BLISTER malware evaded the Windows systems’ threat detection

February 2, 2022

Cybersecurity researchers revealed a malware campaign called BLISTER that relies on a valid code-signing certificate to disguise malicious code as legitimate executables, allowing it to evade the security measures of Windows systems.

The payloads discovered contained the BLISTER malware, which acts as a loader for the malware and appears to be a threat with a low detection rate. Moreover, the malware operators have relied on several strategies to keep their activity undetected. Researchers also found that the operators used the code-signing certificate as their primary evasion technique.

The BLISTER campaign has been active since late September 2021, running for months while successfully evading detection on Windows systems.

The researchers stated that the malware operators relied on several techniques to remain undetected. One technique was to embed BLISTER in a legitimate library such as ‘colorui[.]dll’.

The malware is launched with elevated privileges through a specific command. Being signed with a legitimate certificate and run with administrative rights helps the malware evade security solutions.

BLISTER then decodes bootstrapping code from its resource section that is difficult to detect. The malware stays dormant for about ten minutes, which researchers believe is intended to slip past sandbox analysis.

After the ten-minute delay, the malware decrypts embedded payloads that provide remote access and enable lateral movement. It then establishes persistence with a copy in the ProgramData folder and a ‘rundll32[.]exe’ entry, registered in a startup location so the malware runs at every boot.
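The persistence step described above leaves an observable artifact: an autostart entry that launches ‘rundll32[.]exe’ with a DLL stored under ProgramData. The following is an added example written for this page, not code from the article or from the researchers it cites. It scans constructed autostart records (the `source|command line` layout and the sample entries are assumptions, not real telemetry) and flags entries matching that pattern.

```python
"""Added example (not from the article or the researchers it cites): a small
detector for the persistence artifact described above, an autostart entry that
launches rundll32.exe with a DLL stored under ProgramData. The record layout
and the sample records below are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed record layout: "<autostart source>|<command line>". Real data
# (an Autoruns export, registry Run keys, startup-folder shortcuts) would need
# its own parser; only the matching logic below is the point.
SAMPLE_AUTOSTART = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater|"
    r"C:\Windows\System32\rundll32.exe C:\ProgramData\Colors\colorui.dll,EntryPoint",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive|"
    r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    r"StartupFolder\update.lnk|rundll32 %ProgramData%\cache\helper.dll,Start",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Audio|"
    r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL",
]


@dataclass
class Finding:
    source: str
    dll_path: str
    reason: str


# rundll32 invoked by bare name or full path, optionally ".exe" and quoted,
# followed by the DLL argument (optionally quoted); the entry point follows a comma.
RUNDLL32_RE = re.compile(r'(?:^|[\\\s"])rundll32(?:\.exe)?"?\s+"?([^",]+)', re.IGNORECASE)


def extract_rundll32_dll(cmdline: str) -> Optional[str]:
    """Return the DLL path passed to rundll32, or None if rundll32 is not invoked."""
    m = RUNDLL32_RE.search(cmdline)
    return m.group(1).strip() if m else None


def normalize_path(path: str) -> str:
    """Expand %ProgramData%, unify separators and case so prefix checks are reliable."""
    p = re.sub(r"%programdata%", lambda _: "C:\\ProgramData", path, flags=re.IGNORECASE)
    return p.replace("/", "\\").strip('"').lower()


def in_programdata(path: str) -> bool:
    """True when the (normalized) path sits anywhere under C:\\ProgramData."""
    return normalize_path(path).startswith("c:\\programdata\\")


def scan_autostart(records: List[str]) -> List[Finding]:
    """Flag autostart entries where rundll32 loads a DLL from ProgramData."""
    findings: List[Finding] = []
    for rec in records:
        source, _, cmdline = rec.partition("|")
        dll = extract_rundll32_dll(cmdline)
        if dll is not None and in_programdata(dll):
            findings.append(Finding(source, dll, "rundll32 autostart loading a DLL from ProgramData"))
    return findings


if __name__ == "__main__":
    for f in scan_autostart(SAMPLE_AUTOSTART):
        print(f"[{f.reason}] {f.source} -> {f.dll_path}")
```

Two caveats follow directly from the article: a valid Authenticode signature on the loader is not a trust signal in this campaign, so signature checks alone do not replace a review of autostart entries, and sandbox runs shorter than the ten-minute dormancy period never reach the payload stage.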

The researchers discovered both signed and unsigned variants of the BLISTER loader. Both variants achieved a low detection rate among antivirus solutions on VirusTotal.

Although the initial infection vector remains unclear, by combining legitimate code-signing certificates, malware embedded in authentic libraries, and in-memory execution of payloads, threat actors can increase their attack success rate.

Therefore, cybersecurity agencies should pinpoint the main objective of the BLISTER operators in order to devise a plan to counter the malware and mitigate the damage it could cause to many users in the future.
