🚀 CloudSEK has raised $19M Series B1 Round – Powering the Future of Predictive Cybersecurity
Read More
A new malware, dubbed “Blister,” by the Elastic Security team that identified it, is leveraging valid code-signing certificates in Windows systems, to avoid detection by antivirus software. The malware is named after one of its payloads, Blister, which further deploys second-stage payloads.
The threat actors orchestrating the Blister campaigns have been active since 15 September 2021, and have been using code-signing certificates that were validated on 23 August 2021. These certificates were issued by Sectigo to Blist LLC’s mail.ru email address. It is notable that mail.ru is a widely used Russian email service provider.
The malware masquerades malicious components as genuine executable files, due to which it has a low detection rate. Apart from using code-signing certificates, the threat actors are also leveraging other techniques, such as binding Blister to a legitimate library on the infected system, to stay under the radar.
Modus Operandi of the Blister Campaign
Threat actors are known to use code-signing to circumvent basic static security checks to compromise the victim systems. The Blister malware is no different in that it uses a Sectigo issued certificate to make the loader malware program look genuine to security products. It then deploys a Remote Access Trojan (RAT) on the target system to gain unauthorized access.
A .dll file is used as a second stage payload to execute the encoded RAT/ CobaltStrike beacon. Since the .dll file has no malicious traces there have been very few detections on VirusTotal. However, the loader uses Rundll32.exe to execute the LaunchColorCpl function exported by the malicious .dll file.
Leveraging Code-Signing Certificates to Avoid Detection
- The below image contains the details of the certificate to an entity called “Blist LLC”. It is common for cybercriminals to either steal code-signing certificates from compromised targets, or to use a front company to obtain the certificate, to sign the malware with.
- Sectigo has since revoked the certificate issued to the binary.
First Stage of Infection
Overview of the Loader
- The loader writes a malicious .dll file in a directory created inside the user Temp folder.
- In one of the analysed samples, the malware created a folder named “goalgames” and inside it the loader dumped holorui.dll.
- The .dll houses the code for deploying the RAT to gain unauthorized access to the infected system.
Step by Step Working of the Loader
- The Win32 API createDirectoryW is used to create a folder called “goalgames” in the path: C:\Users\<user>\AppData\Local\Temp directory. as shown below.
- Before dumping the .dll, the loader sets the working directory to C:\Users\<user>\AppData\Local\Temp\goalgames via Win32 API SetCurrentDirectoryW.
- After setting the working directory, the malware resolves the filename for the .dll file to holorui.dll and stores it in the register RCX, to later pass it to Win32 API CreateFileW.
- The file C:\Users\<user>\AppData\Local\Temp\goalgames\holorui.dll is created using the CreateFileW API.
- Once the file is created, the malware starts writing the content to the file by iteratively transferring bytes from the .dll payload in the loader. The Win32 API WriteFile is used to write contents into holorui.dll.
- The malicious .dll is embedded in the initialized data segment of the PE executable of the loader and the bytes are transferred into C:\Users\<user>\AppData\Local\Temp\goalgames\holorui.dll.
- Upon closing the handle to the holorui.dll file, written on to the disk in the Temp directory, the malware finishes delivering the second stage payload. Then the file handles are closed by the malware.
- The successful delivery of the malicious .dll can be confirmed by analyzing the interaction of the malware on the system.
- Based on analysing multiple signed loader samples, we have enumerated following distinct directory and payload names used within different samples from the same campaign:
- C:\Users\<user>\AppData\Local\Temp\goalgames\holorui.dll
- C:\Users\<user>\AppData\Local\Temp\Framwork\axsssig.dll
- C:\Users\<user>\AppData\Local\Temp\oarimgamings\holorui.dll
- C:\Users\<user>\AppData\Local\Temp\guirtsframworks\Pasade.dll
Note: The content inside the .dll is the same despite having different names
Second Stage of Infection
- At the second stage of infection, the loader generates a command line to execute the function LaunchColorCpl exported from the .dll, via Rundll32.exe on the infected system.
- A new process is created with the above command line to spawn a Rundll32 process via CreateProcessW Win32 API.
- The newly spawned Rundll32.exe process is listed in the process listing on the infected machine.
- The final payload is executed by the Rundll32.exe process.
In the part 2 of this article we will cover the internal working of the .dll payload in detail.
Indicators of Compromise (IoCs)
FileHash-MD5
| e6404260b4e42b7aa75bb0a96627ed3a | 304921a919ab5228687a4932bb66fab9 |
| db8827d0d7b2addc05719e407216da14 | 1b33c1f232b2ed68ac108519caa2d35f |
| 755f50457416aeb7fee95a67abfea9fe | 1896e6b20128e85a9851b94753eabbdf |
| 6f76505a91c91c29238f0ed70b369417 | a91ba8f4a339a98fa94e810831e83d96 |
| 5a7dea7aa86ccd600f5a97e3b53f7338 | b8c9c560c6970a877a7ad359f37811d7 |
| 3efcd76417a185e48da71e22d230c547 |
FileHash-SHA1
FileHash-SHA256
| fe7357d48906b68f094a81d19cc0ff93f56cc40454ac5f00e2e2d9c8ccdbc388 | fa885e9ea1293552cb45a89e740426fa9c313225ff77ad1980dfea83b6c4a91c |
| f5104d0ead2f178711b1e23db3c16846de7d1a3ac04dbe09bacebb847775d76d | ed6910fd51d6373065a2f1d3580ad645f443bf0badc398aa77185324b0284db8 |
| ed241c92f9bc969a160da2c4c0b006581fa54f9615646dd46467d24fe5526c7a | df8142e5cf897af65972041024ebe74c7915df0e18c6364c5fb9b2943426ed1a |
| d54dfedda0efa36ed445d501845b61ab73c2102786be710ac19f697fc8d4ca5c | d0f934fd5d63a1524616bc13b51ce274539a8ead9b072e7f7fe1a14bb8b927a6 |
| cc31c124fc39025f5c3a410ed4108a56bb7c6e90b5819167a06800d02ef1f028 | cb949ebe87c55c0ba6cf0525161e2e6670c1ae186ab83ce46047446e9753a926 |
| ca09d9cd2f3cfcc06b33eff91d55602cb33a66ab3fd4f540b9212fce5ddae54a | c61d2ba1e001c137533cd7fb6b38fe71fee489d61dbcfea45c37c5ec1bcf845c |
| c0f3b27ae4f7db457a86a38244225cca35aa0960eb6a685ed350e99a36c32b61 | bee3210360c5d0939c5d38b7b9f0c232cf9fbf93b46a19e53930a1606bda28a5 |
| ba3a50930e7a144637faf88a98f2990a27532bfd20a93dc160eb2db4fbc17b58 | afb77617a4ca637614c429440c78da438e190dd1ca24dc78483aa731d80832c2 |
| af555d61becfcf0c13d4bc8ea7ab97dcdc6591f8c6bb892290898d28ebce1c5d | a486e836026e184f7d3f30eaa4308e2f0c381c070af1f525118a484a987827c1 |
| a34821b50aadee0dd85c382c43f44dae1e5fef0febf2f7aed6abf3f3e21f7994 | 9bccc1862e3e5a6c89524f2d76144d121d0ee95b1b8ba5d0ffcaa23025318a60 |
| 96bf7bd5f405d3b4c9a71bcd1060395f28f2466fdb91cafc6e261a31d41eb37a | 9472d4cb393256a62a466f6601014e5cb04a71f115499c320dc615245c7594d4 |
| 923b2f90749da76b997e1c7870ae3402aba875fdbdd64f79cbeba2f928884129 | 8e22cf159345852be585bc5a8e9af476b00bc91cdda98fd6a3244219a90ac9d9 |
| 8ae2c205220c95f0f7e1f67030a9027822cc18e941b669e2a52a5dbb5af74bc9 | 8a414a40419e32282d33af3273ff73a596a7ac8738e9cdca6e7db0e41c1a7658 |
| 863228efa55b54a8d03a87bb602a2e418856e0028ae409357454a6303b128224 | 84a67f191a93ee827c4829498d2cb1d27bdd9e47e136dc6652a5414dab440b74 |
| 81edf3a3b295b0189e54f79387e7df61250cc8eab4f1e8f42eb5042102df8f1f | 7cd03b30cfeea07b5ea4c8976e6456cb65e09f6b8e7dcc68884379925681b1c4 |
| 7b9091c41525f1721b12dcef601117737ea990cee17a8eecf81dcfb25ccb5a8f | 6c6f808f9b19e1fab1c1b83dc99386f0ceee8593ddfd461ac047eae812df8733 |
| 696f6274af4b9e8db4727269d43c83c350694bd1ef4bd5ccdc0806b1f014568a | 56ca9ea3f7870561ed3c6387daf495404ed3827f212472501d2541d5ccf8b941 |
| 5651e8a8e6f9c63c4c1162efadfcb4cdd9ad634c5e00a5ab03259fcdeaa225ac | 516cac58a6bfec5b9c214b6bba0b724961148199d32fb42c01b12ac31f6a6099 |
| 4fe551bcea5e07879ec84a7f1cea1036cfd0a3b03151403542cab6bd8541f8e5 | 44e5770751679f178f90ef7bd57e8e4ccfb6051767d8e906708c52184bf27f32 |
| 3c7480998ade344b74e956f7d3a3f1a989aaf43446163a62f0a8ed34b0c010d0 | 359ffa33784cb357ddabc42be1dcb9854ddb113fd8d6caf3bf0391380f9d640a |
| 2d049f7658a8dccd930f7010b32ed1bc9a5cc0f8109b511ca2a77a2104301369 | 294c710f4074b37ade714c83b6b7bf722a46aef61c02ba6543de5d59edc97b60 |
| 25a0d6a839c4dc708dcdd1ef9395570cc86d54d4725b7daf56964017f66be3c1 | 216cb4f2caeaf59f297f72f7f271b084637e5087d59411ac77ddd3b87e7a90aa |
| 1a10a07413115c254cb7a5c4f63ff525e64adfe8bb60acef946bb7656b7a2b3d | 17ea84d547e97a030d2b02ac2eaa9763ffb4f96f6c54659533a23e17268aabab |
| 00eb2f75822abeb2e222d007bdec464bfbc3934b8be12983cc898b37c6ace081 | 0a7778cf6f9a1bd894e89f282f2e40f9d6c9cd4b72be97328e681fe32a1b1a00 |
Domains
- discountshadesdirect.com
- domain clippershipintl.com
- domain bimelectrical.com
IPv4
- 93.115.18.248
- 188.68.221.203
- 185.170.213.186
Signed loaders
- ed6910fd51d6373065a2f1d3580ad645f443bf0badc398aa77185324b0284db8
- cb949ebe87c55c0ba6cf0525161e2e6670c1ae186ab83ce46047446e9753a926
- 7b9091c41525f1721b12dcef601117737ea990cee17a8eecf81dcfb25ccb5a8f
- 84a67f191a93ee827c4829498d2cb1d27bdd9e47e136dc6652a5414dab440b74
- cc31c124fc39025f5c3a410ed4108a56bb7c6e90b5819167a06800d02ef1f028
- 9472d4cb393256a62a466f6601014e5cb04a71f115499c320dc615245c7594d4
- 4fe551bcea5e07879ec84a7f1cea1036cfd0a3b03151403542cab6bd8541f8e5
- 1a10a07413115c254cb7a5c4f63ff525e64adfe8bb60acef946bb7656b7a2b3d
- 9bccc1862e3e5a6c89524f2d76144d121d0ee95b1b8ba5d0ffcaa23025318a60
- 8a414a40419e32282d33af3273ff73a596a7ac8738e9cdca6e7db0e41c1a7658
- 923b2f90749da76b997e1c7870ae3402aba875fdbdd64f79cbeba2f928884129
- ed241c92f9bc969a160da2c4c0b006581fa54f9615646dd46467d24fe5526c7a
- 294c710f4074b37ade714c83b6b7bf722a46aef61c02ba6543de5d59edc97b60
DLL
- BE7E259D5992180EADFE3F4F3AB1A5DECC6A394DF60C7170550B3D222FCE5F19