Stealthy BLISTER Malware Strain Detected on Windows Systems

Security experts detected a malware campaign this week that cloaks malicious components as genuine executable files by using valid code-signing certificates on Windows systems.

One of the payloads detected, named Blister, appears to be a loader for other strains of malware. Blister seems to be a novel cyber threat and has a low detection rate.

The cybercriminals behind the Blister malware are using various techniques to keep a low profile but relying on valid code-signing certificates seems to be the ace up their sleeve.

The Blister threat actors have been running malicious campaigns since Sept. 15 using code-signing certificates that were validated since Aug. 23, according to a security report.

Furthermore, the attackers’ certificate was issued for a company named Blist LLC using an email address registered on Russian email service provider Mail.Ru.

The perpetrators reportedly used a plethora of techniques to mask the attack. One of the most notable ways was to bind Blister to a legitimate library on the system, to keep the detection rate at a minimum.

After the embedding of the malware, attackers would execute it with Administrator privileges using the rundll32 command. This dangerous combo of valid certificates and elevated rights would let malicious components such as Blister slip undetected through defensive systems.

As a next step, the malware starts to decode bootstrapping code from the resource section. It’s worth mentioning that the code is heavily obfuscated and stays dormant for 10 minutes after it’s decoded.

Following the delay, Blister decrypts embedded malware payloads such as BitRat and CobaltStrike, both of which are historically known to help attackers achieve remote access and lateral movement in compromised systems.

Ultimately, the malware achieves persistence on the system by replicating itself into the C:\ProgramData folder and generating a renamed local copy of rundll32.exe. More so, Blister sets itself to launch at login as a child of explorer.exe by creating a link in the current user’s Startup folder.

Relying on valid code-signing certificates to disguise malware as legitimate files is not a new technique. In the past, perpetrators were known to steal certificates from legitimate companies. Nowadays, attackers merely use the details of compromised companies to request valid certificates.