Privacy Ninja

Stealthy BLISTER Malware Slips in Unnoticed on Windows Systems

Stealthy BLISTER Malware Slips in Unnoticed on Windows Systems

Security researchers have uncovered a malicious campaign that relies on a valid code-signing certificate to disguise malicious code as legitimate executables.

One of the payloads that the researchers called Blister, acts as a loader for other malware and appears to be a novel threat that enjoys a low detection rate.

The threat actor behind Blister has been relying on multiple techniques to keep their attacks under the radar, the use of code-signing certificates being only one of their tricks.

Also Read: Vulnerability Assessment vs Penetration Testing: And Why You Need Both

Signed, sealed, delivered

Whoever is behind Blister malware has been running campaigns for at least three months, since at least September 15, security researchers from Elastic search company found.

The threat actor used a code-signing certificate that is valid from August 23, though. It was issued by digital identity provider Sectigo for a company called Blist LLC with an email address from a Russian provider Mail.Ru.

Valid code-signing certificate used in Blister malware attacks
source: Elastic

Using valid certificates to sign malware is an old trick that threat actors learned years ago. Back then, they used to steal certificates from legitimate companies. These days, threat actors request a valid cert using details of a firm they compromised or of a front business.

In a blog post this week, Elastic says that they responsibly reported the abused certificate to Sectigo so it could be revoked.

The researchers say that the threat actor relied on multiple techniques to keep the attack undetected. One method was to embed Blister malware into a legitimate library (e.g. colorui.dll).

The malware is then executed with elevated privileges via the rundll32 command. Being signed with a valid certificate and deployed with administrator privileges makes Blister slip past security solutions.

Also Read: When to Appoint a Data Protection Officer

In the next step, Blister decodes from the resource section bootstrapping code that is “heavily obfuscated,” Elastic researchers say. For ten minutes, the code stays dormant, likely in an attempt to evade sandbox analysis.

It then kicks into action by decrypting embedded payloads that provide remote access and allow lateral movement: Cobalt Strike and BitRAT – both have been used by multiple threat actors in the past.

The malware achieves persistence with a copy in the ProgramData folder and another posing as rundll32.exe. It is also added to the startup location, so it launches at every boot, as a child of explorer.exe.

Elastic’s researchers found signed and unsigned versions of the Blister loader, and both enjoyed a low detection rate with antivirus engines on VirusTotal scanning service.

Low detection rate for Blister malware loader
detection rate of unsigned Blister malware sample

While the objective of these attacks of the initial infection vector remain unclear, by combining valid code-signing certs, malware embedded in legitimate libraries, and execution of payloads in memory the threat actors increased their chances for a successful attack.

Elastic has created a Yara rule to identify Blister activity and provides indicators of compromise to help organizations defend against the threat.

Outsourced Data Protection Officer – It is mandatory to appoint a Data Protection Officer. We help our clients quickly comply with their PDPA & data protection requirements.

Vulnerability Assessment Penetration Testing – Find loopholes in your websites, mobile apps or systems.

Smart Contract Audit – Leverage our industry-leading suite of blockchain security analysis tools, combined with hands-on review from our veteran smart contract auditors.

0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Powered by WhatsApp Chat

× Chat with us