Elastic experts have identified a new Blister malware that uses a valid certificate issued at the request of a Russian company. Blister is stealthy, and so far very few antivirus engines can detect it.
Elastic security experts have identified a malicious campaign centered around the highly secretive Blister malware used to download other malware. Blister uses valid security certificates to disguise malicious code as legitimate executable files.
In particular, it uses a certificate issued on August 23, 2021 by the certificate authority of the American information security company Sectigo to Blist LLC. Blist’s declared e-mail address is in the bk.ru domain (which belongs to Mail.ru): [email protected]
Using valid certificates to sign malware is nothing new; cybercriminals have been using this trick for many years. Usually, however, certificates are stolen.
In this case, a certificate was requested on behalf of an already compromised company or a specially created front organization.
Stealthy malware uses a legitimate certificate to infiltrate systems
An LLC named “Blist” is indeed registered in Kazan, but its e-mail address cannot be found in public sources, so it cannot be said for certain that this is the same company.
Stealth is second nature
A legitimate certificate isn’t Blister’s only stealth trick. The researchers found that the malware can be embedded in legitimate DLLs, such as colorui.dll, and run through rundll32 with elevated privileges. Signed with a valid certificate and launched with administrator privileges, the malware can easily bypass the system’s defenses.
After the initial infiltration, Blister decrypts an additional loader, which remains dormant for ten minutes. Apparently, this is done to evade interception and analysis in a sandbox. This code is heavily obfuscated.
When this code does run, it unpacks two well-known tools for remote access and stealthy movement through compromised networks: Cobalt Strike and BitRAT.
Persistence is ensured by the malware copying itself into several directories on disk, in particular ProgramData. In addition, it creates a fake rundll.exe file. At each boot, the malware is launched as a child process of explorer.exe.
Elastic experts noted that, in addition to the Blister versions signed with a valid certificate, they also came across unsigned versions. Both are very rarely detected by antivirus tools: on VirusTotal, only two of the 67 engines there correctly identified the compromised colorui.dll as malicious.
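A behaviour-based check for the persistence pattern described above (a look-alike rundll.exe, copies staged under ProgramData, launch as a child of explorer.exe), as an added Python example that is not from the Elastic report; the Sysmon-style event fields and the sample events are constructed, and a valid signature is deliberately not treated as a reason to suppress a finding.

```python
import ntpath
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Constructed process-creation record (Sysmon-style fields)."""
    image: str            # full path of the started executable
    cmdline: str          # command line
    parent_image: str     # full path of the parent process
    signed: bool = True   # Authenticode validity; never used to drop a finding


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def flag_event(ev: ProcEvent) -> list[str]:
    """Return the behavioural findings for one process-creation event."""
    image = ev.image.lower()
    name = ntpath.basename(image)
    cmdline = ev.cmdline.lower()
    parent = ntpath.basename(ev.parent_image.lower())
    findings = []
    # Windows ships rundll32.exe; a bare 'rundll.exe' is a look-alike name.
    if name == "rundll.exe":
        findings.append("lookalike rundll.exe")
    # The genuine host binary lives under System32/SysWOW64 only.
    if name in ("rundll32.exe", "rundll.exe") and not image.startswith(SYSTEM_DIRS):
        findings.append("rundll host outside system directories")
    # An export invoked from a DLL staged in the user-writable ProgramData tree.
    if name.startswith("rundll") and "\\programdata\\" in cmdline:
        findings.append("DLL loaded from ProgramData")
    # Boot-time persistence pattern: explorer.exe starting a binary from ProgramData.
    if parent == "explorer.exe" and "\\programdata\\" in image:
        findings.append("explorer.exe child running from ProgramData")
    return findings


# Constructed sample events: one benign Control Panel launch, two Blister-like launches.
SAMPLE_EVENTS = {
    "benign": ProcEvent(r"C:\Windows\System32\rundll32.exe",
                        r"rundll32.exe shell32.dll,Control_RunDLL",
                        r"C:\Windows\explorer.exe"),
    "fake_rundll": ProcEvent(r"C:\ProgramData\rundll.exe",
                             r"C:\ProgramData\rundll.exe C:\ProgramData\colorui.dll,#1",
                             r"C:\Windows\explorer.exe"),
    "dll_from_programdata": ProcEvent(r"C:\Windows\System32\rundll32.exe",
                                      r"rundll32.exe C:\ProgramData\colorui.dll,#1",
                                      r"C:\Windows\System32\cmd.exe"),
}


def scan(events=SAMPLE_EVENTS) -> dict[str, list[str]]:
    """Run flag_event over every sample and return findings keyed by label."""
    return {label: flag_event(ev) for label, ev in events.items()}


if __name__ == "__main__":
    for label, findings in scan().items():
        print(f"{label}: {findings or 'no findings'}")
```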
“Most likely, the purpose of Blister as such is to compromise and covertly gather intelligence on corporate networks, into which an encryptor or some advanced spyware can then be launched,” said Nikita Pavlov, an information security expert at SEQ. “It is a concern that too few defenses are identifying this malware, but this is likely to change very soon.”