Researchers have discovered a stealthy malware campaign using valid code signing certificates in Windows systems to stay hidden. The malware loader, named Blister, further deploys second-stage payloads in memory.
About the malware
The ongoing malware campaign has been running since at least September 15.
According to Elastic Security, the identified malware samples have very low or no detection on VirusTotal.
The attacker has used a code-signing certificate valid from August 23.
It was issued by Sectigo for a corporation named Blist LLC with an email address from Mail.Ru, the Russian email provider.
Evasion tactics
The attackers have employed numerous techniques to hide their attacks or stay undetected.
One such tactic was to insert Blister malware into a genuine library (colorui[.]dll).
Then, the malware is executed with elevated privileges using the rundll32 command.
The files are signed with a valid certificate and delivered using admin privileges to avoid detection.
Further, the malware decodes from resource section bootstrapping code, which is heavily obfuscated.
For ten minutes, the code stays static, which is an attempt to avoid sandbox analysis.
Additional info
After performing the above-mentioned steps, it decrypts embedded payloads such as Cobalt Strike and BitRAT.
The researchers have discovered both signed and unsigned versions of the Blister loader. Both had a very low detection rate with antivirus engines on the scanning service, VirusTotal.
The malware obtains persistence using a copy in the ProgramData folder and posing as rundll32[.]exe. It is added to the startup location for being launched at every boot, as a child of explorer[.]exe.
Conclusion
The use of clever tricks to stay hidden makes Blister very challenging for organizations to detect. Thus, it is recommended to keep an eye on malicious behaviors within the organization's network and implement methods to detect them automatically. Additionally, individuals must watch files received from unknown sources and emails.