Cybersecurity researchers have disclosed details of an evasive malware campaign that uses valid code signing certificates to bypass security defences and stay undetected, with the goal of delivering Cobalt Strike and BitRAT payloads to infected systems. Elastic Security researchers dubbed the loader binary "Blister"; the malware samples had negligible to zero detections on VirusTotal. The infection vector used to stage the attack, as well as the ultimate goals of the intrusion, are unknown.
A notable aspect of the attacks is their use of a legitimate Sectigo code signing certificate. Malware signed with the certificate in question has been observed since September 15, 2021, and Elastic said it has contacted the company to have the abused certificate revoked. "Executables with valid code signing certificates are often scrutinized to a lesser degree than unsigned executables," researchers Joe Desimone and Samir Bousseaden said. "Their use allows attackers to remain under the radar and evade detection for a longer period of time."
Another intriguing component of this campaign is what appears to be a novel malware loader with few VirusTotal detections, known as the BLISTER loader. The loader is likely spliced into legitimate libraries such as colorui.dll so that the majority of the on-disk footprint consists of known-good code and metadata. Initially, the loader can be written to disk by simple dropper executables. One such dropper saves a signed BLISTER loader to %temp%\Framwork\axsssig.dll and runs it with rundll32; LaunchColorCpl is a common DLL export and entry point name used by BLISTER.
When run, BLISTER uses a basic 4-byte XOR routine to decode bootstrapping code stored in its resource section. The bootstrapping code is heavily obfuscated and initially sleeps for 10 minutes, almost certainly an attempt to evade sandbox analysis. After the delay it decrypts the embedded malware payload; researchers have identified Cobalt Strike and BitRAT as the embedded payloads. Once decoded, the embedded payload is either loaded into the current process or injected into a newly spawned WerFault.exe process.
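The execution chain described above (a dropper running a signed DLL from %temp% via rundll32, then injection into a freshly spawned WerFault.exe) lends itself to process-telemetry detection. The following is an added example, not Elastic's rule or code from the campaign: two heuristic rules run over constructed Sysmon-style process-creation events, with event shapes, PIDs and the WerFault command lines assumed for illustration.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry):
# events 1-2 mimic the BLISTER chain, events 3-4 are benign look-alikes.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 3900, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "%temp%\Framwork\axsssig.dll",LaunchColorCpl'},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\WerFault.exe",
     "cmdline": r"C:\Windows\System32\WerFault.exe -u -p 4100"},
    {"pid": 5000, "ppid": 800, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"pid": 5100, "ppid": 1200, "image": r"C:\Windows\System32\WerFault.exe",
     "cmdline": r"C:\Windows\System32\WerFault.exe -u -p 1200"},
]

# A .dll under a temp directory, written either as %temp% or as \Temp\ .
TEMP_DLL_RE = re.compile(r'(?:\\|%)(?:temp|tmp)(?:%|\\)[^\s"]*?\.dll', re.IGNORECASE)
LOADER_EXPORT = "LaunchColorCpl"  # export name reported for the BLISTER loader

def is_image(ev, name):
    return ev["image"].lower().endswith("\\" + name)

def rundll32_temp_dll(ev):
    """Rule 1: rundll32 running a DLL from a temp path ('high' if the BLISTER export is named)."""
    if not is_image(ev, "rundll32.exe"):
        return None
    m = TEMP_DLL_RE.search(ev["cmdline"])
    if not m:
        return None
    sev = "high" if LOADER_EXPORT.lower() in ev["cmdline"].lower() else "medium"
    return f"{sev}: pid={ev['pid']} rundll32 loads DLL from temp path {m.group(0)}"

def werfault_child_of_rundll32(ev, by_pid):
    """Rule 2: WerFault.exe whose parent is rundll32.exe; BLISTER injects its
    payload into a WerFault.exe that the loader itself spawns."""
    parent = by_pid.get(ev["ppid"])
    if is_image(ev, "werfault.exe") and parent and is_image(parent, "rundll32.exe"):
        return f"high: pid={ev['pid']} WerFault.exe spawned by rundll32 pid={parent['pid']}"
    return None

def scan(events):
    """Apply both rules to a batch of events and return the alert strings."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        for hit in (rundll32_temp_dll(ev), werfault_child_of_rundll32(ev, by_pid)):
            if hit:
                alerts.append(hit)
    return alerts
```

Rule 2 needs the parent event in the same batch, so in a real pipeline it should be run against a process tree rather than a single event stream.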
Elastic Security has alerted Sectigo, and Blister's code signing certificate has been revoked; the company has also released a YARA rule to help organizations identify the new malware.