Recent research has uncovered a malware campaign that uses a valid code signing certificate to slip past security controls. The signed loader at its center is used to deploy payloads such as Cobalt Strike and BitRAT on compromised systems.
The loader, which Elastic Security researchers have named “Blister,” has gone largely unnoticed: samples uploaded to VirusTotal registered few or no detections. The initial access vector and the overall objectives of the campaign remain unknown.
A particularly troubling detail is the campaign's use of a valid code signing certificate issued by Sectigo. The certificate, which dates back to September 15, 2021, has let the malicious loader pass as legitimate software. Elastic has contacted Sectigo to have the certificate revoked.
Researchers Joe Desimone and Samir Bousseaden pointed to the weakness in the trust model that the campaign exploits, stating, “Executables with valid code signing certificates are often subjected to less scrutiny compared to their unsigned counterparts. Their validity provides attackers with a means to operate discreetly and evade detection for extended periods.”
Blister poses as a legitimate library named “colorui.dll” and is delivered by a dropper named “dxpo8umrzrr1w6gm.exe.” Once executed, the loader sleeps for 10 minutes, most likely to wait out the execution time limit of automated sandboxes, before establishing persistence and decrypting an embedded payload such as Cobalt Strike or BitRAT.
Once decrypted, the payload is either loaded into the current process or injected into a newly created WerFault.exe (Windows Error Reporting) process. Elastic has published additional indicators of compromise (IoCs) for the campaign.
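Both the researchers' point about signed executables and the execution chain just described translate into concrete hunting logic. The following Python is an example added to this article, not code from Elastic's report or tooling. It runs four heuristics over constructed Sysmon-style events: a valid signature from a publisher the organization has not vetted is reported as a finding rather than a pass, a DLL named colorui.dll loading from outside System32 is flagged, and WerFault.exe is flagged when it is started from a user-writable path without a crash PID on its command line or when a non-system process creates a thread in it. The publisher allowlist, the directory markers, the dropper's path, the publisher name and the events themselves are assumptions made for the demonstration; only the two file names come from the article.

```python
"""Hunting heuristics for the BLISTER tradecraft described in this article, run over
constructed Sysmon-style events (field names follow Sysmon's schema: Image, ParentImage,
CommandLine, ImageLoaded, Signed, Signature, SignatureStatus, SourceImage, TargetImage).
Example code added for this page, not Elastic's detection logic; every event, path,
publisher name and allowlist below is made up for the demonstration."""
import ntpath
import re

# Publishers the (hypothetical) organization has vetted. A valid signature from anyone
# else is reported as "signed by an unvetted publisher", never as "trusted": the Sectigo
# certificate in this campaign was valid, yet its subject was unknown to every victim.
TRUSTED_SIGNERS = {"microsoft windows", "microsoft corporation"}
# colorui.dll is a genuine System32 component; a copy loaded from anywhere else is the
# masquerade the article describes.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
MASQUERADED_DLLS = {"colorui.dll"}
# Path fragments marking user-writable drop locations (assumption for this example).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# Legitimate WerFault.exe launches name the crashed PID, e.g. "-u -p 4812 -s 1156".
WER_PID_SWITCH = re.compile(r"(?:^|\s)-p\s+\d+")


def _base(path):
    return ntpath.basename(path or "").lower()


def _in_system_dir(path):
    return ntpath.dirname((path or "").lower()) in SYSTEM_DIRS


def rule_signed_unknown_publisher(ev):
    """Signed is not trusted: flag unvetted publishers and any non-Valid status
    (Revoked, Expired) instead of waving every signed binary through."""
    if ev.get("EventID") not in (1, 7) or ev.get("Signed", "").lower() != "true":
        return None
    target = ev.get("ImageLoaded") or ev.get("Image")
    status, signer = ev.get("SignatureStatus", ""), ev.get("Signature", "")
    if status.lower() != "valid":
        return f"signature status {status!r} on {target}"
    if signer.lower() not in TRUSTED_SIGNERS:
        return f"valid signature from unvetted publisher {signer!r} on {target}"
    return None


def rule_system_dll_outside_system_dir(ev):
    """Sysmon event 7: a system DLL name loaded from a non-system directory."""
    loaded = ev.get("ImageLoaded", "")
    if ev.get("EventID") == 7 and _base(loaded) in MASQUERADED_DLLS and not _in_system_dir(loaded):
        return f"{_base(loaded)} loaded from {ntpath.dirname(loaded)} by {_base(ev.get('Image'))}"
    return None


def rule_werfault_anomaly(ev):
    """Sysmon event 1: WerFault.exe spawned from a drop directory or with no crash PID."""
    if ev.get("EventID") != 1 or _base(ev.get("Image")) != "werfault.exe":
        return None
    parent, reasons = ev.get("ParentImage", ""), []
    if any(m in parent.lower() for m in USER_WRITABLE):
        reasons.append(f"parent in user-writable path {parent}")
    if not WER_PID_SWITCH.search(ev.get("CommandLine", "")):
        reasons.append("no target PID on command line")
    return "WerFault.exe " + "; ".join(reasons) if reasons else None


def rule_remote_thread_into_werfault(ev):
    """Sysmon event 8: a thread created in WerFault.exe by a non-system process."""
    if (ev.get("EventID") == 8 and _base(ev.get("TargetImage")) == "werfault.exe"
            and not _in_system_dir(ev.get("SourceImage"))):
        return f"remote thread into WerFault.exe from {ev.get('SourceImage')}"
    return None


RULES = (rule_signed_unknown_publisher, rule_system_dll_outside_system_dir,
         rule_werfault_anomaly, rule_remote_thread_into_werfault)


def hunt(events):
    """Return a (rule name, detail) pair for every event/rule combination that fires."""
    hits = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append((rule.__name__, detail))
    return hits


DROPPER = r"C:\Users\alice\AppData\Local\Temp\dxpo8umrzrr1w6gm.exe"  # name from the article, path assumed
SAMPLE_EVENTS = [  # constructed: two benign events, then the chain the article describes
    {"EventID": 7, "Image": r"C:\Windows\System32\rundll32.exe", "ImageLoaded": r"C:\Windows\System32\colorui.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WerFault.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 4812 -s 1156",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": DROPPER, "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\colorui.dll",  # loading process assumed
     "Signed": "true", "Signature": "Example Software Ltd", "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WerFault.exe", "ParentImage": DROPPER,
     "CommandLine": r"C:\Windows\System32\WerFault.exe",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 8, "SourceImage": DROPPER, "TargetImage": r"C:\Windows\System32\WerFault.exe"},
]

if __name__ == "__main__":
    for name, detail in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

Because the loader sleeps for 10 minutes before doing anything observable, a sandbox detonation with a shorter run time will report a clean sample; rules like these run on endpoint telemetry instead and catch the behaviour whenever it eventually occurs. The WerFault heuristic deliberately does not alert merely because the parent is something other than svchost.exe, since WerFault.exe is also launched in the context of a crashing application; it keys on drop directories and on the missing PID switch. Once the certificate is revoked, the SignatureStatus branch turns previously "valid" samples into findings as well, provided the endpoint actually checks revocation.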