A new malware, dubbed “Blister,” by the Elastic Security team that identified it, is leveraging valid code-signing certificates in Windows systems, to avoid detection by antivirus software. The malware is named after one of its payloads, Blister, which further deploys second-stage payloads.

The threat actors orchestrating the Blister campaigns have been active since 15 September 2021, and have been using code-signing certificates that were validated on 23 August 2021. These certificates were issued by Sectigo to Blist LLC’s mail.ru email address. It is notable that mail.ru is a widely used Russian email service provider.  

The malware masquerades malicious components as genuine executable files, due to which it has a low detection rate. Apart from using code-signing certificates, the threat actors are also leveraging other techniques, such as binding Blister to a legitimate library on the infected system, to stay under the radar. 

Modus Operandi of the Blister Campaign

Threat actors are known to use code-signing to circumvent basic static security checks to compromise the victim systems. The Blister malware is no different in that it uses a Sectigo issued certificate to make the loader malware program look genuine to security products. It then deploys a Remote Access Trojan (RAT) on the target system to gain unauthorized access. 

A .dll file is used as a second stage payload to execute the encoded RAT/ CobaltStrike beacon. Since the .dll file has no malicious traces there have been very few detections on VirusTotal. However, the loader uses Rundll32.exe to execute the LaunchColorCpl function exported by the malicious .dll file. 

Leveraging Code-Signing Certificates to Avoid Detection

• The below image contains the details of the certificate to an entity called “Blist LLC”. It is common  for cybercriminals to either steal code-signing certificates from compromised targets, or to use a front company to obtain the certificate, to sign the malware with.

• Sectigo has since revoked the certificate issued to the binary. 

First Stage of Infection

Overview of the Loader

• The loader writes a malicious .dll file in a directory created inside the user Temp folder. 
• In one of the analysed samples, the malware created a folder named “goalgames” and inside it the loader dumped holorui.dll. 
• The .dll houses the code for deploying the RAT to gain unauthorized access to the infected system.

Step by Step Working of the Loader

• The Win32 API createDirectoryW is used to create a folder called “goalgames” in the path: C:\Users\<user>\AppData\Local\Temp directory. as shown below.

• Before dumping the .dll, the loader sets the working directory to C:\Users\<user>\AppData\Local\Temp\goalgames via Win32 API SetCurrentDirectoryW.

• After setting the working directory, the malware resolves the filename for the .dll file to holorui.dll and stores it in the register RCX, to later pass it to Win32 API CreateFileW.

• The file C:\Users\<user>\AppData\Local\Temp\goalgames\holorui.dll is created using the CreateFileW API. 

• Once the file is created, the malware starts writing the content to the file by iteratively transferring bytes from the .dll payload in the loader. The Win32 API WriteFile is used to write contents into holorui.dll.

• The malicious .dll is embedded in the initialized data segment of the PE executable of the loader and the bytes are transferred into C:\Users\<user>\AppData\Local\Temp\goalgames\holorui.dll.

• Upon closing the handle to the holorui.dll file, written on to the disk in the Temp directory, the malware finishes delivering the second stage payload. Then the file handles are closed by the malware.

• The successful delivery of the malicious .dll can be confirmed by analyzing the interaction of the malware on the system.

• Based on analysing multiple signed loader samples, we have enumerated following distinct directory and payload names used within different samples from the same campaign:
  • C:\Users\<user>\AppData\Local\Temp\goalgames\holorui.dll
  • C:\Users\<user>\AppData\Local\Temp\Framwork\axsssig.dll
  • C:\Users\<user>\AppData\Local\Temp\oarimgamings\holorui.dll
  • C:\Users\<user>\AppData\Local\Temp\guirtsframworks\Pasade.dll

Note: The content inside the .dll is the same despite having different names

Second Stage of Infection

• At the second stage of infection, the loader generates a command line to execute the function LaunchColorCpl exported  from the .dll, via Rundll32.exe on the infected system.

• A new process is created with the above command line to spawn a Rundll32 process via CreateProcessW Win32 API. 

• The newly spawned Rundll32.exe process is listed in the process listing on the infected machine. 

• The final payload is executed by the Rundll32.exe process.  

In the part 2 of this article we will cover the internal working of the .dll payload in detail.

Indicators of Compromise (IoCs)

FileHash-MD5

e6404260b4e42b7aa75bb0a96627ed3a	304921a919ab5228687a4932bb66fab9
db8827d0d7b2addc05719e407216da14	1b33c1f232b2ed68ac108519caa2d35f
755f50457416aeb7fee95a67abfea9fe	1896e6b20128e85a9851b94753eabbdf
6f76505a91c91c29238f0ed70b369417	a91ba8f4a339a98fa94e810831e83d96
5a7dea7aa86ccd600f5a97e3b53f7338	b8c9c560c6970a877a7ad359f37811d7
3efcd76417a185e48da71e22d230c547

FileHash-SHA1

f8fa1ba14df6f8ab2b307ee0ce04054ea9d538c0	77b11cc7fc02f2ece71c380afbed82a39df9b8fa
f534e15bbc104cafab80f954ba30f12de87b0f48	72134bbf433c51d475412d16ff7abb4ce2b08110
d58e06727c551756cbee1fc6539929553a09878b	4800d1f8e6ebc489c6c8a1d3a1f99b8339cf0980
c039362e891b01040c20e75e16b02169c512aebd	21799d1d30344428697f3a186733b283a993ac16
bb69d5da32164813be5af29d31edc951a8f1f088	871e52778597185f98eb0a57127024bcd094cf07
a492b5e329b55d4a0f66217e5352ab56fabacad1

FileHash-SHA256

fe7357d48906b68f094a81d19cc0ff93f56cc40454ac5f00e2e2d9c8ccdbc388	fa885e9ea1293552cb45a89e740426fa9c313225ff77ad1980dfea83b6c4a91c
f5104d0ead2f178711b1e23db3c16846de7d1a3ac04dbe09bacebb847775d76d	ed6910fd51d6373065a2f1d3580ad645f443bf0badc398aa77185324b0284db8
ed241c92f9bc969a160da2c4c0b006581fa54f9615646dd46467d24fe5526c7a	df8142e5cf897af65972041024ebe74c7915df0e18c6364c5fb9b2943426ed1a
d54dfedda0efa36ed445d501845b61ab73c2102786be710ac19f697fc8d4ca5c	d0f934fd5d63a1524616bc13b51ce274539a8ead9b072e7f7fe1a14bb8b927a6
cc31c124fc39025f5c3a410ed4108a56bb7c6e90b5819167a06800d02ef1f028	cb949ebe87c55c0ba6cf0525161e2e6670c1ae186ab83ce46047446e9753a926
ca09d9cd2f3cfcc06b33eff91d55602cb33a66ab3fd4f540b9212fce5ddae54a	c61d2ba1e001c137533cd7fb6b38fe71fee489d61dbcfea45c37c5ec1bcf845c
c0f3b27ae4f7db457a86a38244225cca35aa0960eb6a685ed350e99a36c32b61	bee3210360c5d0939c5d38b7b9f0c232cf9fbf93b46a19e53930a1606bda28a5
ba3a50930e7a144637faf88a98f2990a27532bfd20a93dc160eb2db4fbc17b58	afb77617a4ca637614c429440c78da438e190dd1ca24dc78483aa731d80832c2
af555d61becfcf0c13d4bc8ea7ab97dcdc6591f8c6bb892290898d28ebce1c5d	a486e836026e184f7d3f30eaa4308e2f0c381c070af1f525118a484a987827c1
a34821b50aadee0dd85c382c43f44dae1e5fef0febf2f7aed6abf3f3e21f7994	9bccc1862e3e5a6c89524f2d76144d121d0ee95b1b8ba5d0ffcaa23025318a60
96bf7bd5f405d3b4c9a71bcd1060395f28f2466fdb91cafc6e261a31d41eb37a	9472d4cb393256a62a466f6601014e5cb04a71f115499c320dc615245c7594d4
923b2f90749da76b997e1c7870ae3402aba875fdbdd64f79cbeba2f928884129	8e22cf159345852be585bc5a8e9af476b00bc91cdda98fd6a3244219a90ac9d9
8ae2c205220c95f0f7e1f67030a9027822cc18e941b669e2a52a5dbb5af74bc9	8a414a40419e32282d33af3273ff73a596a7ac8738e9cdca6e7db0e41c1a7658
863228efa55b54a8d03a87bb602a2e418856e0028ae409357454a6303b128224	84a67f191a93ee827c4829498d2cb1d27bdd9e47e136dc6652a5414dab440b74
81edf3a3b295b0189e54f79387e7df61250cc8eab4f1e8f42eb5042102df8f1f	7cd03b30cfeea07b5ea4c8976e6456cb65e09f6b8e7dcc68884379925681b1c4
7b9091c41525f1721b12dcef601117737ea990cee17a8eecf81dcfb25ccb5a8f	6c6f808f9b19e1fab1c1b83dc99386f0ceee8593ddfd461ac047eae812df8733
696f6274af4b9e8db4727269d43c83c350694bd1ef4bd5ccdc0806b1f014568a	56ca9ea3f7870561ed3c6387daf495404ed3827f212472501d2541d5ccf8b941
5651e8a8e6f9c63c4c1162efadfcb4cdd9ad634c5e00a5ab03259fcdeaa225ac	516cac58a6bfec5b9c214b6bba0b724961148199d32fb42c01b12ac31f6a6099
4fe551bcea5e07879ec84a7f1cea1036cfd0a3b03151403542cab6bd8541f8e5	44e5770751679f178f90ef7bd57e8e4ccfb6051767d8e906708c52184bf27f32
3c7480998ade344b74e956f7d3a3f1a989aaf43446163a62f0a8ed34b0c010d0	359ffa33784cb357ddabc42be1dcb9854ddb113fd8d6caf3bf0391380f9d640a
2d049f7658a8dccd930f7010b32ed1bc9a5cc0f8109b511ca2a77a2104301369	294c710f4074b37ade714c83b6b7bf722a46aef61c02ba6543de5d59edc97b60
25a0d6a839c4dc708dcdd1ef9395570cc86d54d4725b7daf56964017f66be3c1	216cb4f2caeaf59f297f72f7f271b084637e5087d59411ac77ddd3b87e7a90aa
1a10a07413115c254cb7a5c4f63ff525e64adfe8bb60acef946bb7656b7a2b3d	17ea84d547e97a030d2b02ac2eaa9763ffb4f96f6c54659533a23e17268aabab
00eb2f75822abeb2e222d007bdec464bfbc3934b8be12983cc898b37c6ace081	0a7778cf6f9a1bd894e89f282f2e40f9d6c9cd4b72be97328e681fe32a1b1a00

Domains

• discountshadesdirect.com
• domain clippershipintl.com
• domain bimelectrical.com

IPv4

• 93.115.18.248
• 188.68.221.203
• 185.170.213.186

Signed loaders

• ed6910fd51d6373065a2f1d3580ad645f443bf0badc398aa77185324b0284db8
• cb949ebe87c55c0ba6cf0525161e2e6670c1ae186ab83ce46047446e9753a926
• 7b9091c41525f1721b12dcef601117737ea990cee17a8eecf81dcfb25ccb5a8f
• 84a67f191a93ee827c4829498d2cb1d27bdd9e47e136dc6652a5414dab440b74
• cc31c124fc39025f5c3a410ed4108a56bb7c6e90b5819167a06800d02ef1f028
• 9472d4cb393256a62a466f6601014e5cb04a71f115499c320dc615245c7594d4
• 4fe551bcea5e07879ec84a7f1cea1036cfd0a3b03151403542cab6bd8541f8e5
• 1a10a07413115c254cb7a5c4f63ff525e64adfe8bb60acef946bb7656b7a2b3d
• 9bccc1862e3e5a6c89524f2d76144d121d0ee95b1b8ba5d0ffcaa23025318a60
• 8a414a40419e32282d33af3273ff73a596a7ac8738e9cdca6e7db0e41c1a7658
• 923b2f90749da76b997e1c7870ae3402aba875fdbdd64f79cbeba2f928884129
• ed241c92f9bc969a160da2c4c0b006581fa54f9615646dd46467d24fe5526c7a
• 294c710f4074b37ade714c83b6b7bf722a46aef61c02ba6543de5d59edc97b60

DLL

• BE7E259D5992180EADFE3F4F3AB1A5DECC6A394DF60C7170550B3D222FCE5F19