New malware strain quietly sneaks past Windows defenses


Security researchers have identified a new malware campaign that abuses valid code signing certificates, among other techniques, to evade detection by antivirus software.

According to a new blog post from Elastic Security, researchers at the cybersecurity company have identified a cluster of malicious activity after examining its threat prevention telemetry.

The cybercriminals behind the campaign sign their malware with valid code signing certificates so that it stays under the radar of the security community. Elastic Security also discovered a previously unknown malware loader used in the campaign, which it named Blister.

Thanks to the valid code signing certificates and other anti-detection measures, the operators have been running this campaign for at least three months without being noticed.

Blister malware

The attackers are using a code signing certificate issued by the digital identity company Sectigo to a company called Blist LLC, which is why Elastic Security named the loader Blister. The certificate's registration details include a Mail.Ru email address, which suggests the operators may be based in Russia.

Beyond the valid code signing certificate, the attackers rely on other techniques to stay undetected, including embedding the Blister loader inside a legitimate library. Once that library is executed with elevated privileges via rundll32, the malware decodes heavily obfuscated bootstrapping code stored in its resource section. That code then sleeps for ten minutes before doing anything else, long enough to outlast the execution window of many automated sandboxes.

Once the delay has elapsed, the loader decrypts its embedded payloads, which give the attackers remote access to the Windows system and let them move laterally across the victim's network. Blister also achieves persistence by storing a copy of itself in the ProgramData folder alongside a second file that masquerades as rundll32.exe, and by adding itself to a startup location so that it launches every time the machine boots.
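The execution and persistence tradecraft described in the two paragraphs above (a look-alike rundll32.exe, a loader DLL dropped under ProgramData and launched through rundll32, and a binary signed under the abused Blist LLC certificate) is exactly what endpoint telemetry can be checked for. The script below is an added example, not Elastic's or the article author's code: it runs simple detection logic over constructed process-creation events. Field names follow Sysmon's naming (Image, CommandLine, ProcessId), but the flat event shape, the inclusion of a Signature field on the process event, the directory lists and every path and DLL name in the sample data are assumptions made for the example; only the "Blist LLC" signer string comes from the article.

```python
"""Flag rundll32 abuse and look-alike binaries in Sysmon-style process events.

Added example, not code from Elastic or the article. The events below are
constructed for illustration; the paths and DLL names are not real indicators.
"""
import ntpath
import re
from typing import Dict, List

# The only legitimate homes of rundll32.exe. A rundll32.exe anywhere else is
# the masquerading copy the article describes.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

# World-writable drop locations a startup-launched loader tends to live in
# (assumed list for the example; extend for your estate).
DROP_DIRS = ("c:\\programdata\\", "c:\\users\\public\\")

# Signer names known to be abused. "Blist LLC" is the certificate holder named
# in the article; in practice this list would come from threat intel.
ABUSED_SIGNERS = {"blist llc"}

# First absolute .dll argument handed to rundll32, quoted or not, before the
# ",ExportName" separator.
DLL_ARG = re.compile(r'"?([a-z]:\\[^",]+?\.dll)"?\s*,', re.IGNORECASE)


def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    signer = event.get("Signature", "").lower()
    reasons: List[str] = []

    if ntpath.basename(image) == "rundll32.exe":
        # Persistence artifact: a file named rundll32.exe outside System32/SysWOW64.
        if ntpath.dirname(image) not in SYSTEM_DIRS:
            reasons.append("rundll32.exe running from outside the Windows system directories")
        # Execution artifact: rundll32 loading a DLL out of a drop directory.
        match = DLL_ARG.search(cmd)
        if match and match.group(1).lower().startswith(DROP_DIRS):
            reasons.append(f"rundll32 loading DLL from drop directory: {match.group(1)}")

    # Signed malware: a valid signature is not a clean bill of health once the
    # signer is known to be abused.
    if signer in ABUSED_SIGNERS:
        reasons.append(f"binary signed by known-abused certificate holder: {event['Signature']}")

    return reasons


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map ProcessId -> reasons for every event that was flagged."""
    flagged: Dict[str, List[str]] = {}
    for event in events:
        reasons = classify_event(event)
        if reasons:
            flagged[event["ProcessId"]] = reasons
    return flagged


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ProcessId": "1001",  # benign: real rundll32 loading a system DLL
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "Signature": "Microsoft Windows"},
    {"ProcessId": "2048",  # look-alike rundll32.exe under ProgramData, abused signer
     "Image": r"C:\ProgramData\Vendor\rundll32.exe",
     "CommandLine": r'"C:\ProgramData\Vendor\rundll32.exe" "C:\ProgramData\Vendor\helper.dll",Start',
     "Signature": "Blist LLC"},
    {"ProcessId": "3072",  # real rundll32, but the DLL comes from ProgramData
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\ProgramData\Vendor\helper.dll,Start",
     "Signature": "Microsoft Windows"},
    {"ProcessId": "4096",  # ordinary-looking binary carrying the abused signature
     "Image": r"C:\Program Files\Vendor\app.exe",
     "CommandLine": r'"C:\Program Files\Vendor\app.exe"',
     "Signature": "Blist LLC"},
]


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid)
        for reason in reasons:
            print("  -", reason)
```

The signer check is the one to keep in mind: the point of the campaign is that the signature is valid, so "Signed: true" on its own should never downgrade an alert. The ten-minute sleep is not modelled here because it leaves no artifact in a single process-creation event; in practice it shows up as a rundll32 process that sits idle well past the point where a legitimate one would have exited.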

Elastic Security notified Sectigo so that Blister's code signing certificate could be revoked, and has also published a YARA rule to help organizations identify the new malware.


Via BleepingComputer

