
The new BLISTER malware uses code signing certificates to evade detection


Cybersecurity researchers have disclosed details of a malware campaign that used valid code signing certificates to slip past security defenses and stay under the radar, with the goal of deploying Cobalt Strike and BitRAT payloads on infected systems.

The loader, dubbed "Blister" by Elastic Security researchers, has samples with negligible to zero detections on VirusTotal. At the time of writing, the initial infection vector and the ultimate goal of the intrusion are still unknown.


A notable aspect of the attacks is that they use a valid code signing certificate issued by Sectigo. Signed samples have been observed dating back to September 15, 2021. Elastic said it has contacted the company to have the abused certificate revoked. Revocation alone is not a complete fix: a timestamped Authenticode signature made before the certificate's revocation date can still validate, so defenders should also block the certificate's thumbprint directly rather than rely on Windows' trust verdict.

"Executables with valid code signing certificates are often subject to less scrutiny than unsigned executables," researchers Joe Desimone and Samir Bousseaden say. "Their use allows attackers to stay under the radar and evade detection for a longer period of time."


Blister masquerades as a legitimate library (colorui.dll) and is delivered by a dropper named "dxpo8umrzrr1w6gm.exe." After execution, the loader sleeps for 10 minutes, likely to evade sandbox analysis, before establishing persistence and decrypting the embedded malware payload (such as Cobalt Strike or BitRAT).

"Once decrypted, the embedded payload is loaded into the current process or injected into a newly spawned WerFault.exe [Windows Error Reporting] process," the researchers noted. Additional indicators of compromise (IoCs) for the activity are published in Elastic Security's report.
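The injection target described above suggests a detection angle: genuine Windows Error Reporting launches of WerFault.exe carry a `-p <pid>` argument naming the faulting process and are started either by that process itself or by the WER service host (svchost.exe), whereas a loader that spawns WerFault.exe as a blank injection host typically starts it with no arguments. The following is an added example, not code from Elastic's report or from the original article; it runs a heuristic over Sysmon Event ID 1 (process creation) records. The field names follow Sysmon's schema, and the event records are constructed for the example (the dropper path and the `stage2.exe` parent are hypothetical), not real telemetry.

```python
"""
Added example: flag WerFault.exe launches that do not look like genuine
Windows Error Reporting activity, using Sysmon Event ID 1 fields.
Not part of Elastic's report or the original article.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# The WER service (WerSvc) runs inside svchost.exe and may launch WerFault.exe
# on behalf of a faulting process, so a pid mismatch is expected there.
WER_HOSTS = {"svchost.exe"}


@dataclass
class Finding:
    reason: str
    event: dict


def image_name(path: str) -> str:
    """Return the file name component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_args(command_line: str) -> List[str]:
    """Split a Windows command line into tokens, honoring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def reported_pid(args: List[str]) -> Optional[int]:
    """Return the integer following a '-p' flag, or None if absent."""
    for i, tok in enumerate(args[:-1]):
        if tok.lower() == "-p" and args[i + 1].isdigit():
            return int(args[i + 1])
    return None


def check_werfault_event(event: dict) -> Optional[Finding]:
    """Apply the heuristic to one process-creation record."""
    if image_name(event["Image"]) != "werfault.exe":
        return None
    args = parse_args(event["CommandLine"])[1:]  # drop argv[0]
    if not args:
        return Finding("WerFault.exe started with no arguments", event)
    pid = reported_pid(args)
    if pid is None:
        return Finding("WerFault.exe started without a '-p <pid>' argument", event)
    parent = image_name(event["ParentImage"])
    parent_pid = int(event["ParentProcessId"])
    if parent not in WER_HOSTS and pid != parent_pid:
        return Finding(
            f"'-p {pid}' does not match parent pid {parent_pid} ({parent})", event
        )
    return None


def scan(events: List[dict]) -> List[Finding]:
    """Return findings for every suspicious WerFault.exe launch."""
    return [f for e in events if (f := check_werfault_event(e)) is not None]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {   # genuine crash: the faulting process itself launches WerFault.exe
        "Image": r"C:\Windows\System32\WerFault.exe",
        "CommandLine": r"C:\Windows\system32\WerFault.exe -u -p 4321 -s 1160",
        "ParentImage": r"C:\Program Files\Notepad++\notepad++.exe",
        "ParentProcessId": 4321,
    },
    {   # genuine crash handled by the WER service inside svchost.exe
        "Image": r"C:\Windows\System32\WerFault.exe",
        "CommandLine": r"C:\Windows\system32\WerFault.exe -pss -s 432 -p 4321 -ip 4321",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "ParentProcessId": 812,
    },
    {   # loader-style launch: no arguments, parent is the dropper named in the article
        "Image": r"C:\Windows\System32\WerFault.exe",
        "CommandLine": r'"C:\Windows\System32\WerFault.exe"',
        "ParentImage": r"C:\Users\victim\AppData\Local\Temp\dxpo8umrzrr1w6gm.exe",
        "ParentProcessId": 5555,
    },
    {   # hypothetical spoofed arguments: '-p' names a pid that is not the parent
        "Image": r"C:\Windows\System32\WerFault.exe",
        "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 4321 -s 8",
        "ParentImage": r"C:\Users\victim\AppData\Local\Temp\stage2.exe",
        "ParentProcessId": 7000,
    },
    {   # unrelated process creation, ignored by the check
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentProcessId": 3000,
    },
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.reason} <- parent {finding.event['ParentImage']}")
```

Two caveats when tuning this on real data: other legitimate components can spawn WerFault.exe (for example wermgr.exe), so extend the allow-list from your own baseline rather than from this example, and the heuristic only sees process creation; injection into an already-running, legitimately started WerFault.exe would need image-load or remote-thread telemetry (Sysmon Event ID 7 or 8) instead.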
