Nasty new malware strain creeps quietly past Windows defenses

Malware
(Image credit: solarseven / Shutterstock)

Security researchers have identified a new malware campaign that leverages code signing certificates and other techniques to help it avoid detection by antivirus software.

According to a new blog post from Elastic Security, the cybersecurity firm's researchers identified a cluster of malicious activity after reviewing its threat prevention telemetry.

The cybercriminals behind this new campaign are using valid code signing certificates to sign malware to help them remain under the radar of the security community. However, Elastic Security also discovered a new malware loader used in the campaign that it has named Blister.

Due to the use of valid code signing certificates and other measures taken to avoid detection, the cybercriminals responsible have been running this new campaign for at least three months.

Blister malware

The cybercriminals are using a code signing certificate issued by the digital identity firm Sectigo for a company called Blist LLC which is why Elastic Security gave their malware loader the name Blister. They may also be operating out of Russia as they are using Mail.Ru as their email service.

In addition to using a valid code signing certificate, the cybercriminals also relied on other techniques to remain undetected including embedding the Blister malware into a legitimate library. After being executed with elevated privileges by using the rundll32 command, the malware decodes bootstrapping code that is heavily obfuscated and stored in the resource section. From here, the code remains dormant for ten minutes to evade sandbox analysis.

Once enough time has passed, the malware starts up and begins decrypting embedded payloads that allow it to access a Windows system remotely and move laterally across a victim's network. Blister also achieves persistence on an infected machine by storing a copy in the ProgramData folder as well as another posing as rundll32.exe. To make matters worse, the malware is added to a system's startup location so it launches every time a machine boots.

Elastic Security has notified Sectigo to have Blister's code signing certificate revoked though the firm has also created a Yara rule to help organization's identify the new malware.

In an email to TechRadar Pro, Chief Compliance Officer at Sectigo, Tim Callan provided further details on the matter, saying:

“During the week of December 21, 2021, Sectigo was made aware of a code-signing certificate being used by the threat actor behind the recently discovered BLISTER malware. Upon discovering the issue, Sectigo immediately revoked the compromised certificate.

As one of the longest-standing publicly trusted Certificate Authorities, Sectigo takes careful precautions to ensure that every certificate we issue follows the guidelines set by the CA/Browser forum. Sectigo does not regulate, control, or monitor the business practices of any operator, nor do our services relate in any way whatsoever with the content distributed by a particular operator.” 

We've also featured the best malware removal software, best antivirus and best endpoint protection software

Via Bleeping Computer

TOPICS
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Read more
A computer being guarded by cybersecurity.
Huge cyberattack found hitting vulnerable Microsoft-signed legacy drivers to get past security
A digital representation of a lock
Security experts are being targeted with fake malware discoveries
Mustang Panda
Chinese hackers abuse Microsoft tool to get past antivirus and cause havoc
A white padlock on a dark digital background.
Developers targeted by malicious Microsoft VSCode extensions
A hacker typing on a MacBook laptop with code on the screen.
This devious phishing site repurposes legitimate web elements like CAPTCHA pages for malware distribution
Trojan
Hackers hide malware into website images to go unnoticed
Latest in Security
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Latest in News
Super Mario Odyssey
ChatGPT is the ultimate gaming tool - here's 4 ways you can use AI to help with your next playthrough
Ray-Ban smart glasses with the Cpperni logo, an LED array, and a MacBook Air with M4 next to ecah other.
ICYMI: the week's 7 biggest tech stories from Twitter's massive outage to iRobot's impressive new Roombas
Brad Pitt looks over his right shoulder with 'F1' written behind him
Apple Original Films will take you behind-the-scenes of a racing cockpit in this new thrilling F1 movie trailer
AI writer
Coding AI tells developer to write it himself
Reacher looking down at another character from the Prime Video TV series Reacher
Reacher season 3 becomes Prime Video’s biggest returning show thanks to Hollywood’s biggest heavyweight
Finger Presses Orange Button Domain Name Registration on Black Keyboard Background. Closeup View
I visited the world’s first registered .com domain – and you won’t believe what it’s offering today