A malicious campaign has recently been identified by cybersecurity analysts at the security firm Elastic, in which a new stealthy malware, BLISTER, evades detection by leveraging valid code-signing certificates.
Here the threat actors used BLISTER as their payload because it is a capable loader with stealth features and a low detection rate, which makes it an attractive choice for attackers.
To stay undetected, BLISTER relies on several TTPs, and among them the use of valid code-signing certificates is the most notable.
In addition, VirusTotal results show that most of the scanned samples have a dramatically low detection rate, and at this point the operators behind the campaign and the malware are still unknown.
Multiple high-confidence alerts & second-stage payloads
Here are the high-confidence alerts that are triggered:
- Execution via Renamed Signed Binary Proxy
- Windows Error Manager/Reporting Masquerading
- Suspicious PowerShell Execution via Windows Scripts
The attackers used BLISTER to execute second-stage malware payloads and to:
- Maintain persistence
Key aspect of this campaign
Since September 15 the operators of BLISTER have been running this malicious campaign using a valid code-signing certificate issued by Sectigo, valid from August 23.
According to the researchers, the certificate used by BLISTER was issued to a company called Blist LLC, registered with an email address at Mail.Ru, a Russian email provider.
- Issuer: Sectigo Public Code Signing CA R36
- Issued to: Blist LLC
- Serial number: 2f4a25d52b16eb4c9dfe71ebbd8121bb
- Valid from: Monday, August 23, 2021 4:00:00 PM
- Valid to: Wednesday, August 24, 2022 3:59:59 PM
Here, the attackers use the details of compromised companies or businesses to request valid certificates. BLISTER is then executed with administrative privileges via the rundll32 command.
Once running, the malware decodes bootstrapping code stored in its resource section using a 4-byte XOR routine.
To carry out the whole operation the attackers combine two techniques:
- Certificate abuse
- BLISTER malware loader
The cybersecurity analysts at Elastic point to two alerts that detect this activity:
- Memory Threat Detection Alert: Shellcode Injection
- Malicious Behavior Detection Alert: Execution via Renamed Signed Binary Proxy
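The two ideas above, a renamed signed proxy binary (rundll32) and a malware loader carrying a valid certificate, can be turned into simple event checks. The following is an added example, not Elastic's rule logic or the campaign's code; the event format, field names and the list of proxy binaries beyond rundll32 are assumptions, while the certificate subject and serial are the ones quoted in this article.

```python
"""Added example (not Elastic's code): two defender-side checks that the
process events described in the article would trip.  The event format and
field names are assumptions for illustration."""
from dataclasses import dataclass

# Certificate details quoted in the article (the one abused by BLISTER).
BLISTER_CERT_SERIAL = "2f4a25d52b16eb4c9dfe71ebbd8121bb"
BLISTER_CERT_SUBJECT = "Blist LLC"

# Signed Microsoft binaries commonly used to proxy execution of other code.
# Only rundll32 is named in the article; the other entries are assumptions.
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}

@dataclass
class ProcessEvent:
    name: str                 # file name the process was started from
    original_file_name: str   # OriginalFileName from the PE version resource
    signer_subject: str = ""  # Authenticode signer subject, "" if unsigned
    signer_serial: str = ""   # certificate serial number as hex
    signature_trusted: bool = False

def triage(ev: ProcessEvent) -> list[str]:
    """Return the alert names an event raises (empty list if none)."""
    alerts = []
    # A trusted signature is not a clean bill of health: BLISTER itself
    # carried a valid Sectigo certificate, so the checks look past it.
    if (ev.signature_trusted
            and ev.original_file_name.lower() in PROXY_BINARIES
            and ev.name.lower() != ev.original_file_name.lower()):
        alerts.append("Execution via Renamed Signed Binary Proxy")
    if (ev.signer_serial.lower() == BLISTER_CERT_SERIAL
            or ev.signer_subject == BLISTER_CERT_SUBJECT):
        alerts.append("Known abused code-signing certificate")
    return alerts

def run_sample() -> dict[str, list[str]]:
    """Triage three constructed events and map each name to its alerts."""
    events = [  # constructed sample data; "0a" is a placeholder serial
        ProcessEvent("rundll32.exe", "RUNDLL32.EXE", "Microsoft Windows", "0a", True),
        ProcessEvent("svchost_update.exe", "RUNDLL32.EXE", "Microsoft Windows", "0a", True),
        ProcessEvent("launcher.exe", "launcher.exe", BLISTER_CERT_SUBJECT,
                     BLISTER_CERT_SERIAL.upper(), True),
    ]
    return {ev.name: triage(ev) for ev in events}

if __name__ == "__main__":
    for name, alerts in run_sample().items():
        print(f"{name:22s} -> {alerts or ['clean']}")
```

The second event shows why the check keys on the PE's OriginalFileName rather than the on-disk name: a trusted Microsoft signature survives the rename, so signature status alone would let it through.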
However, the initial infection vector and the objectives of these attacks are still unclear; what is clear is that the attackers have multiple malicious techniques at their disposal to carry out successful attacks.