ATT&CKcon 5.0 returns October 22-23, 2024 in McLean, VA. Register for in-person participation here. Stay tuned for virtual registration!

BLUELIGHT

BLUELIGHT is a remote access Trojan used by APT37 that was first observed in early 2021.^[1]

ID: S0657

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 01 October 2021

Last Modified: 11 April 2024

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	BLUELIGHT can use HTTP/S for C2 using the Microsoft Graph API.^[1]
Enterprise	T1560		Archive Collected Data	BLUELIGHT can zip files before exfiltration.^[1]
		.003	Archive via Custom Method	BLUELIGHT has encoded data into a binary blob using XOR.^[1]
Enterprise	T1555	.003	Credentials from Password Stores: Credentials from Web Browsers	BLUELIGHT can collect passwords stored in web browers, including Internet Explorer, Edge, Chrome, and Naver Whale.^[1]
Enterprise	T1041		Exfiltration Over C2 Channel	BLUELIGHT has exfiltrated data over its C2 channel.^[1]
Enterprise	T1083		File and Directory Discovery	BLUELIGHT can enumerate files and collect associated metadata.^[1]
Enterprise	T1070	.004	Indicator Removal: File Deletion	BLUELIGHT can uninstall itself.^[1]
Enterprise	T1105		Ingress Tool Transfer	BLUELIGHT can download additional files onto the host.^[1]
Enterprise	T1027	.013	Obfuscated Files or Information: Encrypted/Encoded File	BLUELIGHT has a XOR-encoded payload.^[1]
Enterprise	T1057		Process Discovery	BLUELIGHT can collect process filenames and SID authority level.^[1]
Enterprise	T1113		Screen Capture	BLUELIGHT has captured a screenshot of the display every 30 seconds for the first 5 minutes after initiating a C2 loop, and then once every five minutes thereafter.^[1]
Enterprise	T1518	.001	Software Discovery: Security Software Discovery	BLUELIGHT can collect a list of anti-virus products installed on a machine.^[1]
Enterprise	T1539		Steal Web Session Cookie	BLUELIGHT can harvest cookies from Internet Explorer, Edge, Chrome, and Naver Whale browsers.^[1]
Enterprise	T1082		System Information Discovery	BLUELIGHT has collected the computer name and OS version from victim machines.^[1]
Enterprise	T1016		System Network Configuration Discovery	BLUELIGHT can collect IP information from the victim’s machine.^[1]
Enterprise	T1033		System Owner/User Discovery	BLUELIGHT can collect the username on a compromised host.^[1]
Enterprise	T1124		System Time Discovery	BLUELIGHT can collect the local time on a compromised host.^[1]
Enterprise	T1497	.001	Virtualization/Sandbox Evasion: System Checks	BLUELIGHT can check to see if the infected machine has VM tools running.^[1]
Enterprise	T1102	.002	Web Service: Bidirectional Communication	BLUELIGHT can use different cloud providers for its C2.^[1]

Groups That Use This Software

ID	Name	References
G0067	APT37	^[1]

References

Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.