Security researchers have observed a malicious campaign that uses a genuine code-signing certificate to disguise malware as ordinary executables. Blister, one of the payloads the researchers found, functions as a loader for other malware and appears to be a new threat with a poor detection rate.
The threat actor behind Blister has used various strategies to keep the attacks hidden from detection, including the use of code-signing certificates. According to security analysts at Elastic, Blister's operators have been running campaigns for at least three months.
In this case, the threat actor used a code-signing certificate that expires on August 23. Sectigo, a digital identity provider, issued it to Blist LLC, a company using an email address from the Russian provider Mail.Ru. Signing malware with genuine certificates is a tried-and-true tactic that threat actors have used for years. In the past, they stole certificates from legitimate businesses. Threat actors can also obtain a valid certificate using the details of a company they have compromised or of a front company.
In a blog post this week, Elastic said it responsibly reported the abused certificate to Sectigo so it could be revoked. According to the researchers, the threat actor used several strategies to keep the attack unnoticed. The Blister malware is embedded in a legitimate library (e.g., colorui.dll).
The malware is then run as an elevated user via the rundll32 command. Blister evades security controls because it is signed with a genuine certificate and installed with administrator privileges. According to Elastic's researchers, Blister then decodes "heavily obfuscated" bootstrapping code from the resource section. The code remains idle for 10 minutes, most likely to evade sandbox inspection.
It then decrypts embedded payloads that provide remote access and facilitate lateral movement: Cobalt Strike and BitRAT, both of which have previously been used by various threat actors. The malware achieves persistence with a copy in the ProgramData folder and another masquerading as rundll32.exe. It is also added to the Startup location as a child of explorer.exe, allowing it to run at every boot.
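The loader chain described above (a DLL launched through rundll32, a persistence copy in ProgramData masquerading as rundll32.exe, and a Startup entry running under explorer.exe) leaves traces in process-creation telemetry. The following heuristics are an added example, not Elastic's rule or code from its report; the event fields, file paths and the export name `Start` are constructed assumptions.

```python
"""Heuristics for the rundll32-based loader chain described above.
Runs over constructed Sysmon-style process-creation events (not real telemetry
and not Elastic's rule). Flags a rundll32.exe image outside the Windows system
directories, a DLL loaded from a user-writable path, and a Startup DLL under explorer.exe."""
import re

SYSTEM_RUNDLL32 = re.compile(r"^c:\\windows\\(system32|syswow64)\\rundll32\.exe$", re.I)
WRITABLE_DIRS = re.compile(r"^c:\\(programdata|users)\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
# Quoted path (may contain spaces) or bare path; the export name after the comma is ignored.
DLL_PATH = re.compile(r'"([a-z]:\\[^"]+?\.dll)"|([a-z]:\\[^",\s]+?\.dll)', re.I)

def dll_from_cmdline(cmdline):
    """Return the DLL path passed to rundll32, or None if there is none."""
    m = DLL_PATH.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def evaluate_event(event):
    """Return the names of the heuristics that fire for one process event."""
    hits = []
    image = event["Image"]
    if not image.lower().endswith("\\rundll32.exe"):
        return hits
    if not SYSTEM_RUNDLL32.match(image):  # a copy masquerading as rundll32.exe
        hits.append("rundll32_outside_system_dir")
    dll = dll_from_cmdline(event["CommandLine"])
    if dll and WRITABLE_DIRS.match(dll):  # e.g. the DLL dropped into ProgramData
        hits.append("rundll32_dll_from_user_writable_path")
    parent = event.get("ParentImage", "").lower()
    if dll and STARTUP_DIR.search(dll) and parent.endswith("\\explorer.exe"):
        hits.append("rundll32_startup_dll_under_explorer")
    return hits

# Constructed sample events; "Start" is a placeholder export name, not a real one.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Users\alice\Downloads\setup.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\ProgramData\colorui.dll,Start'},
    {"Image": r"C:\ProgramData\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\ProgramData\rundll32.exe C:\ProgramData\colorui.dll,Start"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'rundll32.exe "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\colorui.dll",Start'},
]

def scan(events=SAMPLE_EVENTS):
    """Map each event index to the heuristics it triggers (empty list = nothing flagged)."""
    return {i: evaluate_event(e) for i, e in enumerate(events)}
```

Because the bootstrapping code idles for ten minutes before the payloads are decrypted, process-creation events like these fire well before any in-memory Cobalt Strike or BitRAT indicators appear.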
Elastic's researchers discovered both signed and unsigned variants of the Blister loader, and both had a poor detection rate among the antivirus engines on the VirusTotal scanning service.
While the initial infection vector is unknown, the threat actors boosted their chances of success by combining valid code-signing certificates, malware embedded in legitimate libraries, and in-memory payload execution. Elastic has published a YARA rule to detect Blister activity and released indicators of compromise to help enterprises defend against the threat.