New BLISTER Malware Using Code Signing Certificates to Evade Detection

Posted by OO7 at 2021-12-24 09:17:40



Cybersecurity researchers have disclosed details of an evasive malware campaign that makes use of valid code signing certificates to sneak past security defenses and stay under the radar with the goal of deploying Cobalt Strike and BitRAT payloads on compromised systems.

The binary, a loader, has been dubbed "Blister" by researchers from Elastic Security, with the malware samples having negligible to zero detections on VirusTotal. As of writing, the infection vector used to stage the attack, as well as the ultimate objectives of the intrusion, remains unknown.

A notable aspect of the attacks is that they leverage a valid code signing certificate issued by Sectigo. The malware has been observed signed with the certificate in question dating back to September 15, 2021. Elastic said it reached out to the company to ensure that the abused certificates are revoked.

"Executables with valid code signing certificates are often scrutinized to a lesser degree than unsigned executables," researchers Joe Desimone and Samir Bousseaden said. "Their use allows attackers to remain under the radar and evade detection for a longer period of time."



Blister masquerades as a legitimate library called "colorui.dll" and is delivered via a dropper named "dxpo8umrzrr1w6gm.exe." Post-execution, the loader is designed to sleep for 10 minutes, likely in an attempt to evade sandbox analysis, only to follow it up by establishing persistence and decrypting an embedded malware payload such as Cobalt Strike or BitRAT.

"Once decrypted, the embedded payload is loaded into the current process or injected into a newly spawned WerFault.exe [Windows Error Reporting] process," the researchers noted. Additional indicators of compromise (IoCs) associated with the campaign can be accessed in Elastic Security's report.

Source: https://thehackernews.com/2021/12/new-blister-malware-using-code-signing.html

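The two behaviours the article describes, a valid but abusable signature and payload injection into a freshly spawned WerFault.exe, are both huntable in endpoint telemetry. The script below is an added example written for this thread; it is not code from The Hacker News, the forum poster, or Elastic's published detection rules. It runs three heuristics over constructed Sysmon-style process-creation records: a WerFault.exe started without the `-p <pid>` argument that genuine Windows Error Reporting passes (an assumption about normal WER command lines), a signer thumbprint that appears on an organisation-maintained block list of abused certificates (the thumbprint value is made up), and a signing certificate younger than a tunable 30-day threshold (an assumed enrichment field). The 10-minute sleep is not modelled. The parent name `dxpo8umrzrr1w6gm.exe` in the sample data is taken from the article; the paths and every other field are constructed.

```python
"""
Hunting heuristics for a BLISTER-style signed loader, run over constructed
process-creation records. Added example; not Elastic's detection logic.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    """One constructed process-creation record (Sysmon Event ID 1 style)."""
    image: str                           # path of the created process
    cmdline: str                         # full command line
    parent_image: str                    # path of the creating process
    signed: bool = False                 # assumption: EDR-verified Authenticode signature
    signer_thumbprint: str = ""          # SHA-1 of the leaf signing certificate
    cert_age_days: Optional[int] = None  # days since the signing cert's NotBefore


# Assumption: genuine Windows Error Reporting starts WerFault.exe with the
# faulting process id, e.g. "WerFault.exe -u -p 4112 -s 1984". A WerFault.exe
# created with no "-p <pid>" argument is a candidate injection host.
WERFAULT_PID_ARG = re.compile(r"(?:^|\s)-p\s+\d+(?=\s|$)")

# Hypothetical block list of leaf-certificate thumbprints an organisation
# maintains once a certificate is known to have signed malware. The value
# below is made up for this example.
ABUSED_THUMBPRINTS = {"9f3a6b1c2d4e5f60718293a4b5c6d7e8f9a0b1c2"}

# Assumption: a code-signing certificate only a few weeks old deserves a look
# even though the signature verifies. The threshold is a tunable guess.
YOUNG_CERT_DAYS = 30


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(ev: ProcEvent) -> List[str]:
    """Return the names of every heuristic the event trips (empty if none)."""
    findings: List[str] = []
    if basename(ev.image) == "werfault.exe" and not WERFAULT_PID_ARG.search(ev.cmdline):
        findings.append("werfault_without_pid")
    if ev.signed:
        if ev.signer_thumbprint.lower() in ABUSED_THUMBPRINTS:
            findings.append("signer_on_blocklist")
        if ev.cert_age_days is not None and ev.cert_age_days < YOUNG_CERT_DAYS:
            findings.append("young_signing_cert")
    return findings


def hunt(events: List[ProcEvent]) -> List[Tuple[str, List[str]]]:
    """Keep only events with findings, keyed by the image file name."""
    hits = []
    for ev in events:
        findings = analyze(ev)
        if findings:
            hits.append((basename(ev.image), findings))
    return hits


# Constructed sample telemetry: a benign WER launch, a WerFault.exe spawned with
# no pid argument by an executable in a user-writable path (name from the
# article), and that executable itself, signed by a young, block-listed cert.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WerFault.exe", "WerFault.exe -u -p 4112 -s 1984",
              r"C:\Windows\System32\svchost.exe", signed=True,
              signer_thumbprint="constructed-microsoft-thumbprint", cert_age_days=400),
    ProcEvent(r"C:\Windows\System32\WerFault.exe", "WerFault.exe",
              r"C:\Users\Public\dxpo8umrzrr1w6gm.exe", signed=True,
              signer_thumbprint="constructed-microsoft-thumbprint", cert_age_days=400),
    ProcEvent(r"C:\Users\Public\dxpo8umrzrr1w6gm.exe", "dxpo8umrzrr1w6gm.exe",
              r"C:\Windows\explorer.exe", signed=True,
              signer_thumbprint="9F3A6B1C2D4E5F60718293A4B5C6D7E8F9A0B1C2", cert_age_days=12),
]

if __name__ == "__main__":
    for image, findings in hunt(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(findings)}")
```

The first sample is deliberately clean so the WerFault rule stays quiet on ordinary crash reporting; in production the thumbprint list would be fed from certificate revocations such as the one Elastic requested from Sectigo, and the young-certificate rule should be paired with a prevalence check to keep the noise down.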
Posted by tg4ever at 2021-12-25 17:16:39

I wonder how much of this kind of stuff is already out there, even from the CIA or other government agencies, unknown and spying on us every minute of the day.
