BLISTER Malware Brings RATs to Compromised Networks
The BLISTER Malware is a new loader payload that is being used to deliver other malware to the devices it infects. The threat appears to be able to circumvent some basic security measures in Windows by using a fraudulently obtained code-signing certificate that the developers managed to acquire. This is not a novel technique by any means: hijacking code-signing certificates has been popular among malware developers for years.
Cybersecurity researchers believe that the creators of the BLISTER Malware may have acquired the certificate by compromising a legitimate company and then using its credentials to contact Sectigo, a digital identity provider. The certificate that the BLISTER Malware uses appears to have been issued on the 23rd of August, and it belongs to Blist LLC, a company using a Russia-based email provider. However, this does not necessarily confirm the nationality of BLISTER Malware's creators.
When the BLISTER Malware is launched, it begins by decoding the heavily obfuscated code it uses to initialize the attack. Once decoding is complete, the malware delays the next step by 10 minutes, a simple measure to evade sandbox analysis, which typically runs a sample for only a few minutes.
Once running, the BLISTER Malware gains persistence by dropping its files into the %ProgramData% folder and by creating a new entry in the Startup directory. The BLISTER Malware appears to be used in combination with Remote Access Trojans (RATs) and utilities such as the Cobalt Strike beacon and BitRAT. The end goal of the criminals is not yet clear, but they appear to be trying to take control of entire networks by spreading laterally. Systems and networks can be protected from the BLISTER Malware by employing robust security measures and by ensuring that all system operators are familiar with safe Web browsing best practices.
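The two persistence locations named above (an executable dropped under %ProgramData% plus a new Startup-directory entry) are a useful pairing for a detection rule. The following is an added example, not code from the original article or from any published BLISTER analysis: it parses constructed Sysmon-style FileCreate lines (the log format is assumed) and flags any process that does both.

```python
"""Flag processes that drop an executable into %ProgramData% AND write a Startup entry.
Log format is assumed (constructed, Sysmon-like): "<time> FileCreate Image=<path> TargetFilename=<path>".
"""
import re
from dataclasses import dataclass

# Per-user and all-users Startup folders both contain this suffix.
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
PROGRAMDATA_RE = re.compile(r"^C:\\ProgramData\\", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".lnk", ".bat", ".vbs", ".ps1")
REQUIRED_TAGS = {"programdata_drop", "startup_entry"}

@dataclass
class FileEvent:
    process: str   # image that performed the write
    target: str    # full path of the file that was created

def parse_event(line):
    """Return a FileEvent, or None if the line is not a FileCreate record we understand."""
    m = re.search(r"FileCreate Image=(.+?) TargetFilename=(.+)$", line)
    return FileEvent(m.group(1).strip(), m.group(2).strip()) if m else None

def classify(events):
    """Map each writing process to the set of persistence-related tags it earned."""
    tags = {}
    for ev in events:
        t = tags.setdefault(ev.process, set())
        if PROGRAMDATA_RE.match(ev.target) and ev.target.lower().endswith(EXEC_EXT):
            t.add("programdata_drop")
        if STARTUP_RE.search(ev.target):
            t.add("startup_entry")
    return tags

def suspicious_processes(lines):
    """Processes that exhibit BOTH behaviours; a single drop alone (e.g. an installer) is not flagged."""
    events = [e for e in map(parse_event, lines) if e]
    return sorted(p for p, t in classify(events).items() if REQUIRED_TAGS <= t)

# Constructed sample log: one loader-like process, one installer, one benign editor.
SAMPLE_LOG = [
    r"2000-01-01T10:00:01 FileCreate Image=C:\Users\bob\Downloads\setup.exe TargetFilename=C:\ProgramData\Update\svc.exe",
    r"2000-01-01T10:10:05 FileCreate Image=C:\Users\bob\Downloads\setup.exe TargetFilename=C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk",
    r"2000-01-01T10:11:00 FileCreate Image=C:\Windows\System32\msiexec.exe TargetFilename=C:\ProgramData\Vendor\app.dll",
    r"2000-01-01T10:12:00 FileCreate Image=C:\Program Files\Editor\editor.exe TargetFilename=C:\Users\bob\Documents\notes.txt",
]

if __name__ == "__main__":
    for proc in suspicious_processes(SAMPLE_LOG):
        print("ALERT: ProgramData drop + Startup entry by", proc)
```

Real deployments should also record the Authenticode signer of the dropped file, since a validly signed binary (as with the certificate described above) is exactly the case signature-only checks miss.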