BLX stealer, also known as XLABB Stealer, is malware designed to steal sensitive information such as credentials, payment data, and cryptocurrency wallets from infected endpoints. It uses evasion techniques, process injection, and file encryption to bypass traditional security tools, making it a serious threat to individuals and organizations.

BLX Stealer is actively promoted on platforms like Telegram and Discord and comes in both free and premium versions. 

This blog post demonstrates how to detect and respond to BLX stealer on an infected Windows endpoint with Wazuh.

Behavioral analysis of BLX stealer

Upon infecting an endpoint, BLX stealer exhibits the following behaviors:

  • The malware creates a PowerShell script temp.ps1 in the working directory.
  • It starts a command prompt and runs a command that executes the previously created PowerShell script:
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "<CURRENT_WORKING_DIRECTORY>\temp.ps1""
  • Triggers Csc.exe and Cvtres.exe which are both legitimate Microsoft utilities that BLX abuses to compile and manipulate executable files.
  • It executes the decrypted_executable file, which is dropped in the %TEMP% folder and in the user's %Startup% folder to ensure persistence.
  • It attempts to discover the victim’s IP and Geolocation details by querying api.ipify.org and geolocation-db.com.

Analyzed malware sample

Hash algorithm   Value
MD5              55bd26a6b610fc1748d0ea905a13f4f0
SHA256           8c4daf5e4ced10c3b7fd7c17c7c75a158f08867aeb6bccab6da116affa424a89

Infrastructure

We use the following infrastructure to demonstrate the detection of BLX Stealer with Wazuh:

  • A pre-built ready-to-use Wazuh OVA 4.9.2. Follow this guide to download the virtual machine.
  • A Windows 11 victim endpoint with Wazuh agent 4.9.2 installed and enrolled to the Wazuh server. Refer to the installation guide for installing the Wazuh agent. 

Detection with Wazuh

We use the following techniques to detect BLX Stealer on the infected Windows endpoint:

Creating detection rules

We use Sysmon to monitor critical system events on Windows endpoints, such as process creation, file modifications, registry changes, network connections, and script executions. These events are correlated with custom rules on the Wazuh server to detect malicious behaviors specific to BLX Stealer activities.

Windows endpoint

Perform the following steps to configure the Wazuh agent to capture and send Sysmon logs to the Wazuh server for analysis.

1. Download Sysmon from the Microsoft Sysinternals page.

2. Using PowerShell with administrator privileges, create a Sysmon folder in the endpoint's C:\ folder:

> New-Item -ItemType Directory -Path C:\Sysmon

3. Extract the compressed Sysmon file to the folder created above C:\Sysmon:

> Expand-Archive -Path "<PATH>\Sysmon.zip" -DestinationPath "C:\Sysmon"

Replace <PATH> with the path where Sysmon.zip was downloaded.

4. Download the Sysmon configuration file sysmonconfig.xml to C:\Sysmon using the PowerShell command below:

> wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile C:\Sysmon\sysmonconfig.xml

5. Switch to the directory with the Sysmon executable and run the command below to install and start Sysmon using PowerShell with administrator privileges:

> cd C:\Sysmon 
> .\Sysmon64.exe -accepteula -i sysmonconfig.xml

6. Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file:

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

7. Restart the Wazuh agent to apply the configuration changes by running the following PowerShell command as an administrator:

> Restart-Service -Name wazuh

Wazuh server

Perform the following steps to configure detection rules on the Wazuh server.

1. Create a new file /var/ossec/etc/rules/blx_stealer.xml:

# touch /var/ossec/etc/rules/blx_stealer.xml

2. Edit the file /var/ossec/etc/rules/blx_stealer.xml and include the following detection rules for BLX stealer:

<group name="windows,sysmon,blx_detection_rule,">
<!-- Blx drops powershell script -->
  <rule id="100300" level="10">
    <if_sid>92200</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\.+(exe|dll|bat|msi)</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)\\\\temp.ps1</field>
    <description>Possible BLX stealer activity detected: A rogue powershell script was dropped to system.</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>

<!-- Blx starts a command prompt to execute previously dropped script -->
  <rule id="100310" level="10">
    <if_sid>92052</if_sid>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)\\\\.+(exe|dll|bat|msi)</field>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\Windows\\\\System32\\\\cmd.exe</field>
    <field name="win.eventdata.commandLine" type="pcre2">powershell.exe -ExecutionPolicy Bypass -File</field>
    <description>Possible BLX stealer activity detected: Rogue powershell script execution.</description>
    <mitre>
      <id>T1059.003</id>
    </mitre>
  </rule>

<!-- Blx dropped an executable to temp folder -->
  <rule id="100320" level="10">
    <if_sid>92213</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\.+(exe|dll|bat|msi)</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)\\\\Users\\\\[^\\\\]+\\\\AppData\\\\Local\\\\Temp\\\\decrypted_executable.exe</field>
    <description>Possible BLX stealer activity detected: Rogue executable was dropped to system.</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>

<!-- Rogue executable copies itself to users' startup folder for persistence -->
  <rule id="100330" level="10">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\Users\\\\[^\\\\]+\\\\AppData\\\\Local\\\\Temp\\\\decrypted_executable.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)\\\\Users\\\\[^\\\\]+\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\decrypted_executable.exe</field>
    <description>Possible BLX stealer persistence activity detected: Rogue executable was copied to users' startup folder to establish persistence.</description>
    <mitre>
      <id>T1547.001</id>
    </mitre>
  </rule>
</group>

Where:

  • Rule 100300 is triggered when BLX drops a rogue PowerShell script, temp.ps1 to the infected system.
  • Rule 100310 is triggered when BLX executes the temp.ps1 PowerShell script.
  • Rule 100320 is triggered when BLX drops an executable, decrypted_executable.exe, in the Temp folder.
  • Rule 100330 is triggered when BLX copies the rogue executable to the user %Startup% folder for persistence.
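As an added example (not code from the original post), the rule chain above simulated in Python: a rule fires only when the parent Sysmon rule id from its if_sid matches and every field regex matches. The patterns are the page's own, with each \\\\ path-separator sequence written as \\ in a Python raw string; the events are constructed to mirror the four behaviors described, plus one benign file creation.

```python
import re

# Python equivalents of the pcre2 field patterns in rules 100300-100330.
# Each \\\\ in the XML rules stands for one path separator; in a Python raw
# string that is written \\ . Parent sids are the page's <if_sid> values.
RULES = [
    (100300, 92200, {
        "image": r"(?i)\\.+(exe|dll|bat|msi)",
        "targetFilename": r"(?i)\\temp.ps1"}),
    (100310, 92052, {
        "parentImage": r"(?i)\\.+(exe|dll|bat|msi)",
        "image": r"(?i)\\Windows\\System32\\cmd.exe",
        "commandLine": r"powershell.exe -ExecutionPolicy Bypass -File"}),
    (100320, 92213, {
        "image": r"(?i)\\.+(exe|dll|bat|msi)",
        "targetFilename": r"(?i)\\Users\\[^\\]+\\AppData\\Local\\Temp\\decrypted_executable.exe"}),
    (100330, 61613, {
        "image": r"(?i)\\Users\\[^\\]+\\AppData\\Local\\Temp\\decrypted_executable.exe",
        "targetFilename": r"(?i)\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Windows"
                          r"\\Start Menu\\Programs\\Startup\\decrypted_executable.exe"}),
]

# Constructed events: the four behaviours from the page in order, plus one benign
# file creation that must fire nothing. "sid" is the parent rule that decoded it.
SAMPLE_EVENTS = [
    {"sid": 92200, "image": r"C:\Users\victim\Downloads\blx.exe",
     "targetFilename": r"C:\Users\victim\Downloads\temp.ps1"},
    {"sid": 92052, "parentImage": r"C:\Users\victim\Downloads\blx.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "commandLine": r'C:\Windows\system32\cmd.exe /d /s /c "powershell.exe '
                    r'-ExecutionPolicy Bypass -File "C:\Users\victim\Downloads\temp.ps1""'},
    {"sid": 92213, "image": r"C:\Users\victim\Downloads\blx.exe",
     "targetFilename": r"C:\Users\victim\AppData\Local\Temp\decrypted_executable.exe"},
    {"sid": 61613, "image": r"C:\Users\victim\AppData\Local\Temp\decrypted_executable.exe",
     "targetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\decrypted_executable.exe"},
    {"sid": 92200, "image": r"C:\Windows\explorer.exe",
     "targetFilename": r"C:\Users\victim\Documents\notes.txt"},
]


def matching_rules(event):
    """Return the ids of the page's rules that fire on one decoded event."""
    hits = []
    for rule_id, parent_sid, fields in RULES:
        if event.get("sid") != parent_sid:
            continue  # <if_sid> not satisfied, so the rule is never evaluated
        if all(re.search(pat, event.get(name, "")) for name, pat in fields.items()):
            hits.append(rule_id)
    return hits


def run_sample():
    """Rule ids fired per sample event: [[100300], [100310], [100320], [100330], []]."""
    return [matching_rules(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, run_sample()):
        print(event["sid"], hits)
```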

3. Restart the Wazuh manager service to apply the changes.

# systemctl restart wazuh-manager

Visualizing alerts on the Wazuh dashboard

The screenshot below shows the alerts generated on the Wazuh dashboard when we execute the BLX sample on the victim endpoint. Perform the following steps to view the alerts on the Wazuh dashboard.

1. Navigate to Threat intelligence > Threat Hunting.

2. Click + Add filter. Then, filter for rule.id in the Field field.

3. Filter for is one of in the Operator field.

4. Filter for 100300, 100310, 100320, and 100330 in the Values field.

5. Click Save.

BLX stealer dashboard

YARA integration

YARA is an open source and multi-platform tool that identifies and classifies malware samples based on their textual or binary patterns. In this blog post, we use the Wazuh Active Response capability to automatically execute a YARA scan on files added or modified in the Downloads folder.

Windows endpoint

To download and install YARA, we require the following packages installed on the victim endpoint:

Note: Make sure to select the following checkboxes on the installer dialog box during Python installation: 

  • Use admin privileges when installing py.exe.
  • Add Python.exe to PATH.

After installing the above packages, perform the steps below to download the YARA executable:

1. Launch PowerShell with administrative privilege and download YARA:

> Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.5.2/yara-v4.5.2-2326-win64.zip -OutFile v4.5.2-2326-win64.zip

2. Extract the YARA executable:

> Expand-Archive v4.5.2-2326-win64.zip

3. Create a folder called C:\Program Files (x86)\ossec-agent\active-response\bin\yara\ and copy the YARA binary into it:

> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'

> cp .\v4.5.2-2326-win64\yara64.exe 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'

Perform the steps below to download YARA rules:

4. Using the same PowerShell terminal launched earlier, install valhallaAPI using the pip utility. This allows you to query thousands of handcrafted YARA and Sigma rules in different formats, filter them, and write them to disk.

> pip install valhallaAPI

5. Create the file download_yara_rules.py and copy the following script into it:

from valhallaAPI.valhalla import ValhallaAPI

# Query the Valhalla rule feed with the API key shown and fetch the rules as plain text
v = ValhallaAPI(api_key="1111111111111111111111111111111111111111111111111111111111111111")
response = v.get_rules_text()

# Write the rule set to yara_rules.yar in the current directory (UTF-8 so that
# non-ASCII characters in rule metadata do not fail on Windows' default code page)
with open('yara_rules.yar', 'w', encoding='utf-8') as fh:
    fh.write(response)

6. Download YARA rules and copy them to the C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\ folder:

> python download_yara_rules.py 

> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'

> cp yara_rules.yar 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'

7. Edit the file C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar and add the following YARA rule to detect BLX stealer:

rule BLX_Stealer_rule {

    meta:
        description = "Detects BLX Stealer malware"
        author = "Wazuh"
        date = "2024-11-01"
        reference = "https://www.cyfirma.com/research/blx-stealer/"

    strings:
        $str0 = { 20 20 20 20 70 6f 6c 69 63 79 2e 6d 61 6e 69 66 65 73 74 2e 61 73 73 65 72 74 49 6e 74 65 67 72 69 74 79 28 6d 6f 64 75 6c 65 55 52 4c 2c 20 63 6f 6e 74 65 6e 74 29 3b }
        $str1 = { 20 20 41 72 72 61 79 50 72 6f 74 6f 74 79 70 65 53 68 69 66 74 2c }
        $str2 = { 20 20 69 66 20 28 21 73 74 61 74 65 2e 6b 65 65 70 41 6c 69 76 65 54 69 6d 65 6f 75 74 53 65 74 29 }
        $str3 = { 20 20 72 65 74 75 72 6e 20 72 65 71 75 69 72 65 28 27 74 6c 73 27 29 2e 44 45 46 41 55 4c 54 5f 43 49 50 48 45 52 53 3b }
        $str4 = { 21 47 7e 79 5f 3b }
        $str5 = { 3f 52 65 64 75 63 65 53 74 61 72 74 40 42 72 61 6e 63 68 45 6c 69 6d 69 6e 61 74 69 6f 6e 40 63 6f 6d 70 69 6c 65 72 40 69 6e 74 65 72 6e 61 6c 40 76 38 40 40 41 45 41 41 3f 41 56 52 65 64 75 63 74 69 6f 6e 40 32 33 34 40 50 45 41 56 4e 6f 64 65 40 32 33 34 40 40 5a }
        $str6 = { 40 55 56 57 48 }
        $str7 = { 41 49 5f 41 44 44 52 43 4f 4e 46 49 47 }
        $str8 = { 44 24 70 48 }
        $str9 = { 45 56 50 5f 4d 44 5f 43 54 58 5f 73 65 74 5f 75 70 64 61 74 65 5f 66 6e }
        $str10 = { 46 61 69 6c 65 64 20 74 6f 20 64 65 73 65 72 69 61 6c 69 7a 65 20 64 6f 6e 65 5f 73 74 72 69 6e 67 }
        $str11 = { 49 63 4f 70 }
        $str12 = { 54 24 48 48 }
        $str13 = { 5c 24 30 48 }
        $str14 = { 5c 24 58 48 }
        $str15 = { 64 24 40 48 }
        $str16 = { 67 65 74 73 6f 63 6b 6f 70 74 }
        $str17 = { 73 74 72 65 73 73 20 74 68 65 20 47 43 20 63 6f 6d 70 61 63 74 6f 72 20 74 6f 20 66 6c 75 73 68 20 6f 75 74 20 62 75 67 73 20 28 69 6d 70 6c 69 65 73 20 2d 2d 66 6f 72 63 65 5f 6d 61 72 6b 69 6e 67 5f 64 65 71 75 65 5f 6f 76 65 72 66 6c 6f 77 73 29 }
        $str18 = { 74 24 38 48 }
        $str19 = { 74 24 60 48 }

        $blx_stealer_network = "https://api.ipify.org" ascii wide nocase
        $blx_stealer_network1 = "https://geolocation-db.com" ascii wide nocase
        $blx_stealer_network2 = "https://discord.com/api/webhooks" ascii wide nocase

        $blx_stealer_hash1 = "8c4daf5e4ced10c3b7fd7c17c7c75a158f08867aeb6bccab6da116affa424a89"
        $blx_stealer_hash2 = "e74dac040ec85d4812b479647e11c3382ca22d6512541e8b42cf8f9fbc7b4af6"
        $blx_stealer_hash3 = "32abb4c0a362618d783c2e6ee2efb4ffe59a2a1000dadc1a6c6da95146c52881"
        $blx_stealer_hash4 = "5b46be0364d317ccd66df41bea068962d3aae032ec0c8547613ae2301efa75d6"

    condition:
        (all of ($str*) or any of ($blx_stealer_network*) or any of ($blx_stealer_hash*))

}

8. Edit the Wazuh agent file C:\Program Files (x86)\ossec-agent\ossec.conf and add the below configuration within the <syscheck> block to monitor the Downloads folders of all users in real-time:

<directories realtime="yes">C:\Users\*\Downloads</directories>

Note: In this blog post, we monitor the Downloads folders of all users. However, you can configure other folders you intend to monitor.

9. Create a batch file yara.bat in the C:\Program Files (x86)\ossec-agent\active-response\bin\ folder. The Wazuh active response module uses this file to perform YARA scans for malware detection and removal:

:: This script is meant to delete BLX Stealer and other malicious files matched by the YARA rules
@echo off
setlocal enableDelayedExpansion

:: Determine OS architecture
reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BIT
if %OS%==32BIT (
    SET log_file_path="%programfiles%\ossec-agent\active-response\active-responses.log"
)
if %OS%==64BIT (
    SET log_file_path="%programfiles(x86)%\ossec-agent\active-response\active-responses.log"
)

:: Read input from OSSEC agent
set input=
for /f "delims=" %%a in ('PowerShell -command "$logInput = Read-Host; Write-Output $logInput"') do (
    set input=%%a
)

:: File paths for operations
set json_file_path="C:\Program Files (x86)\ossec-agent\active-response\stdin.txt"
set yara_exe_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe"
set yara_rules_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar"
set syscheck_file_path=
echo %input% > %json_file_path%
FOR /F "tokens=* USEBACKQ" %%F IN (`Powershell -Nop -C "(Get-Content 'C:\Program Files (x86)\ossec-agent\active-response\stdin.txt'|ConvertFrom-Json).parameters.alert.syscheck.path"`) DO (
SET syscheck_file_path=%%F
)

echo %syscheck_file_path% >> %log_file_path%


:: Perform YARA scan on the detected file
for /f "delims=" %%a in ('powershell -command "& \"%yara_exe_path%\" \"%yara_rules_path%\" \"%syscheck_file_path%\""') do (
    echo wazuh-yara: INFO - Scan result: %%a >> %log_file_path%

    rem Delete the matched file, then log whether the deletion succeeded so that
    rem rules 100120 and 100130 on the Wazuh server can tell the two outcomes apart.
    rem (rem is used instead of :: because :: is unreliable inside a parenthesized block.)
    del /f "%syscheck_file_path%"
    if exist "%syscheck_file_path%" (
        echo wazuh-yara: INFO - Error removing threat: %%a >> %log_file_path%
    ) else (
        echo wazuh-yara: INFO - Successfully deleted: %%a >> %log_file_path%
    )
)

exit /b

10. Restart the Wazuh agent to apply the changes:

> Restart-Service -Name wazuh

Wazuh server

Perform the following steps to configure custom decoders, rules, and the Active Response module on the Wazuh server.

1. Edit the file /var/ossec/etc/decoders/local_decoder.xml and include the following decoders:

<!-- The decoders parse logs from the YARA scans -->
<decoder name="yara_decoder">
    <prematch>wazuh-yara:</prematch>
</decoder>
<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

2. Edit the file /var/ossec/etc/rules/local_rules.xml on the Wazuh server and include the following rules:

<!-- File modified in the Downloads folder -->
<group name="syscheck,">
  <rule id="100010" level="7">
    <if_sid>550</if_sid>
    <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
    <description>File modified in the Downloads folder.</description>
  </rule>

<!-- File added to the Downloads folder -->
  <rule id="100011" level="7">
    <if_sid>554</if_sid>
    <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
    <description>File added to the Downloads folder.</description>
  </rule>
</group>

<!--  Rule for the decoder (yara_decoder) -->
<group name="yara,">
  <rule id="100100" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>Yara grouping rule</description>
  </rule>

<!--  YARA scan detects a positive match -->
  <rule id="100110" level="7">
    <if_sid>100100</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Scan result: </match>
    <description>Yara scan result: File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule)</description>
  </rule>

<!--  Wazuh active response removed the file that matched -->
  <rule id="100120" level="7">
    <if_sid>100100</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Successfully deleted: </match>
    <description>Active Response: Successfully removed "$(yara_scanned_file)". YARA rule: $(yara_rule)</description>
  </rule>

<!--  Wazuh encounters an error when deleting malware with a positive match -->
  <rule id="100130" level="12">
    <if_sid>100100</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Error removing threat: </match>
    <description>Active Response: Error removing "$(yara_scanned_file)". YARA rule: $(yara_rule)</description>
  </rule>
</group>

Where:

  • Rule ID 100010 is triggered when a file is modified in the Downloads directory.
  • Rule ID 100011 is triggered when a file is added to the Downloads directory.
  • Rule ID 100100 is the base rule for detecting YARA events.
  • Rule ID 100110 is triggered when YARA scans and detects a malicious file.
  • Rule ID 100120 is triggered when the detected file has been successfully removed by the Wazuh active response module.
  • Rule ID 100130 is triggered when the detected file is not removed successfully by Wazuh active response.
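To check the server-side parsing end to end, here is an added Python example (not code from the original post) that applies the three decoder regexes from local_decoder.xml to constructed log lines in the format yara.bat appends to active-responses.log, reports which of rules 100110, 100120 and 100130 each line reaches, and shows the edge case where a profile name containing a space truncates yara_scanned_file. The hardened pattern is an assumption of mine, not page content.

```python
import re

# Decoder regexes exactly as written in local_decoder.xml, each paired with the
# local_rules.xml rule id whose <match> prefix corresponds to that log line.
PAGE_DECODERS = [
    (100110, r"wazuh-yara: (\S+) - Scan result: (\S+) (\S+)"),
    (100120, r"wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+)"),
    (100130, r"wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+)"),
]
# Hardened variant (an assumption, not from the page): yara64.exe prints
# "<rule> <path>" per match, so capture the rule name up to the first space and
# the rest of the line as the path; this keeps paths that contain spaces intact.
HARDENED_DECODERS = [(rid, rx.replace(r"(\S+) (\S+)", r"(\S+) (.+?)\s*$"))
                     for rid, rx in PAGE_DECODERS]

FIELDS = ("log_type", "yara_rule", "yara_scanned_file")  # the decoders' <order>


def decode(line, decoders=PAGE_DECODERS):
    """Return (rule_id, fields) for the first decoder that matches, else None."""
    for rule_id, rx in decoders:
        m = re.match(rx, line)
        if m:
            return rule_id, dict(zip(FIELDS, m.groups()))
    return None


def decode_all(lines, decoders=PAGE_DECODERS):
    return [decode(line, decoders) for line in lines]


# Constructed lines in the format yara.bat appends to active-responses.log
# (note the trailing space that "echo ... %%a >> file" leaves on each line).
SAMPLE_LOG = [
    r"wazuh-yara: INFO - Scan result: BLX_Stealer_rule C:\Users\victim\Downloads\blx.exe ",
    r"wazuh-yara: INFO - Successfully deleted: BLX_Stealer_rule C:\Users\victim\Downloads\blx.exe ",
    r"wazuh-yara: INFO - Error removing threat: BLX_Stealer_rule C:\Users\victim\Downloads\blx.exe ",
    # A profile name with a space: the page's (\S+) captures only "C:\Users\John".
    r"wazuh-yara: INFO - Scan result: BLX_Stealer_rule C:\Users\John Doe\Downloads\blx.exe ",
]

if __name__ == "__main__":
    for page, hard in zip(decode_all(SAMPLE_LOG), decode_all(SAMPLE_LOG, HARDENED_DECODERS)):
        print(page, "->", hard[1]["yara_scanned_file"])
```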

3. Append the following configuration to the Wazuh server configuration file /var/ossec/etc/ossec.conf:

<ossec_config>

  <!-- The YARA batch script is executed when a file is added or modified in the Downloads folder monitored by Wazuh -->
  <command>
    <name>yara</name>
    <executable>yara.bat</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <command>yara</command>
    <location>local</location>
    <rules_id>100010,100011</rules_id>
  </active-response>

</ossec_config>

4. Restart the Wazuh manager for the changes to take effect:

# systemctl restart wazuh-manager

Visualizing alerts on the Wazuh dashboard

The image below shows the alerts generated on the Wazuh dashboard when BLX stealer is dropped into the Downloads folder of the victim endpoint and executed. Perform the following steps to view the alerts on the Wazuh dashboard.

1. Navigate to Threat intelligence > Threat Hunting.

2. Click + Add filter. Then, filter for rule.id in the Field field.

3. Filter for is one of in the Operator field.

4. Filter for 553, 100010, 100011, 100110, 100120, and 100130 in the Values field.

5. Click Save.

BLX stealer dropped

Conclusion

BLX Stealer, with its ability to steal valuable data, presents a serious threat to both organizations and individuals. Wazuh provides the means to detect and respond to this malware.

In this blog post, we showed how Wazuh combines real-time monitoring and customizable rules to help security teams quickly spot BLX Stealer activity. By using these tools, organizations can take proactive measures to protect their systems and prevent sensitive information from being compromised.

To learn more about Wazuh, please check out our documentation and blog posts.
