Elastic Security uncovers BLISTER malware campaign


Key takeaways:

  • Elastic Security uncovered a stealthy malware campaign that leverages a valid code signing certificate to evade detection
  • A novel malware loader, BLISTER, was used to execute second-stage malware payloads in memory and maintain persistence
  • The identified malware samples have very low or no detections on VirusTotal
  • Elastic provided layered prevention coverage against this threat out of the box

Overview


The Elastic Security team identified a noteworthy cluster of malicious activity after reviewing our threat prevention telemetry. A valid code signing certificate is used to sign malware to help the attackers remain under the radar of the security community. We also discovered a novel malware loader used in the campaign, which we’ve named BLISTER. The majority of the malware samples observed have very low, or no, detections in VirusTotal. The infection vector and goals of the attackers remain unknown at this time.

Elastic’s layered approach to preventing attacks protects from this and similar threats.

In one prevented attack, our malicious behavior prevention triggered multiple high-confidence alerts for Execution via Renamed Signed Binary Proxy, Windows Error Manager/Reporting Masquerading, and Suspicious PowerShell Execution via Windows Scripts. Further, our memory threat prevention identified and stopped BLISTER from injecting its embedded payload to target processes.

Finally, we have additional coverage from our open source detection engine rules [1] [2]. To ensure coverage for the entire community, we are including YARA rules and IoCs to help defenders identify impacted systems.

Details

Certificate abuse

A key aspect of this campaign is the use of a valid code signing certificate issued by Sectigo. Adversaries can either steal legitimate code-signing certificates or purchase them from a certificate authority directly or through front companies. Executables with valid code signing certificates are often scrutinized to a lesser degree than unsigned executables. Their use allows attackers to remain under the radar and evade detection for a longer period of time.

We responsibly disclosed the activity to Sectigo so they could take action and revoke the abused certificate. Details of the abused certificate are shown below. We have observed malware signed with this certificate as early as September 15, 2021.

Issuer: Sectigo Public Code Signing CA R36
Issued to: Blist LLC
Serial number: 2f4a25d52b16eb4c9dfe71ebbd8121bb
Valid from: Monday, August 23, 2021 4:00:00 PM
Valid to: Wednesday, August 24, 2022 3:59:59 PM

BLISTER malware loader

Another interesting aspect of this campaign is what appears to be a novel malware loader with limited detections in VirusTotal. We refer to it as the BLISTER loader. The loader is spliced into legitimate libraries such as colorui.dll, likely to ensure the majority of the on-disk footprint has known-good code and metadata. The loader can be initially written to disk from simple dropper executables. One such dropper writes a signed BLISTER loader to %temp%\Framwork\axsssig.dll and executes it with rundll32. LaunchColorCpl is a common DLL export and entry point name used by BLISTER as seen in the command line parameters:
Rundll32.exe C:\Users\user\AppData\Local\Temp\Framwork\axsssig.dll,LaunchColorCpl

Once executed, BLISTER decodes bootstrapping code stored in its resource section with a simple 4-byte XOR routine.
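As an added example (not Elastic's code and not BLISTER's own routine), the decode step in Python: a repeating 4-byte XOR over the resource bytes, plus known-plaintext recovery of the key, which is how an analyst pulls the key out of a sample without reversing the routine. The key, the sample buffer and the assumed shellcode prologue are constructed for illustration.

```python
"""Added example (not Elastic's code, not BLISTER's own routine): decode a
resource blob protected with a repeating 4-byte XOR key, as the post describes
for BLISTER's bootstrap code, and recover that key from known plaintext.
KEY, SAMPLE_PLAIN and the assumed shellcode prologue are constructed."""
from itertools import cycle


def xor4_decode(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the 4-byte key, repeating the key.
    XOR is its own inverse, so the same call encodes and decodes."""
    if len(key) != 4:
        raise ValueError("expected a 4-byte key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_xor4_key(encoded: bytes, known: bytes, offset: int = 0) -> bytes:
    """Recover a repeating 4-byte key from at least 4 bytes of plaintext that
    are known to sit at `offset` in the encoded buffer. The key byte used at
    position p is key[p % 4], so the known bytes need not be 4-aligned."""
    if len(known) < 4:
        raise ValueError("need at least 4 known plaintext bytes")
    key = [0] * 4
    for i in range(4):
        key[(offset + i) % 4] = encoded[offset + i] ^ known[i]
    return bytes(key)


# Constructed 4-byte key and a constructed stand-in for bootstrap shellcode.
# Assumption: position-independent code often opens with a get-PC idiom
# ("call $+5; pop rbx; sub rbx, 5"), which gives 5 bytes of known plaintext.
KEY = bytes.fromhex("1337c0de")
PROLOGUE = bytes.fromhex("e800000000")            # call $+5
SAMPLE_PLAIN = PROLOGUE + bytes.fromhex("5b4883eb05") + b"constructed bootstrap bytes"
SAMPLE_ENCODED = xor4_decode(SAMPLE_PLAIN, KEY)    # what would sit in the resource


def decode_with_known_prologue(encoded: bytes, prologue: bytes = PROLOGUE) -> bytes:
    """Analyst workflow: derive the key from the expected prologue, decode,
    and sanity-check that the result really starts with that prologue."""
    key = recover_xor4_key(encoded, prologue)
    plain = xor4_decode(encoded, key)
    if not plain.startswith(prologue):
        raise ValueError("decoded data does not start with the expected prologue")
    return plain


if __name__ == "__main__":
    print("recovered key:", recover_xor4_key(SAMPLE_ENCODED, PROLOGUE).hex())
    print("decoded head:", decode_with_known_prologue(SAMPLE_ENCODED)[:16].hex())
```

The prologue check matters in practice: with only 4 known bytes every candidate key "works" on those 4 bytes, so you need at least one extra known byte (or a later structure check) to confirm the recovered key before trusting the rest of the decoded buffer.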

The bootstrapping code is heavily obfuscated and initially sleeps for 10 minutes. This is likely an attempt to evade sandbox analysis. After the delay, it decrypts the embedded malware payload. We have observed CobaltStrike and BitRat as embedded malware payloads. Once decrypted, the embedded payload is loaded into the current process or injected into a newly spawned WerFault.exe process.

Finally, BLISTER establishes persistence by copying itself to the C:\ProgramData folder, along with a re-named local copy of rundll32.exe. A link is created in the current user’s Startup folder to launch the malware at logon as a child of explorer.exe.

YARA

We have created a YARA rule to identify this BLISTER activity:

rule Windows_Trojan_Blister {
    meta:
        author = "Elastic Security"
        creation_date = "2021-12-20"
        last_modified = "2021-12-20"
        os = "Windows"
        category_type = "Trojan"
        family = "Blister"
        threat_name = "Windows.Trojan.Blister"
        reference_sample = "0a7778cf6f9a1bd894e89f282f2e40f9d6c9cd4b72be97328e681fe32a1b1a00"

    strings:
        // code byte sequences from the loader
        $a1 = {8D 45 DC 89 5D EC 50 6A 04 8D 45 F0 50 8D 45 EC 50 6A FF FF D7}
        $a2 = {75 F7 39 4D FC 0F 85 F3 00 00 00 64 A1 30 00 00 00 53 57 89 75}

    condition:
        any of them
}

Defensive recommendations

Elastic Endpoint Alerts

Elastic Endpoint Security provides deep coverage for this threat by stopping the in-memory thread execution and preventing malicious behaviors.

Memory Threat Detection Alert: Shellcode Injection

Malicious Behavior Detection Alert: Execution via Renamed Signed Binary Proxy

Hunting queries

These queries can be used in Kibana's Security -> Timelines -> Create new timeline -> Correlation query editor. While these queries will identify this intrusion set, they can also identify other events of note that, once investigated, could lead to other malicious activities.

Proxy Execution via Renamed Rundll32

Hunt for renamed instances of rundll32.exe
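The hunts described above, together with the loader behaviours from the Details section (rundll32 loading a DLL from the user's Temp folder, a ProgramData copy launched by explorer.exe at logon, and WerFault.exe spawned by that copy), as added example code that is not Elastic's and not the timeline queries from the post: the same checks written in Python over a handful of constructed ECS-style process-start events, so the logic can be exercised offline before being turned into a Kibana correlation query. Field names follow ECS (process.pe.original_file_name, process.parent.executable, and so on); the events, file names and parent process names are constructed, except event 2, which reuses the command line quoted in the post.

```python
"""Added example (not Elastic's code, not the post's timeline queries): the
hunts the post describes, run over constructed ECS-style process-start events.
Events, file names and parent process names are constructed; event 2 reuses
the command line quoted in the post."""
from typing import Any, Callable, Dict, List, Tuple

Event = Dict[str, Any]

TEMP_MARK = "\\appdata\\local\\temp\\"
PROGRAMDATA = "c:\\programdata\\"


def _s(ev: Event, key: str) -> str:
    """String field or empty string (ECS keys are flattened here for brevity)."""
    return str(ev.get(key, ""))


def dll_and_export(args: List[str]) -> Tuple[str, str]:
    """Split rundll32's 'C:\\path\\x.dll,Export' argument into (path, export)."""
    for arg in args[1:]:
        if "," in arg:
            path, export = arg.rsplit(",", 1)
            return path, export
    return "", ""


def renamed_rundll32(ev: Event) -> bool:
    """PE version info says RUNDLL32.EXE but the on-disk file name differs."""
    return (_s(ev, "process.pe.original_file_name").upper() == "RUNDLL32.EXE"
            and _s(ev, "process.name").lower() != "rundll32.exe")


def rundll32_dll_from_user_temp(ev: Event) -> bool:
    """rundll32 (renamed or not) loading a DLL export from %temp%."""
    if _s(ev, "process.pe.original_file_name").upper() != "RUNDLL32.EXE":
        return False
    path, _export = dll_and_export(ev.get("process.args", []))
    return TEMP_MARK in path.lower()


def programdata_binary_from_explorer(ev: Event) -> bool:
    """A binary under C:\\ProgramData started by explorer.exe (logon/Startup)."""
    return (_s(ev, "process.executable").lower().startswith(PROGRAMDATA)
            and _s(ev, "process.parent.name").lower() == "explorer.exe")


def werfault_from_suspicious_parent(ev: Event) -> bool:
    """WerFault.exe whose parent lives in ProgramData or %temp% (injection target)."""
    parent = _s(ev, "process.parent.executable").lower()
    return (_s(ev, "process.name").lower() == "werfault.exe"
            and (parent.startswith(PROGRAMDATA) or TEMP_MARK in parent))


RULES: Dict[str, Callable[[Event], bool]] = {
    "renamed_rundll32": renamed_rundll32,
    "rundll32_dll_from_user_temp": rundll32_dll_from_user_temp,
    "programdata_binary_from_explorer": programdata_binary_from_explorer,
    "werfault_from_suspicious_parent": werfault_from_suspicious_parent,
}


def hunt(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, event.id) for every rule that fires on every event."""
    return [(name, ev["event.id"]) for ev in events
            for name, check in RULES.items() if check(ev)]


def _ev(eid, name, orig, exe, args, pname, pexe) -> Event:
    return {"event.id": eid, "process.name": name,
            "process.pe.original_file_name": orig, "process.executable": exe,
            "process.args": args, "process.parent.name": pname,
            "process.parent.executable": pexe}


SAMPLE_EVENTS: List[Event] = [
    # 1: benign control-panel launch (constructed)
    _ev("1", "rundll32.exe", "RUNDLL32.EXE", r"C:\Windows\System32\rundll32.exe",
        ["rundll32.exe", r"C:\Windows\System32\shell32.dll,Control_RunDLL"],
        "explorer.exe", r"C:\Windows\explorer.exe"),
    # 2: the dropper command line quoted in the post (parent name constructed)
    _ev("2", "rundll32.exe", "RUNDLL32.EXE", r"C:\Windows\System32\rundll32.exe",
        ["Rundll32.exe", r"C:\Users\user\AppData\Local\Temp\Framwork\axsssig.dll,LaunchColorCpl"],
        "dropper.exe", r"C:\Users\user\Downloads\dropper.exe"),
    # 3: renamed rundll32 copy in ProgramData launched at logon (constructed names)
    _ev("3", "sample_host.exe", "RUNDLL32.EXE", r"C:\ProgramData\Sample\sample_host.exe",
        ["sample_host.exe", r"C:\ProgramData\Sample\sample.dll,LaunchColorCpl"],
        "explorer.exe", r"C:\Windows\explorer.exe"),
    # 4: WerFault.exe spawned by that copy as an injection target (constructed)
    _ev("4", "WerFault.exe", "WerFault.exe", r"C:\Windows\System32\WerFault.exe",
        ["WerFault.exe"], "sample_host.exe", r"C:\ProgramData\Sample\sample_host.exe"),
    # 5: ordinary crash report, no hit (constructed)
    _ev("5", "WerFault.exe", "WerFault.exe", r"C:\Windows\System32\WerFault.exe",
        ["WerFault.exe", "-u", "-p", "4242", "-s", "1234"],
        "svchost.exe", r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for rule, eid in hunt(SAMPLE_EVENTS):
        print(f"{rule:34} event {eid}")
```

The renamed-rundll32 check is the highest-signal of the four, since there is no legitimate reason for a binary with RUNDLL32.EXE version metadata to run under another name; the WerFault and ProgramData checks are heuristics derived from the behaviour the post describes and will need tuning against your own baseline of Startup-folder launches and crash reporting.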
