Stealthy BLISTER malware slips in unnoticed on Windows systems


Stealthy Blister malware uses valid code signing certificate

Security researchers have uncovered a malicious campaign that relies on a valid code-signing certificate to disguise malicious code as legitimate executables.

One of the payloads, which the researchers called Blister, acts as a loader for other malware and appears to be a novel threat that enjoys a low detection rate.

The threat actor behind Blister has been relying on multiple techniques to keep their attacks under the radar, the use of code-signing certificates being only one of their tricks.

Signed, sealed, delivered

Whoever is behind the Blister malware has been running campaigns for at least three months, since at least September 15, security researchers from search company Elastic found.

The threat actor used a code-signing certificate that is valid from August 23, though. It was issued by digital identity provider Sectigo to a company called Blist LLC, with an email address from the Russian provider Mail.Ru.

Image: Valid code-signing certificate used in Blister malware attacks (source: Elastic)

Using valid certificates to sign malware is an old trick that threat actors learned years ago. Back then, they used to steal certificates from legitimate companies. These days, threat actors request a valid certificate using the details of a firm they compromised or of a front business, so a signature that verifies correctly says nothing about the intent of the signer.

In a blog post this week, Elastic says that they responsibly reported the abused certificate to Sectigo so it could be revoked.
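The practical consequence of the two paragraphs above is that a verified Authenticode signature should lower suspicion only a little. The following added example (not code from Elastic or from this article) shows one way a triage pipeline can weigh the signer metadata the article describes: how recently the certificate was issued relative to the first sighting of the sample, whether the contact address is a public webmail account, whether the signer organisation matches the binary's own version information, and whether the certificate has since been revoked. The `SignerInfo` and `SampleInfo` structures, the scoring weights, the webmail list and all dates and names in the constructed sample are assumptions for illustration; in a real pipeline they would be populated from the parsed signature and a CRL/OCSP lookup.

```python
"""Triage heuristics for a validly signed Windows binary.

Added example, not code from Elastic or the article. The signer fields
below are constructed to mirror the pattern the article describes: a
freshly issued certificate for a shell company with a webmail contact
address. All names, dates and weights are illustrative assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List

# Webmail domains a software vendor would not normally use as the
# contact for a code-signing certificate (assumption for this example).
WEBMAIL_DOMAINS = {"mail.ru", "gmail.com", "yandex.ru", "outlook.com"}


@dataclass
class SignerInfo:
    subject_org: str      # organisation in the certificate subject
    issuer: str
    contact_email: str
    not_before: date      # certificate validity start
    not_after: date
    revoked: bool         # result of a CRL/OCSP lookup supplied by the caller


@dataclass
class SampleInfo:
    sha256: str
    first_seen: date      # when the signed sample was first observed
    version_company: str  # CompanyName from the PE version resource
    signature_valid: bool # Authenticode chain verified successfully


@dataclass
class Verdict:
    score: int = 0
    findings: List[str] = field(default_factory=list)


def assess_signed_sample(sample: SampleInfo, signer: SignerInfo,
                         max_cert_age_days: int = 60) -> Verdict:
    """Score how much a valid signature should (not) reduce suspicion."""
    v = Verdict()
    if not sample.signature_valid:
        v.findings.append("signature does not verify")
        v.score += 3
        return v
    if signer.revoked:
        v.findings.append("certificate revoked since signing")
        v.score += 4
    age = (sample.first_seen - signer.not_before).days
    if age < 0:
        v.findings.append("sample seen before certificate validity start")
        v.score += 3
    elif age <= max_cert_age_days:
        # Certificates obtained for a campaign tend to be used almost immediately.
        v.findings.append(f"certificate only {age} days old at first sighting")
        v.score += 2
    domain = signer.contact_email.rsplit("@", 1)[-1].lower()
    if domain in WEBMAIL_DOMAINS:
        v.findings.append(f"webmail contact address ({domain})")
        v.score += 1
    if signer.subject_org.lower() != sample.version_company.lower():
        v.findings.append("signer organisation differs from version-info CompanyName")
        v.score += 1
    return v


# Constructed sample mirroring the article's timeline: certificate valid
# from 23 August, first sample seen 15 September, webmail contact address.
# The year, e-mail address and hash are placeholders, not real indicators.
BLISTER_LIKE_SIGNER = SignerInfo(
    subject_org="Blist LLC", issuer="Sectigo",
    contact_email="contact@mail.ru",          # constructed address
    not_before=date(2021, 8, 23), not_after=date(2022, 8, 23),
    revoked=False)                            # before Sectigo revoked it
BLISTER_LIKE_SAMPLE = SampleInfo(
    sha256="<placeholder sha256>", first_seen=date(2021, 9, 15),
    version_company="Example Software Co", signature_valid=True)


def demo() -> Verdict:
    return assess_signed_sample(BLISTER_LIKE_SAMPLE, BLISTER_LIKE_SIGNER)


if __name__ == "__main__":
    verdict = demo()
    print("score:", verdict.score)
    for finding in verdict.findings:
        print(" -", finding)
```

Even with the certificate still unrevoked, the constructed sample accumulates three findings: the certificate was only 23 days old when the sample appeared, the contact is a webmail address, and the signer does not match the binary's declared company. The point is that "signed" is one input to a decision, not the decision itself.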

The researchers say that the threat actor relied on multiple techniques to keep the attack undetected. One method was to embed the Blister malware into a legitimate library (e.g. colorui.dll).

The malware is then executed with elevated privileges via the rundll32 command. Being signed with a valid certificate and deployed with administrator privileges lets Blister slip past security solutions.

In the next step, Blister decodes, from its resource section, bootstrapping code that is “heavily obfuscated,” Elastic researchers say. The code then stays dormant for ten minutes, likely in an attempt to evade sandbox analysis.

It then kicks into action by decrypting embedded payloads that provide remote access and allow lateral movement: Cobalt Strike and BitRAT, both of which have been used by multiple threat actors in the past.

The malware achieves persistence with a copy in the ProgramData folder and another posing as rundll32.exe. It is also added to the startup location, so it launches at every boot, as a child of explorer.exe.

Elastic’s researchers found signed and unsigned versions of the Blister loader, and both enjoyed a low detection rate among the antivirus engines on the VirusTotal scanning service.

Image: Low detection rate for the Blister malware loader (detection rate of an unsigned Blister malware sample)

While the objective of these attacks and the initial infection vector remain unclear, by combining valid code-signing certificates, malware embedded in legitimate libraries, and execution of payloads in memory, the threat actors increased their chances of a successful attack.

Elastic has created a YARA rule to identify Blister activity and provides indicators of compromise to help organizations defend against the threat.
