27 December 2021

Stealthy BLISTER malware leverages code signing certs to evade detection


Security researchers have uncovered a stealthy malware campaign that uses valid code signing certificates to bypass security mechanisms and deploy Cobalt Strike and BitRAT payloads on compromised systems.

The campaign involves a new malware loader, named ‘BLISTER’ by the researchers at Elastic Security who discovered the threat. It is worth noting that the discovered malware samples have very low or zero detection on VirusTotal.

The campaign has been active since at least September 15, with the threat actor behind BLISTER relying on multiple techniques to stay under the radar. One of these is the use of valid code signing certificates, specifically certificates issued by the digital identity provider Sectigo.

“Adversaries can either steal legitimate code-signing certificates or purchase them from a certificate authority directly or through front companies. Executables with valid code signing certificates are often scrutinized to a lesser degree than unsigned executables. Their use allows attackers to remain under the radar and evade detection for a longer period of time,” the research team explained.

Elastic Security has informed Sectigo about their findings so the company could take action and revoke the abused certificates.

As for BLISTER, the loader is spliced into legitimate libraries such as colorui.dll, likely to ensure that the majority of the on-disk footprint consists of known-good code and metadata. The loader can be initially written to disk by simple dropper executables. One such dropper writes a signed BLISTER loader to %temp%\Framwork\axsssig.dll and executes it with rundll32.

Once executed, the loader sleeps for 10 minutes (likely to evade sandbox analysis) and then decrypts the embedded malware payload (Cobalt Strike and BitRAT). Once decrypted, the payload is loaded into the current process or injected into a newly spawned WerFault.exe process. BLISTER then establishes persistence by copying itself to the C:\ProgramData folder, along with a renamed local copy of rundll32.exe, and creates a link in the current user’s Startup folder to launch the malware at logon as a child of explorer.exe.
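The execution and persistence chain described above gives a defender several host-level signals to hunt for even when the loader itself is signed: rundll32 loading a DLL out of %temp%, a binary under C:\ProgramData whose PE metadata still says it is rundll32.exe, and WerFault.exe being spawned by a process running from one of those locations. The script below is an added example written for this page, not code from Elastic Security’s report and not its YARA rule. It runs three such heuristics over constructed process-creation events shaped loosely like Sysmon Event ID 1 records (the `Image`, `ParentImage`, `CommandLine` and `OriginalFileName` field names are assumptions, as are all sample paths except the %temp%\Framwork\axsssig.dll path quoted above).

```python
"""Heuristic detections for the BLISTER loader behaviours described in the article.

Added example: event shape and sample data are constructed, not real telemetry.
"""
import re
from typing import Callable, Dict, List

# Constructed sample events resembling Sysmon process-creation records.
# "hostproc.exe" and the "EntryPoint" export name are placeholders.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {   # dropper executing the signed loader from %temp% via rundll32
        "id": 1,
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "ParentImage": r"C:\Users\alice\Downloads\setup.exe",
        "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\Framwork\axsssig.dll,EntryPoint",
    },
    {   # persistence: renamed rundll32 copy in ProgramData, launched at logon by explorer.exe
        "id": 2,
        "Image": r"C:\ProgramData\example\hostproc.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"C:\ProgramData\example\hostproc.exe C:\ProgramData\example\colorui.dll,EntryPoint",
    },
    {   # WerFault.exe spawned by the ProgramData-resident loader (injection target)
        "id": 3,
        "Image": r"C:\Windows\System32\WerFault.exe",
        "OriginalFileName": "WERFAULT.EXE",
        "ParentImage": r"C:\ProgramData\example\hostproc.exe",
        "CommandLine": r"C:\Windows\System32\WerFault.exe",
    },
    {   # benign: rundll32 running a system DLL
        "id": 4,
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    },
    {   # benign: WerFault.exe started by the WER service host
        "id": 5,
        "Image": r"C:\Windows\System32\WerFault.exe",
        "OriginalFileName": "WERFAULT.EXE",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 1234 -s 5678",
    },
]

TEMP_DLL = re.compile(r'(?:%temp%|\\AppData\\Local\\Temp)\\[^\s,"]*\.dll', re.IGNORECASE)
TEMP_DIR = re.compile(r"(?:%temp%|\\AppData\\Local\\Temp)\\", re.IGNORECASE)
PROGRAMDATA = re.compile(r"^C:\\ProgramData\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_rundll32_temp_dll(ev: Dict[str, object]) -> bool:
    """rundll32.exe loading a DLL that resides under %temp%."""
    return basename(str(ev["Image"])) == "rundll32.exe" and bool(
        TEMP_DLL.search(str(ev["CommandLine"])))


def rule_renamed_rundll32_programdata(ev: Dict[str, object]) -> bool:
    """PE metadata says rundll32.exe, but the file is renamed and lives in C:\\ProgramData."""
    image = str(ev["Image"])
    return (str(ev.get("OriginalFileName", "")).lower() == "rundll32.exe"
            and basename(image) != "rundll32.exe"
            and bool(PROGRAMDATA.match(image)))


def rule_werfault_suspicious_parent(ev: Dict[str, object]) -> bool:
    """WerFault.exe spawned by a process running from ProgramData or %temp%."""
    parent = str(ev["ParentImage"])
    return basename(str(ev["Image"])) == "werfault.exe" and bool(
        PROGRAMDATA.match(parent) or TEMP_DIR.search(parent))


RULES: Dict[str, Callable[[Dict[str, object]], bool]] = {
    "rundll32_temp_dll": rule_rundll32_temp_dll,
    "renamed_rundll32_programdata": rule_renamed_rundll32_programdata,
    "werfault_suspicious_parent": rule_werfault_suspicious_parent,
}


def classify(ev: Dict[str, object]) -> List[str]:
    """Names of every rule that fires on a single event, in a stable order."""
    return sorted(name for name, rule in RULES.items() if rule(ev))


def scan(events: List[Dict[str, object]]) -> Dict[int, List[str]]:
    """Map event id -> matched rule names, keeping only events that matched something."""
    findings: Dict[int, List[str]] = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            findings[int(ev["id"])] = hits
    return findings


if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(hits)}")
```

Each rule is deliberately narrow: the ProgramData rule keys on the mismatch between the on-disk name and the PE `OriginalFileName`, which survives the renaming the loader performs, while the WerFault rule looks at the parent image path rather than at WerFault.exe itself, since the injection target is a legitimate, signed Windows binary. Real telemetry would need tuning for software that legitimately runs from ProgramData, and a hit on any one rule is a lead for triage, not a verdict.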

A YARA rule to identify BLISTER activity, as well as indicators of compromise associated with this new threat, are available in Elastic Security’s report.
