BLISTER Configuration Extractor

By

Elastic Security Labs

English

Python script to extract the configuration and payload from BLISTER samples.

Download blister-config-extractor.tar.gz

Getting Started

This tool provides a Python module and command line tool that will extract configurations from the BLISTER malware loader and dump the results to screen.

The BLISTER Malware Loader

For information on the BLISTER malware loader and campaign observations, check out our blog posts detailing this:

Docker

We can easily run the extractor with Docker, first we need to build the image:

docker build . -t blister-config-extractor

Then we run the container with the -v flag to map a host directory to the docker container directory:

docker run -ti --rm -v \
"$(pwd)/binaries":/binaries blister-config-extractor:latest -d /binaries/

We can either specify a single sample with -f option or a directory of samples with -d.

BLISTER configuration extrator output

Running it Locally

As mentioned above, Docker is the recommended approach to running this project, however you can also run this locally. This project uses Poetry to manage dependencies, testing, and metadata. If you have Poetry installed already, from this directory, you can simply run the following commands to run the tool. This will setup a virtual environment, install the dependencies, activate the virtual environment, and run the console script.

poetry lock
poetry install
poetry shell
blister-config-extractor -h

Once that works, you can do the same sort of things as mentioned in the Docker instructions above.

References

  • Elastic Security Labs Newsletter

    Sign up

Related content

See all top stories

Videos

Click, Click… Boom! Automating Protections Testing with Detonate

To automate this process and test our protections at scale, we built Detonate, a system that is used by security research engineers to measure the efficacy of our Elastic Security solution in an automated fashion.

By
Jessica David
Hez Carty
...
Videos

REF2924: how to maintain persistence as an (advanced?) threat

Elastic Security Labs describes new persistence techniques used by the group behind SIESTAGRAPH, NAPLISTENER, and SOMNIRECORD.

By
Remco Sprooten
Videos

Not sleeping anymore: SOMNIRECORD's wake-up call

Elastic Security Labs researchers identified a new malware family written in C++ that we refer to as SOMNIRECORD. This malware functions as a backdoor and communicates with command and control (C2) while masquerading as DNS.

By
Salim Bitam