Security researchers have uncovered a malicious campaign that relies on a valid code-signing certificate to disguise malicious code as legitimate executables.
One of the payloads that the researchers called Blister, acts as a loader for other malware and appears to be a novel threat that enjoys a low detection rate.
The threat actor behind Blister has been relying on multiple techniques to keep their attacks under the radar, the use of code-signing certificates being only one of their tricks.
Signed, sealed, delivered
Whoever is behind Blister malware has been running campaigns for at least three months, since at least September 15, security researchers from Elastic search company found.
The threat actor used a code-signing certificate that is valid from August 23, though. It was issued by digital identity provider Sectigo for a company called Blist LLC with an email address from a Russian provider Mail.Ru.
Using valid certificates to sign malware is an old trick that threat actors learned years ago. Back then, they used to steal certificates from legitimate companies. These days, threat actors request a valid cert using details of a firm they compromised or of a front business.
In a blog post this week, Elastic says that they responsibly reported the abused certificate to Sectigo so it could be revoked.
The researchers say that the threat actor relied on multiple techniques to keep the attack undetected. One method was to embed Blister malware into a legitimate library (e.g. colorui.dll).
The malware is then executed with elevated privileges via the rundll32 command. Being signed with a valid certificate and deployed with administrator privileges makes Blister slip past security solutions.
In the next step, Blister decodes from the resource section bootstrapping code that is “heavily obfuscated,” Elastic researchers say. For ten minutes, the code stays dormant, likely in an attempt to evade sandbox analysis.
It then kicks into action by decrypting embedded payloads that provide remote access and allow lateral movement: Cobalt Strike and BitRAT - both have been used by multiple threat actors in the past.
The malware achieves persistence with a copy in the ProgramData folder and another posing as rundll32.exe. It is also added to the startup location, so it launches at every boot, as a child of explorer.exe.
Elastic’s researchers found signed and unsigned versions of the Blister loader, and both enjoyed a low detection rate with antivirus engines on VirusTotal scanning service.
While the objective of these attacks of the initial infection vector remain unclear, by combining valid code-signing certs, malware embedded in legitimate libraries, and execution of payloads in memory the threat actors increased their chances for a successful attack.
Elastic has created a Yara rule to identify Blister activity and provides indicators of compromise to help organizations defend against the threat.
