The newly discovered BLISTER malware loader leverages valid code signing certificates to evade detection. Consequently, this sneaky threat continues to have a very low detection rate on VirusTotal.
BLISTER Malware Loader Active In The Wild
Researchers from Elastic Security have shared a detailed report elaborating on the newly discovered BLISTER malware loader.
As the report explains, the threat actors behind this new malware sign it with valid code signing certificates. This strategy helps a threat stay under the radar, and it worked in the case of BLISTER too.
Adversaries can either steal legitimate code-signing certificates or purchase them from a certificate authority directly or through front companies. Executables with valid code signing certificates are often scrutinized to a lesser degree than unsigned executables.
In most cases, the researchers observed the malware signed with valid certificates issued by Sectigo. Following this discovery, the researchers informed the CA so that it could revoke the certificates.
Regarding the loader itself, it applies various tactics to appear harmless. For instance, it is bundled with legitimate libraries, possibly to leave a benign-looking footprint on disk.
After executing, the BLISTER loader decodes heavily obfuscated bootstrapping code that initially sleeps, possibly to avoid detection. The code then deploys the final payload, which in most cases the researchers observed to be Cobalt Strike or BitRAT.
Finally, the malware copies itself to the C:\ProgramData folder, together with a renamed copy of rundll32.exe, to gain persistence.
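The persistence step above (a renamed rundll32.exe living in C:\ProgramData) is one of the few artifacts the article gives a defender to hunt for, and a valid signature should not be allowed to suppress that hunt. The following is an added example written for this page, not code from the article or from Elastic's report: a small triage routine over process-creation events modelled on Sysmon Event ID 1 fields (Image, OriginalFileName, Signed). The sample events, including the file name winhelper.exe, are constructed for illustration; the logic flags any process whose PE metadata says rundll32 but whose on-disk name or directory does not match, and any executable launched from C:\ProgramData, recording the signing status alongside rather than using it as a pass.

```python
"""Hunt for renamed rundll32.exe copies and ProgramData launches.

Added example (not from the article or from Elastic's report). Events are
dicts modelled on Sysmon Event ID 1 fields; the samples are constructed.
"""
from pathlib import PureWindowsPath

# Directories where a genuine rundll32.exe is expected to live (lower-case).
EXPECTED_DIRS = {
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
}

# Constructed sample events: one benign, two suspicious.
SAMPLE_EVENTS = [
    {
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "Signed": "true",
    },
    {
        # Renamed rundll32 copy dropped in ProgramData (hypothetical name).
        "Image": "C:\\ProgramData\\winhelper.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "Signed": "true",
    },
    {
        # Signed binary launched from ProgramData (hypothetical name).
        "Image": "C:\\ProgramData\\Updater\\update.exe",
        "OriginalFileName": "update.exe",
        "Signed": "true",
    },
]


def is_renamed_rundll32(event):
    """True when the PE metadata says rundll32 but the name or location does not."""
    original = event.get("OriginalFileName", "").lower()
    if original != "rundll32.exe":
        return False
    path = PureWindowsPath(event["Image"])
    name_mismatch = path.name.lower() != "rundll32.exe"
    dir_mismatch = str(path.parent).lower() not in EXPECTED_DIRS
    return name_mismatch or dir_mismatch


def triage(events):
    """Return (Image, reason) pairs for events that deserve a closer look."""
    findings = []
    for ev in events:
        reasons = []
        if is_renamed_rundll32(ev):
            reasons.append("rundll32 under a different name or outside system directories")
        parent = str(PureWindowsPath(ev["Image"]).parent).lower()
        if parent.startswith("c:\\programdata"):
            reasons.append("executable launched from C:\\ProgramData")
        if reasons:
            # The signature is recorded for context but never clears the alert.
            signed = ev.get("Signed", "false").lower() == "true"
            reasons.append("signed" if signed else "unsigned")
            findings.append((ev["Image"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for image, reason in triage(SAMPLE_EVENTS):
        print(f"{image}: {reason}")
```

Run against the constructed sample, the benign System32 rundll32 produces nothing, while both ProgramData executables are reported; the renamed copy is flagged on two counts. In a real deployment the same two checks map directly onto a SIEM query over the OriginalFileName and Image fields.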
The researchers have shared the technical details about the malware in their post.
Due to the stealthy nature of this malware loader, the exact identity of the threat actors and the malware’s entry points remain unclear.
Nonetheless, given its near-zero detection rate, this campaign is another reason users should remain vigilant about such threats. Organizations need to stay cautious about system security against all external threats through vigilant scanning. Generally, detecting and patching vulnerabilities and securing unprotected endpoints are the key to preventing such risks.