Security researchers have uncovered an attack on Windows computers that relies on a valid code signing certificate to disguise malware as legitimate executable files.
One of the payload files, called Blister, acts as a loader for other malware and appears to be a new threat that currently enjoys a low detection rate. The people behind Blister rely on many techniques, and signing the code with a certificate is just one of their tricks.
Blister's malicious attacks have been going on for at least three months, at least since September 15, security researchers from the search company Elastic have found, as reported by Bleeping Computer.
However, the threat uses a code signing certificate that is valid from August 23. It was issued by the digital identity provider Sectigo to a company called Blist LLC with an email address from the Russian provider Mail.Ru.
Using valid certificates to sign malware is an old trick that attackers have been using for years. In the past, they stole certificates from legitimate companies. Today they obtain a valid certificate using the data of a company they have compromised or of a fake business.
In a blog post this week, Elastic said it had reported the compromised Sectigo certificate for revocation. Researchers say the attackers relied on a number of techniques to remain undetected. One method is to embed the Blister malware in a legitimate library (e.g. colorui.dll).
The malware is then run with elevated privileges via a Rundll32 command. Signing with a valid certificate and deploying with administrator rights allows Blister to get past security solutions.
In the next step, Blister decodes a loader from its resource section that is "heavily obfuscated", Elastic researchers explain. The code remains inactive for ten minutes, probably in an attempt to evade sandbox analysis.
An embedded payload is then decrypted that provides remote access and launches Cobalt Strike and BitRAT; both tools have been used by many threat actors in the past.
The malware achieves persistence with a copy in the ProgramData folder and another copy posing as rundll32.exe. It is also added to the startup programs and is thus launched on every boot as a "child" of explorer.exe.
Elastic researchers have found signed and unsigned versions of the Blister loader, both of which have a low antivirus detection rate in the VirusTotal scanning service.
Although the purpose of these threats remains unclear, by combining valid code signing certificates, malware embedded in legitimate libraries, and payloads executed in memory, the attackers increase their chances of a successful attack.
Elastic has created a YARA rule for identifying Blister activity and provides indicators of compromise to help organizations defend themselves against the new threat.