Security researchers have uncovered a stealthy malware campaign that uses valid code signing certificates to bypass security mechanisms and deploy Cobalt Strike and BitRAT payloads on compromised systems.
The campaign involves a new malware loader, named ‘BLISTER’ by the researchers at Elastic Security who discovered the threat. It’s worth noting that the discovered malware samples have very low or zero detection on VirusTotal.
The campaign has been active since at least September 15, with the threat actor behind BLISTER relying on multiple techniques to stay under the radar. One of these is the use of valid code signing certificates, more specifically, code signing certificates issued by digital identity provider Sectigo.
“Adversaries can either steal legitimate code-signing certificates or purchase them from a certificate authority directly or through front companies. Executables with valid code signing certificates are often scrutinized to a lesser degree than unsigned executables. Their use allows attackers to remain under the radar and evade detection for a longer period of time,” the research team explained.
Elastic Security has informed Sectigo about their findings so the company could take action and revoke the abused certificates.
As for BLISTER, the loader is spliced into legitimate libraries such as colorui.dll, likely to ensure the majority of the on-disk footprint has known-good code and metadata. The loader can be initially written to disk from simple dropper executables. One such dropper writes a signed BLISTER loader to %temp%\Framwork\axsssig.dll and executes it with rundll32.
Once executed, the loader sleeps for 10 minutes (likely to evade sandbox analysis) and then decrypts the embedded malware payload (Cobalt Strike and BitRAT). Once decrypted, the payload is loaded into the current process or injected into a newly spawned WerFault.exe process. BLISTER then establishes persistence by copying itself, along with a renamed local copy of rundll32.exe, to the C:\ProgramData folder and creating a link in the current user’s Startup folder that launches the malware at logon as a child of explorer.exe.
A YARA rule for identifying BLISTER activity, as well as the indicators of compromise associated with this threat, are available in Elastic Security’s report.