According to researchers, evasive malware leverages valid code signing certificates to evade security measures and deploy Cobalt Strike and BitRAT payloads through compromised systems.
Elastic Security experts have dubbed the binary “Blister,” with malware samples that have zero to negligible detections on VirusTotal. At the time of writing, the infection vector as well as the ultimate goals of the intrusion are unknown.
A notable aspect of the attacks is that they rely on a valid code signing certificate issued by Sectigo. The malware was observed to be signed by the certificate in question dated September 15, 2021. The company said that Elastic contacted it to ensure that the abused certificates were revoked.
“Code-signed executables are often less scrutinized than unsigned executables,” said Joe Desimone and Samir Bousseaden. By using these tools, attackers can evade detection for longer periods of time and remain invisible.
This malware masquerades as a legitimate library called “colorui.dll” and is distributed via a dropper called “dxpo8umrzrr1w6gm.exe”. After running, the loader sleeps for 10 minutes, presumably to escape sandbox scanning, before establishing persistence and decrypting an embedded malware payload such as Cobalt Strike.
The researchers noted that once decrypted, the embedded payload is loaded into the running process or injected into a new WerFault.exe (Windows Error Reporting) process.