According to researchers, an evasive malware loader abuses valid code-signing certificates to slip past security controls and deploy Cobalt Strike and BitRAT payloads on compromised systems.
Elastic Security experts have dubbed the binary “Blister,” with malware samples that have zero to negligible detections on VirusTotal. At the time of writing, the infection vector, as well as the ultimate objectives of the intrusion, are unknown.
One remarkable aspect of the attacks is that they rely on a valid code-signing certificate issued by Sectigo. Samples signed with that certificate have been observed dating back to September 15, 2021. Elastic said it reached out to Sectigo to have the abused certificates revoked.
“Code signed executables are often scrutinized less than unsigned executables,” Joe Desimone and Samir Bousseaden said. “By using these tools, attackers can evade detection for longer periods of time and remain unseen.”
The malware masquerades as a legitimate library named “colorui.dll” and is distributed by a dropper named “dxpo8umrzrr1w6gm.exe.” Once executed, the loader sleeps for 10 minutes, probably to outlast sandbox analysis, before establishing persistence and decrypting an embedded payload such as Cobalt Strike.
The researchers noted that, once decrypted, the embedded payload is loaded into the current process or is injected into a newly spawned WerFault.exe [Windows Error Reporting] process.
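The WerFault.exe injection step is the most concrete detection opportunity the write-up gives a defender: Windows Error Reporting spawns WerFault.exe in a predictable way, so a WerFault.exe launch that does not look like a crash report is worth a look. The script below is an added example, not code from Elastic or from the Blister analysis; it runs a simple hunt over constructed, Sysmon-style process-creation records. The two heuristics it applies (a genuine WER launch carries a `-p <faulting pid>` argument, and WerFault.exe is not normally started by a binary living under a user-writable path such as `C:\Users` or `C:\ProgramData`) are this example's assumptions about normal WER behaviour, not findings from the page, and will need tuning against real telemetry.

```python
"""Hunt for WerFault.exe launches that do not resemble a Windows Error Reporting crash handler.

Added example: the log format and the heuristics are assumptions, not Elastic's detection logic.
"""
import re
from dataclasses import dataclass

# Constructed Sysmon-style process-creation records (key=value fields separated by '|').
# These are sample lines written for this example, not captured telemetry.
SAMPLE_EVENTS = [
    # Normal WER launch: WerSvc (svchost.exe) starts WerFault.exe with the faulting PID.
    "Image=C:\\Windows\\System32\\WerFault.exe"
    "|CommandLine=C:\\Windows\\System32\\WerFault.exe -u -p 4120 -s 1872"
    "|ParentImage=C:\\Windows\\System32\\svchost.exe|User=NT AUTHORITY\\SYSTEM",
    # Also plausible: a crashing application under Program Files starts its own reporter.
    "Image=C:\\Windows\\System32\\WerFault.exe"
    "|CommandLine=C:\\Windows\\System32\\WerFault.exe -u -p 5520 -ip 5520"
    "|ParentImage=C:\\Program Files\\Vendor\\app.exe|User=CORP\\alice",
    # Suspicious: WerFault.exe with no crash arguments, spawned by the dropper named in the article
    # (path under the user's Temp directory is constructed for this example).
    "Image=C:\\Windows\\System32\\WerFault.exe"
    "|CommandLine=C:\\Windows\\System32\\WerFault.exe"
    "|ParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\dxpo8umrzrr1w6gm.exe|User=CORP\\alice",
    # Unrelated process, should be ignored entirely.
    "Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|User=CORP\\alice",
]

# Assumption: parents launched from these roots are user-writable and should not be starting WER.
USER_WRITABLE_ROOT = re.compile(r"^c:\\(users|programdata)\\", re.IGNORECASE)


@dataclass
class ProcEvent:
    image: str
    command_line: str
    parent_image: str
    user: str


def parse_event(line: str) -> ProcEvent:
    """Parse one 'Key=Value|Key=Value' record into a ProcEvent."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcEvent(
        image=fields["Image"],
        command_line=fields["CommandLine"],
        parent_image=fields["ParentImage"],
        user=fields["User"],
    )


def assess(ev: ProcEvent) -> list[str]:
    """Return the reasons a WerFault.exe launch looks abnormal (empty list means nothing flagged)."""
    if ev.image.lower().rsplit("\\", 1)[-1] != "werfault.exe":
        return []
    reasons = []
    # Assumption: a real crash report always passes the faulting process id via '-p <pid>'.
    if " -p " not in ev.command_line.lower():
        reasons.append("no faulting-process (-p) argument on command line")
    # Assumption: legitimate WER parents are system binaries or installed applications,
    # not executables dropped into user-writable directories.
    if USER_WRITABLE_ROOT.match(ev.parent_image):
        reasons.append("parent executable runs from a user-writable path")
    return reasons


def hunt(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Run the heuristics over every record; yield (parent image, reasons) for each hit."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reasons = assess(ev)
        if reasons:
            findings.append((ev.parent_image, reasons))
    return findings


if __name__ == "__main__":
    for parent, reasons in hunt(SAMPLE_EVENTS):
        print(f"suspicious WerFault.exe launch from {parent}: {'; '.join(reasons)}")
```

Only the third record is flagged, and on both counts. In a real deployment the process-creation event should be joined with a follow-on signal (for instance a subsequent remote-thread or memory-write event from the parent into the new WerFault.exe process) before it is escalated, since a lone unusual parent is only a lead.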