A malware campaign uncovered this week used valid code-signing certificates to make malicious components on Windows systems pass as legitimate executables.
The detected payload, dubbed Blister, appears to be a loader for other malware. Threats like Blister are novel and hard to detect. Blister's authors employ a range of techniques to stay hidden, but their reliance on valid code-signing certificates is the ace up their sleeve.
Threat creator detected
Researchers from Elastic found that Blister had been running campaigns for at least three months, since at least September 15, using code-signing certificates valid since August 23.
The certificate was issued by digital identity provider Sectigo to an email address at the Russian provider Mail.Ru.
According to the reports, the perpetrators employed a variety of methods to mask their attacks. The most notable was embedding Blister in a legitimate library on the system, which kept detection rates low.
Once on a machine, the malware is executed via rundll32. Combined with elevated privileges, a valid certificate can let malicious components like Blister slip past defenses undetected.
The malware then decodes bootstrapping code from its resource section. That code is heavily obfuscated and, once decoded, stays dormant for 10 minutes before continuing.
After the delay, Blister decrypts its embedded payloads, Cobalt Strike and BitRAT, both of which have previously been used by multiple threat actors for remote access and lateral movement within infected systems.
Finally, the malware establishes persistence by placing a local copy of rundll32.exe in the C:\ProgramData folder. Blister also creates a shortcut in the current user's Startup folder so that it launches as a child of explorer.exe when the user logs in.
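The persistence details above (a copy of rundll32.exe under C:\ProgramData and a Startup-folder shortcut) are straightforward to hunt for in endpoint telemetry. The following is an added detection sketch, not code from the article or from Elastic's published rule: it runs over constructed, Sysmon-like process-creation and file-creation records and flags any rundll32.exe that executes from outside the Windows system directories, plus any Startup-folder .lnk that points at such a copy. The event shape, the user name and the C:\ProgramData\Update path are assumptions made for the sample.

```python
"""Detection sketch for the Blister persistence technique described above.

Added example, not from the article. Sample events are constructed and
use a Sysmon-like shape (type, image/path, parent, target) as an assumption.
"""
import ntpath
import re
from typing import Dict, Iterable, List

# The only directories where rundll32.exe legitimately lives on a
# default Windows install. A copy anywhere else (e.g. C:\ProgramData)
# matches the behaviour the article describes.
TRUSTED_RUNDLL32_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}

# Per-user Startup folder (relative part of the path, matched case-insensitively).
STARTUP_DIR_RE = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\",
    re.IGNORECASE,
)


def is_rogue_rundll32(image_path: str) -> bool:
    """True when a binary named rundll32.exe runs from an untrusted directory."""
    directory, name = ntpath.split(image_path)
    if name.lower() != "rundll32.exe":
        return False
    return directory.lower().rstrip("\\") not in TRUSTED_RUNDLL32_DIRS


def is_startup_shortcut_to_rogue(lnk_path: str, target: str) -> bool:
    """True when a .lnk in the user's Startup folder points at a rogue rundll32 copy."""
    if not lnk_path.lower().endswith(".lnk"):
        return False
    if not STARTUP_DIR_RE.search(lnk_path):
        return False
    return is_rogue_rundll32(target)


def scan_events(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return one human-readable finding per suspicious event."""
    findings: List[str] = []
    for ev in events:
        if ev["type"] == "process_create":
            if is_rogue_rundll32(ev["image"]):
                findings.append(
                    f"rogue rundll32 copy executed: {ev['image']} (parent {ev['parent']})"
                )
        elif ev["type"] == "file_create":
            if is_startup_shortcut_to_rogue(ev["path"], ev.get("target", "")):
                findings.append(
                    f"startup persistence shortcut: {ev['path']} -> {ev['target']}"
                )
    return findings


# Constructed sample telemetry (not real indicators): one benign rundll32
# launch, one copy running from ProgramData, one Startup .lnk pointing at
# that copy, and one unrelated desktop shortcut that must not fire.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"type": "process_create",
     "image": r"C:\ProgramData\Update\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "file_create",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk",
     "target": r"C:\ProgramData\Update\rundll32.exe"},
    {"type": "file_create",
     "path": r"C:\Users\alice\Desktop\Notes.lnk",
     "target": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for line in scan_events(SAMPLE_EVENTS):
        print(line)
```

The path-based check is deliberately narrow: it keys on the one detail the article gives (rundll32.exe living outside System32/SysWOW64) rather than on the parent process, since rundll32 spawned by explorer.exe is also normal when a user opens a Control Panel item. In a real deployment the same two predicates would be expressed as an EDR query or Sysmon rule over the equivalent fields.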
Using valid code-signing certificates to disguise malware as normal files is not a new approach. Criminals have long stolen certificates from reputable businesses; nowadays, attackers simply request legitimate certificates using the details of compromised firms.
While the initial infection vector is unknown, the threat actors boosted their chances of success by combining valid code-signing certificates, malware embedded in legitimate libraries, and in-memory payload execution.
Elastic has published a YARA rule to detect Blister activity, along with indicators of compromise, to aid enterprises in their defence against the threat.