June 7, 2023

Researchers have disclosed details of an evasive malware campaign dubbed Blister that makes use of valid code signing certificates to sneak past security defenses and stay under the radar with the goal of deploying Cobalt Strike and BitRAT payloads on compromised systems.


A notable aspect of the attacks is that they leverage a valid code signing certificate issued by Sectigo. The malware has been observed signed with the certificate in question dating back to September 15, 2021.

Executables with valid code signing certificates are often scrutinized less closely than unsigned executables. Their use allows attackers to remain under the radar and evade detection for a longer period of time.

Blister masquerades as a legitimate library called “colorui.dll” and is delivered via a dropper named “dxpo8umrzrr1w6gm.exe.” Once executed, the loader sleeps for 10 minutes, likely in an attempt to evade sandbox analysis, and then establishes persistence and decrypts an embedded malware payload such as Cobalt Strike or BitRAT.

Once decrypted, the embedded payload is loaded into the current process or injected into a newly spawned WerFault.exe process.
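As an added defender-side example (not code from the article or from any research cited in it), the following Python triage pass applies the behaviours above to constructed Sysmon-style events: the dropper file name, colorui.dll loading from outside System32, and an argument-less WerFault.exe spawned by a non-system parent. The System32 location of the genuine colorui.dll and the argument shape of a normal WerFault.exe launch are assumptions made for this example.

```python
# Triage of constructed Sysmon-style ProcessCreate (ID 1) and ImageLoad (ID 7)
# records for the loader behaviour described above. Assumptions: the genuine
# colorui.dll lives in System32 and a normal WerFault.exe launch carries arguments.
import ntpath
from typing import Dict, List

SYSTEM32 = r"c:\windows\system32"
DROPPER_NAME = "dxpo8umrzrr1w6gm.exe"   # dropper file name given in the article

def triage(events: List[Dict[str, str]]) -> List[str]:
    """Return one finding string per event matching a Blister-style heuristic."""
    findings: List[str] = []
    for ev in events:
        image = ev.get("Image", "").lower()
        base = ntpath.basename(image)
        if ev.get("EventID") == "1":
            if base == DROPPER_NAME:
                findings.append(f"dropper name seen: {image}")
            if base == "werfault.exe":
                parent = ev.get("ParentImage", "").lower()
                argv = ev.get("CommandLine", "").split()
                # Assumption: a legitimate WerFault launch carries crash-report args
                # (-u -p <pid> ...); a bare launch from a non-System32 parent matches
                # the "newly spawned WerFault.exe" injection target described above.
                if len(argv) <= 1 and not parent.startswith(SYSTEM32):
                    findings.append(f"argument-less WerFault.exe spawned by {parent}")
        elif ev.get("EventID") == "7":
            loaded = ev.get("ImageLoaded", "").lower()
            if ntpath.basename(loaded) == "colorui.dll" and not loaded.startswith(SYSTEM32):
                findings.append(f"colorui.dll loaded from unexpected path: {loaded}")
    return findings

# Constructed sample events for a stand-alone run; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": "1", "Image": r"C:\Users\u\Downloads\dxpo8umrzrr1w6gm.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "dxpo8umrzrr1w6gm.exe"},
    {"EventID": "7", "Image": r"C:\Users\u\Downloads\dxpo8umrzrr1w6gm.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\colorui.dll"},
    {"EventID": "1", "Image": r"C:\Windows\System32\WerFault.exe",
     "ParentImage": r"C:\Users\u\Downloads\dxpo8umrzrr1w6gm.exe",
     "CommandLine": r"C:\Windows\System32\WerFault.exe"},
    {"EventID": "1", "Image": r"C:\Windows\System32\WerFault.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\WerFault.exe -u -p 4120 -s 2244"},
    {"EventID": "7", "Image": r"C:\Windows\System32\colorcpl.exe",
     "ImageLoaded": r"C:\Windows\System32\colorui.dll"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The two benign records (a WerFault launch with crash-report arguments and colorui.dll loading from System32) produce no finding, so the pass yields exactly three hits on the sample set.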


Indicators of Compromise

Domains

  • moduleloader.s3.eu-west-2.amazonaws.com
  • discountshadesdirect.com
  • bimelectrical.com
  • clippershipintl.com

