According to researchers, an evasive malware loader abuses valid code-signing certificates to slip past security controls and deploy Cobalt Strike and BitRAT payloads on compromised systems.
Elastic Security experts have dubbed the binary “Blister,” with malware samples that have zero to negligible detections on VirusTotal. At the time of writing, the infection vector, as well as the ultimate objectives of the intrusion, are unknown.
One remarkable aspect of the attacks is that they rely on a valid code-signing certificate issued by Sectigo. Malware samples signed with this certificate have been observed dating back to September 15, 2021. According to Elastic, it reached out to Sectigo to ensure the abused certificates were revoked.
“Code signed executables are often scrutinized less than unsigned executables,” Joe Desimone and Samir Bousseaden said. “By using these tools, attackers can evade detection for longer periods of time and remain unseen.”
This malware masquerades as a legitimate library called “colorui.dll” and is distributed via a dropper known as “dxpo8umrzrr1w6gm.exe.” After being executed, the loader sleeps for 10 minutes, probably to evade sandbox analysis, before establishing persistence and decrypting an embedded malware payload such as Cobalt Strike.
The researchers noted that, once decrypted, the embedded payload is loaded into the current process or is injected into a newly spawned WerFault.exe [Windows Error Reporting] process.
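As an added illustration (not code from Elastic or from this article), the following detection pass runs over constructed process-creation events and flags the three observable traits described above: WerFault.exe spawned by a parent outside the Windows directory, a signed binary whose certificate has since been revoked, and colorui.dll loaded from outside the system directories. The event fields, file paths, signer names and the "parent outside Windows" heuristic are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where the legitimate WerFault.exe and colorui.dll live (assumption).
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

@dataclass
class ProcessEvent:
    image: str                 # full path of the created process
    parent_image: str          # full path of its parent process
    signer: str = ""           # signer name from the Authenticode check; "" = unsigned
    cert_revoked: bool = False # revocation status reported by the trust check
    loaded_modules: tuple = () # full paths of DLLs the process loaded

def _in_system_dir(path: str) -> bool:
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS

def evaluate(ev: ProcessEvent) -> list[str]:
    findings: list[str] = []
    name = PureWindowsPath(ev.image).name.lower()
    # Rule 1: WerFault.exe normally comes from the WER service or a faulting process
    # under the Windows directory; a parent elsewhere matches the injection pattern.
    if name == "werfault.exe" and not _in_system_dir(ev.parent_image):
        findings.append(f"werfault_unusual_parent:{ev.parent_image}")
    # Rule 2: a signature that chains correctly but whose certificate was revoked.
    # Signed is not the same as trusted; revocation must be checked.
    if ev.signer and ev.cert_revoked:
        findings.append(f"revoked_signer:{ev.signer}")
    # Rule 3: a DLL named colorui.dll that is not the system copy.
    for mod in ev.loaded_modules:
        if PureWindowsPath(mod).name.lower() == "colorui.dll" and not _in_system_dir(mod):
            findings.append(f"colorui_outside_system_dir:{mod}")
    return findings

def scan(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Return (image, findings) for every event that triggered at least one rule."""
    return [(ev.image, evaluate(ev)) for ev in events if evaluate(ev)]

# Constructed sample telemetry: one benign crash report, one dropper, one injection target.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WerFault.exe", r"C:\Windows\System32\svchost.exe",
                 signer="Microsoft Windows"),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\dxpo8umrzrr1w6gm.exe",
                 r"C:\Windows\explorer.exe", signer="Sectigo-issued (constructed)",
                 cert_revoked=True,
                 loaded_modules=(r"C:\Users\alice\AppData\Local\Temp\colorui.dll",)),
    ProcessEvent(r"C:\Windows\System32\WerFault.exe",
                 r"C:\Users\alice\AppData\Local\Temp\dxpo8umrzrr1w6gm.exe"),
]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(image, "->", ", ".join(findings))
```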