fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Stealthy BLISTER Malware Slips in Unnoticed on Windows Systems

Stealthy BLISTER Malware Slips in Unnoticed on Windows Systems

Security researchers have uncovered a malicious campaign that relies on a valid code-signing certificate to disguise malicious code as legitimate executables.

One of the payloads that the researchers called Blister, acts as a loader for other malware and appears to be a novel threat that enjoys a low detection rate.

The threat actor behind Blister has been relying on multiple techniques to keep their attacks under the radar, the use of code-signing certificates being only one of their tricks.

Also Read: Vulnerability Assessment vs Penetration Testing: And Why You Need Both

Signed, sealed, delivered

Whoever is behind Blister malware has been running campaigns for at least three months, since at least September 15, security researchers from Elastic search company found.

The threat actor used a code-signing certificate that is valid from August 23, though. It was issued by digital identity provider Sectigo for a company called Blist LLC with an email address from a Russian provider Mail.Ru.

Valid code-signing certificate used in Blister malware attacks
source: Elastic

Using valid certificates to sign malware is an old trick that threat actors learned years ago. Back then, they used to steal certificates from legitimate companies. These days, threat actors request a valid cert using details of a firm they compromised or of a front business.

In a blog post this week, Elastic says that they responsibly reported the abused certificate to Sectigo so it could be revoked.

The researchers say that the threat actor relied on multiple techniques to keep the attack undetected. One method was to embed Blister malware into a legitimate library (e.g. colorui.dll).

The malware is then executed with elevated privileges via the rundll32 command. Being signed with a valid certificate and deployed with administrator privileges makes Blister slip past security solutions.

Also Read: When to Appoint a Data Protection Officer

In the next step, Blister decodes from the resource section bootstrapping code that is “heavily obfuscated,” Elastic researchers say. For ten minutes, the code stays dormant, likely in an attempt to evade sandbox analysis.

It then kicks into action by decrypting embedded payloads that provide remote access and allow lateral movement: Cobalt Strike and BitRAT – both have been used by multiple threat actors in the past.

The malware achieves persistence with a copy in the ProgramData folder and another posing as rundll32.exe. It is also added to the startup location, so it launches at every boot, as a child of explorer.exe.

Elastic’s researchers found signed and unsigned versions of the Blister loader, and both enjoyed a low detection rate with antivirus engines on VirusTotal scanning service.

Low detection rate for Blister malware loader
detection rate of unsigned Blister malware sample

While the objective of these attacks of the initial infection vector remain unclear, by combining valid code-signing certs, malware embedded in legitimate libraries, and execution of payloads in memory the threat actors increased their chances for a successful attack.

Elastic has created a Yara rule to identify Blister activity and provides indicators of compromise to help organizations defend against the threat.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us