Blister malware often goes undetected by antivirus engines
Security researchers have identified a new malware campaign that uses valid code-signing certificates and other techniques to evade detection by antivirus software.
According to a new blog post from Elastic Security, researchers at the cybersecurity firm have identified a cluster of malicious activity after reviewing its threat prevention telemetry.
The cybercriminals behind this new campaign use valid code-signing certificates to sign their malware and keep it under the radar of the security community. Elastic Security also identified a new malware loader used in the campaign, which it named Blister. Thanks to the valid code-signing certificates and the other measures taken to avoid detection, the operators have been running this campaign for at least three months.
Blister malware
The cybercriminals use a code-signing certificate issued by the digital identity company Sectigo to a company called Blist LLC, which is why Elastic Security named the loader Blister. They may also be operating from Russia, as they use Mail.Ru as their mail service.
In addition to using a valid code-signing certificate, the cybercriminals have relied on other techniques to evade detection, including embedding Blister into a legitimate library. Once the malware is run with elevated privileges via rundll32, it decrypts heavily obfuscated bootstrapping code stored in its resource section. From there, the code sleeps for ten minutes to escape sandbox analysis.
Once that time has elapsed, the malware starts up and decrypts its embedded payloads, which give the attackers remote access to the Windows system and let them move laterally across the victim's network. Blister also achieves persistence on an infected computer by storing one copy in the ProgramData folder and another disguised as rundll32.exe. To make matters worse, the malware adds itself to the system's startup directory, so it is launched every time the computer starts.
Elastic Security notified Sectigo so it could revoke Blister's code-signing certificate, and the company has also published a YARA rule to help organizations identify the malware.
In an email, Tim Callan, Chief Compliance Officer at Sectigo, provided further details, saying:
“In the week of December 21, 2021, Sectigo became aware that the threat actor behind the recently discovered BLISTER malware was using a code signing certificate. When Sectigo discovered the issue, it immediately revoked the compromised certificate.
As one of the oldest publicly recognized certificate authorities, Sectigo takes every precaution to ensure that every certificate we issue complies with CA/Browser Forum guidelines. Sectigo does not regulate, control or monitor the business practices of any operator, and our Services are in no way tied to content distributed by any particular operator.