaper and an Internet Explorer exploit. Command and control (C2) is carried over legitimate cloud providers, which makes network-based detection significantly harder because the traffic blends in with ordinary use of those services.

Volexity tied the newly observed Bluelight family to Advanced Persistent Threat 37 (APT37) based on the use of RokRAT, a family already attributed to that group. Both Bluelight and RokRAT were deployed sequentially during the intrusion, indicating a coordinated attack strategy, and neither family was detected on the victim host, demonstrating their ability to evade detection.

The infection chain runs through multiple shellcode stages before executing the Windows executable payload without writing it to disk, deploying RokRAT or Bluelight directly into memory. Because nothing touches the file system, file-based scanning alone is unlikely to catch it; detection has to come from memory inspection, behavioural telemetry, or scrutiny of cloud-service traffic originating from unexpected processes. Organizations are advised to stay vigilant and maintain robust cybersecurity measures against such threats.
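The in-memory execution described above leaves a Windows executable mapped in process memory with no file backing it. The following script is an added example, not code from this page or from Volexity: a minimal memory scanner that walks captured process-memory regions, skips file-backed mappings (normally loaded modules), and reports PE headers found in private memory. The Region model, the base addresses, the sample PE bytes, and the plausibility limits (e_lfanew no larger than 0x400, at most 96 sections) are assumptions made for the example; a real scanner would read regions from a memory dump or a live process map, which is not implemented here.

```python
"""Scan process-memory regions for PE images that are not backed by a file on disk.

Added example (not from the page or from Volexity). All regions, backing paths
and PE bytes are constructed inline so the script runs offline.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
MACHINE_I386 = 0x014C
MACHINE_AMD64 = 0x8664


@dataclass
class Region:
    base: int               # virtual address of the region (assumed value)
    data: bytes             # bytes captured from the region
    backing: Optional[str]  # file mapped into this region, None if private/anonymous


@dataclass
class Finding:
    base: int
    offset: int
    machine: int
    sections: int
    pe32plus: bool


def parse_pe_header(buf: bytes, off: int) -> Optional[dict]:
    """Return header fields if buf[off:] looks like a PE image, else None."""
    if buf[off:off + 2] != IMAGE_DOS_SIGNATURE or off + 0x40 > len(buf):
        return None
    (e_lfanew,) = struct.unpack_from("<I", buf, off + 0x3C)
    nt = off + e_lfanew
    # Plausibility bounds (assumed heuristic): NT headers must sit shortly after
    # the DOS header and fit inside the captured region.
    if e_lfanew < 0x40 or e_lfanew > 0x400 or nt + 24 + 2 > len(buf):
        return None
    if buf[nt:nt + 4] != IMAGE_NT_SIGNATURE:
        return None
    machine, nsections = struct.unpack_from("<HH", buf, nt + 4)
    (magic,) = struct.unpack_from("<H", buf, nt + 24)  # optional header Magic
    if machine not in (MACHINE_I386, MACHINE_AMD64) or magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        return None
    if nsections == 0 or nsections > 96:  # 96 is the loader's section limit
        return None
    return {"machine": machine, "sections": nsections, "pe32plus": magic == PE32PLUS_MAGIC}


def find_unbacked_pe(regions: List[Region]) -> List[Finding]:
    """Report every valid PE header found in a region with no file backing."""
    findings = []
    for r in regions:
        if r.backing is not None:
            continue  # file-backed mapping: a normally loaded module, skip
        pos = r.data.find(IMAGE_DOS_SIGNATURE)
        while pos != -1:
            hdr = parse_pe_header(r.data, pos)
            if hdr:
                findings.append(Finding(r.base, pos, hdr["machine"], hdr["sections"], hdr["pe32plus"]))
            pos = r.data.find(IMAGE_DOS_SIGNATURE, pos + 1)
    return findings


def build_fake_pe(machine: int, nsections: int, magic: int) -> bytes:
    """Constructed minimal PE header: DOS header with e_lfanew=0x80, then NT headers."""
    dos = bytearray(0x80)
    dos[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x80)
    nt = bytearray(24 + 240)  # signature + COFF header + PE32+ optional header
    nt[0:4] = IMAGE_NT_SIGNATURE
    struct.pack_into("<HH", nt, 4, machine, nsections)
    struct.pack_into("<H", nt, 24, magic)
    return bytes(dos + nt)


# Constructed sample regions (not real captures)
SAMPLE_REGIONS = [
    # private region: shellcode-like padding followed by a PE32+ image, the
    # residue a staged in-memory loader leaves behind
    Region(0x1B0000, b"\x90" * 64 + build_fake_pe(MACHINE_AMD64, 5, PE32PLUS_MAGIC) + b"\x00" * 32, None),
    # file-backed image of a legitimately loaded module: must not be reported
    Region(0x7FF000000, build_fake_pe(MACHINE_AMD64, 6, PE32PLUS_MAGIC), r"C:\Windows\System32\kernel32.dll"),
    # private region that merely contains "MZ" in data, with no valid NT header
    Region(0x2C0000, b"MZ" + b"\xff" * 200, None),
]


if __name__ == "__main__":
    for f in find_unbacked_pe(SAMPLE_REGIONS):
        arch = "x64" if f.pe32plus else "x86"
        print(f"unbacked PE at {f.base + f.offset:#x} ({arch}, {f.sections} sections)")
```

Run against the constructed regions, only the first region is reported; the file-backed copy of the same header is skipped and the stray "MZ" fails the NT-header checks. In practice the same logic is applied to every private, executable region of a suspect process, and a hit is then triaged by dumping the image and checking whether any loaded module accounts for it.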
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
ROKRAT | 2 | RokRAT is a sophisticated malware that has been used by the cyber-espionage group ScarCruft, primarily to target South Korean media and research organizations. The malware is typically delivered via phishing emails with ZIP file attachments containing LNK files disguised as Word documents. However,
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Payload
Volexity
Windows
Associated Malware
ID | Type | Votes | Profile Description
BLUELIGHT | Unspecified | 1 | The BLUELIGHT malware, first observed in early 2021, was used as the final payload in a multistage attack. This attack involved a watering-hole assault on a South Korean online newspaper, an Internet Explorer exploit, and another ScarCruft backdoor. The attack process included multiple components li
DOGCALL | Unspecified | 1 | Dogcall, also known as ROKRAT, is a remote access Trojan (RAT) malware first reported by Talos in April 2017. It has consistently been attributed to the Advanced Persistent Threat (APT37) group, also known as Reaper. The malware uses third-party hosting services for data upload and command acceptanc
Associated Threat Actors
ID | Type | Votes | Profile Description
APT37 | Unspecified | 1 | APT37, also known as ScarCruft, Reaper, or Group123, is a threat actor suspected to be linked to North Korea. It primarily targets South Korea but has also extended its activities to Japan, Vietnam, and the Middle East, focusing on various industry verticals such as chemicals, electronics, manufactu
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Bluelight malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | North Korean BLUELIGHT Special: InkySquid Deploys RokRAT
MITRE | a year ago | North Korean APT InkySquid Infects Victims Using Browser Exploits
CERT-EU | 9 months ago | APT trends report Q3 2023