Skip to content

S0657 BLUELIGHT

BLUELIGHT is a remote access Trojan used by APT37 that was first observed in early 2021.1

Item Value
ID S0657
Associated Names
Type MALWARE
Version 1.0
Created 01 October 2021
Last Modified 15 October 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols BLUELIGHT can use HTTP/S for C2 using the Microsoft Graph API.1
enterprise T1560 Archive Collected Data BLUELIGHT can zip files before exfiltration.1
enterprise T1560.003 Archive via Custom Method BLUELIGHT has encoded data into a binary blob using XOR.1
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers BLUELIGHT can collect passwords stored in web browers, including Internet Explorer, Edge, Chrome, and Naver Whale.1
enterprise T1041 Exfiltration Over C2 Channel BLUELIGHT has exfiltrated data over its C2 channel.1
enterprise T1083 File and Directory Discovery BLUELIGHT can enumerate files and collect associated metadata.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion BLUELIGHT can uninstall itself.1
enterprise T1105 Ingress Tool Transfer BLUELIGHT can download additional files onto the host.1
enterprise T1027 Obfuscated Files or Information BLUELIGHT has a XOR-encoded payload.1
enterprise T1057 Process Discovery BLUELIGHT can collect process filenames and SID authority level.1
enterprise T1113 Screen Capture BLUELIGHT has captured a screenshot of the display every 30 seconds for the first 5 minutes after initiating a C2 loop, and then once every five minutes thereafter.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery BLUELIGHT can collect a list of anti-virus products installed on a machine.1
enterprise T1539 Steal Web Session Cookie BLUELIGHT can harvest cookies from Internet Explorer, Edge, Chrome, and Naver Whale browsers.1
enterprise T1082 System Information Discovery BLUELIGHT has collected the computer name and OS version from victim machines.1
enterprise T1016 System Network Configuration Discovery BLUELIGHT can collect IP information from the victim’s machine.1
enterprise T1033 System Owner/User Discovery BLUELIGHT can collect the username on a compromised host.1
enterprise T1124 System Time Discovery BLUELIGHT can collect the local time on a compromised host.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks BLUELIGHT can check to see if the infected machine has VM tools running.1
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication BLUELIGHT can use different cloud providers for its C2.1

Groups That Use This Software

ID Name References
G0067 APT37 1

References

  1. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.