Cybersecurity researchers from Elastic Security uncovered a new malware campaign exploiting valid code signing certificates to evade security defenses and deploy a novel malware loader dubbed Blister. The researchers stated the stealthy campaign leverages the Blister payload to execute second-stage malware payloads in memory and maintain persistence. In addition, the campaign also deploys Cobalt Strike and BitRAT payloads on the targeted networks. The identified malware samples have very low or no detections on VirusTotal.
“In one prevented attack, our malicious behavior prevention triggered multiple high-confidence alerts for Execution via Renamed Signed Binary Proxy, Windows Error Manager/Reporting Masquerading, and Suspicious PowerShell Execution via Windows Scripts. Further, our memory threat prevention identified and stopped BLISTER from injecting its embedded payload to target processes,” the researchers said.
The researchers found that the Blister malware campaign is using a valid code signing certificate issued by Sectigo. Threat actors can either steal legitimate code signing certificates or purchase them from a certificate authority, directly or through front companies. The researchers stated they had notified Sectigo of the malicious activity so that it could take action and revoke the abused certificates.
“Executables with valid code signing certificates are often scrutinized to a lesser degree than unsigned executables. Their use allows attackers to remain under the radar and evade detection for a longer period of time. Once decrypted, the embedded payload is loaded into the current process or injected into a newly spawned WerFault.exe [Windows Error Reporting] process,” the researchers added.
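As an added illustration of the two behaviours the researchers' alerts describe (a signed binary run under a renamed file, and a process masquerading as Windows Error Reporting), the following is example detection logic over constructed process-creation events. It is not Elastic's rule logic or code from the Blister analysis; the field names and the expected WerFault.exe directories are assumptions.

```python
"""Toy detection logic for two behaviours named on the page: execution of a
renamed signed binary, and masquerading as WerFault.exe. The events below are
constructed sample telemetry, not real logs (assumption: fields mirror common
EDR process-creation records)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcessEvent:
    image_path: str      # path the process image was launched from
    original_name: str   # OriginalFilename from the PE version resource
    signer: str          # Authenticode signer subject, "" if unsigned
    parent_image: str    # parent process image path


# Assumption: directories where a genuine WerFault.exe is expected to live.
WER_EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def is_renamed_signed_binary(ev: ProcessEvent) -> bool:
    """Signed PE whose on-disk file name no longer matches its OriginalFilename."""
    if not ev.signer:
        return False
    return PureWindowsPath(ev.image_path).name.lower() != ev.original_name.lower()


def is_werfault_masquerade(ev: ProcessEvent) -> bool:
    """Image name or OriginalFilename claims WerFault.exe, but the binary runs
    from outside the expected system directories."""
    p = PureWindowsPath(ev.image_path)
    claims_wer = "werfault.exe" in {p.name.lower(), ev.original_name.lower()}
    return claims_wer and str(p.parent).lower() not in WER_EXPECTED_DIRS


def classify(events):
    """Return (rule_name, image_path) tuples for every event that trips a rule."""
    alerts = []
    for ev in events:
        if is_renamed_signed_binary(ev):
            alerts.append(("renamed_signed_binary", ev.image_path))
        if is_werfault_masquerade(ev):
            alerts.append(("werfault_masquerade", ev.image_path))
    return alerts


# Constructed sample events: one benign WerFault.exe, one renamed signed copy
# dropped in a user-writable directory, one correctly named signed tool, one unsigned file.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WerFault.exe", "WerFault.exe", "Microsoft Windows", r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(r"C:\Users\Public\update.exe", "WerFault.exe", "Microsoft Windows", r"C:\Users\Public\setup.exe"),
    ProcessEvent(r"C:\Users\Public\colorpick.exe", "colorpick.exe", "Example Signer Ltd", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Temp\notes.exe", "notes.exe", "", r"C:\Windows\explorer.exe"),
]
```

Running `classify(SAMPLE_EVENTS)` flags only the second event, on both rules; a valid signature alone does not clear it.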
Old Malware Variants Resurface
It has become common for malware authors to leverage old malware variants to create new ones. Recently, security experts from Pradeo uncovered a malicious mobile app available for download on Google Play, which more than 500,000 Android users installed. The malicious app, dubbed Color Message, reportedly infects the targeted devices with the Joker malware. The application is suspected to be linked to Russian servers.
The Joker malware, which first surfaced in 2017, is categorized as fleeceware. It has been one of the most common types of Android malware used to carry out billing fraud and spying, and was extensively used to steal SMS messages, contact lists, and device information. Since then, the Joker malware has been prevalent in several cybercriminal activities under various names.