Researchers have recently discovered a stealthy malware campaign that targets computers using the Windows operating systems. It consists of a loader known as Blister and various malware that it installs onto the target computers. Blister uses a variety of techniques to remain hidden like disguising malware as legitimate executables and using valid code-signing certificates.
Security researchers from Elastic Security report that the Blister campaign has been running since at least September 15, 2021 and is still ongoing. The malware samples they have identified so far have very low detection profiles with antivirus engines running on the VirusTotal virus scanning service, and some samples have no profile at all. Blister uses a code-signing certificate issued by digital identity provider Sectigo that’s valid from August 23. Sectigo issued the certificate for Blist LLC, which uses an email address from the Russian email provider Mail.Ru. Elastic stated that it reported the abused certificate to Sectigo in December so it could be revoked.
Techniques
Using valid certificates to make malware appear as legitimate software is a technique that malicious actors have been using for decades. They originally acquired these certificates by stealing them from legitimate companies. However, today’s actors typically obtain their own valid certificates based on the details of a front business or a legitimate firm they’ve already compromised. Researchers have also discovered unsigned versions of the Blister loader.
The actors who launched the Blister campaign used multiple techniques to prevent their attacks from being detected. For example, they embedded their malware in a legitimate library like colorui.dll. Once it was in the library, the attackers used the rundll32 command to execute the malware with elevated privileges. Blister malware is then able to avoid detection by antimalware solutions because it’s signed with a valid certificate and running with administrator privileges.
The next step in the Blister campaign is to decode “heavily obfuscated” bootstrapping code from its resource section. The code remains dormant for ten minutes, probably to avoid detection from sandbox analysis. It then decrypts its payloads, which include BitRAT and Cobalt Strike. These programs are well known to analysts, and perform functions such as providing actors with remote access to the target computer so they can move through it laterally. Blister achieves persistence by making copies of itself in the ProgramData folder and the startup location. It also poses as rundll32.exe, ensuring it launches each time the system boots as a child of explorer.exe.
Prevention
Elastic has created a YARA rule to identify Blister and provide evidence of infection, which can help organizations defend against it. YARA is a tool that uses a rules-based approach towards detecting malware that creates descriptions of malware. These descriptions are based on binary and textual patterns in the malware’s code and use Boolean expressions to combine patterns. YARA expressions are similar to Perl regular expressions.
Analysts also recommend monitoring networks for malicious behavior, regardless of whether the behavior specifically matches a known malware profile. Organizations should implement methods of detecting this type of behavior continuously and automatically. Standard practices such as verifying the source of email before opening attachments or clicking on links in the message still apply to avoiding infection by Blister.
The ultimate objective of the Blister campaign remains unclear. However, the threat actors are using techniques that greatly increase their chances of success. The combined techniques of embedding malware in legitimate libraries, using valid code-signing certificates and executing payloads in memory render traditional antivirus solutions largely ineffective.
Data Security Breach flickr photo by Visual Content shared under a Creative Commons (BY) license