# Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 1) **cloudsek.com/technical-analysis-of-code-signed-blister-malware-campaign-part-1** Anandeshwar Unnikrishnan January 7, 2022 A new malware, dubbed “Blister,” by the Elastic Security team that identified it, is leveraging valid code-signing certificates in Windows systems, to avoid detection by antivirus software. The malware is named after one of its payloads, Blister, which further deploys second-stage payloads. The threat actors orchestrating the Blister campaigns have been active since 15 September 2021, and have been using code-signing certificates that were validated on 23 August 2021. These certificates were issued by Sectigo to Blist LLC’s mail.ru email address. It is notable that mail.ru is a widely used Russian email service provider. The malware masquerades malicious components as genuine executable files, due to which it has a low detection rate. Apart from using codesigning certificates, the threat actors are also leveraging other techniques, such as binding Blister to a legitimate library on the infected system, to stay under the radar. ## Modus Operandi of the Blister Campaign Threat actors are known to use code-signing to circumvent basic static security checks to compromise the victim systems. The Blister malware is no different in that it uses a Sectigo issued certificate to make the loader malware program look genuine to security products. It then deploys a Remote Access Trojan (RAT) on the target system to gain unauthorized access. A .dll file is used as a second stage payload to execute the encoded RAT/ CobaltStrike beacon. Since the .dll file has no malicious traces there have been very few detections on VirusTotal. However, the loader uses Rundll32.exe to execute the LaunchColorCpl function exported by the malicious .dll file. ----- _Overview of the Blister malware campaign_ ## Leveraging Code-Signing Certificates to Avoid Detection The below image contains the details of the certificate to an entity called “Blist LLC”. It is common for cybercriminals to either steal code-signing certificates from compromised targets, or to use a front company to obtain the certificate, to sign the malware with. Sectigo has since revoked the certificate issued to the binary. _Certificate issued to Blist LLC_ _Certificate issued by Sectigo_ ## First Stage of Infection **Overview of the Loader** The loader writes a malicious .dll file in a directory created inside the user Temp folder. In one of the analysed samples, the malware created a folder named “goalgames” and inside it the loader dumped holorui.dll. The .dll houses the code for deploying the RAT to gain unauthorized access to the infected system. ----- _The loader writes a .dll file in the user Temp folder_ **Step by Step Working of the Loader** The Win32 API createDirectoryW is used to create a folder called “goalgames” in the path: C:\Users\\AppData\Local\Temp _directory. as shown below._ _Using Win32 API createDirectoryW to create a folder in the user Temp folder_ Before dumping the .dll, the loader sets the working directory to C:\Users\\AppData\Local\Temp\goalgames via Win32 API _SetCurrentDirectoryW._ _Using Win32 API SetCurrentDirectoryW to set the working directory_ After setting the working directory, the malware resolves the filename for the .dll file to holorui.dll and stores it in the register RCX, to later pass it to Win32 API CreateFileW. _The malware resolves the filename for the .dll file to holorui.dll_ The file C:\Users\\AppData\Local\Temp\goalgames\holorui.dll is created using the CreateFileW API. _holorui.dll created using CreateFileW API_ Once the file is created, the malware starts writing the content to the file by iteratively transferring bytes from the .dll payload in the loader. The Win32 API WriteFile is used to write contents into holorui.dll. _Win32 API WriteFile used to write contents into holorui.dll_ ----- e a c ous .dll s e bedded t e t a ed data seg e t o t e e ecutab e o t e oade a d t e bytes a e t a s e ed to _C:\Users\\AppData\Local\Temp\goalgames\holorui.dll._ _The MZ header of the embedded file_ Upon closing the handle to the holorui.dll file, written on to the disk in the Temp directory, the malware finishes delivering the second stage payload. Then the file handles are closed by the malware. _File handles closed by the malware_ The successful delivery of the malicious .dll can be confirmed by analyzing the interaction of the malware on the system. _Successful delivery of the malicious .dll_ Based on analysing multiple signed loader samples, we have enumerated following distinct directory and payload names used within different samples from the same campaign: _C:\Users\\AppData\Local\Temp\goalgames\holorui.dll_ _C:\Users\\AppData\Local\Temp\Framwork\axsssig.dll_ _C:\Users\\AppData\Local\Temp\oarimgamings\holorui.dll_ _C:\Users\\AppData\Local\Temp\guirtsframworks\Pasade.dll_ Note: The content inside the .dll is the same despite having different names ## Second Stage of Infection At the second stage of infection, the loader generates a command line to execute the function LaunchColorCpl exported from the .dll, via _Rundll32.exe on the infected system._ _Command line to execute the function LaunchColorCpl_ A new process is created with the above command line to spawn a Rundll32 process via CreateProcessW Win32 API. Spawning a Rundll32 process via CreateProcessW Win32 API The newly spawned Rundll32.exe process is listed in the process listing on the infected machine. _Newly spawned Rundll32.exe process_ ----- _Command line confirmation for the newly spawned process_ The final payload is executed by the Rundll32.exe process. _Network activities between the infected host and the attacker C2_ In the part 2 of this article we will cover the internal working of the .dll payload in detail. ## Indicators of Compromise (IoCs) **FileHash-MD5** e6404260b4e42b7aa75bb0a96627ed3a 304921a919ab5228687a4932bb66fab9 db8827d0d7b2addc05719e407216da14 1b33c1f232b2ed68ac108519caa2d35f 755f50457416aeb7fee95a67abfea9fe 1896e6b20128e85a9851b94753eabbdf 6f76505a91c91c29238f0ed70b369417 a91ba8f4a339a98fa94e810831e83d96 5a7dea7aa86ccd600f5a97e3b53f7338 b8c9c560c6970a877a7ad359f37811d7 3efcd76417a185e48da71e22d230c547 **FileHash-SHA1** [f8fa1ba14df6f8ab2b307ee0ce04054ea9d538c0](https://otx.alienvault.com/indicator/file/f8fa1ba14df6f8ab2b307ee0ce04054ea9d538c0) [77b11cc7fc02f2ece71c380afbed82a39df9b8fa](https://otx.alienvault.com/indicator/file/77b11cc7fc02f2ece71c380afbed82a39df9b8fa) [f534e15bbc104cafab80f954ba30f12de87b0f48](https://otx.alienvault.com/indicator/file/f534e15bbc104cafab80f954ba30f12de87b0f48) [72134bbf433c51d475412d16ff7abb4ce2b08110](https://otx.alienvault.com/indicator/file/72134bbf433c51d475412d16ff7abb4ce2b08110) [d58e06727c551756cbee1fc6539929553a09878b](https://otx.alienvault.com/indicator/file/d58e06727c551756cbee1fc6539929553a09878b) [4800d1f8e6ebc489c6c8a1d3a1f99b8339cf0980](https://otx.alienvault.com/indicator/file/4800d1f8e6ebc489c6c8a1d3a1f99b8339cf0980) [c039362e891b01040c20e75e16b02169c512aebd](https://otx.alienvault.com/indicator/file/c039362e891b01040c20e75e16b02169c512aebd) [21799d1d30344428697f3a186733b283a993ac16](https://otx.alienvault.com/indicator/file/21799d1d30344428697f3a186733b283a993ac16) [bb69d5da32164813be5af29d31edc951a8f1f088](https://otx.alienvault.com/indicator/file/bb69d5da32164813be5af29d31edc951a8f1f088) 871e52778597185f98eb0a57127024bcd094cf07 [a492b5e329b55d4a0f66217e5352ab56fabacad1](https://otx.alienvault.com/indicator/file/a492b5e329b55d4a0f66217e5352ab56fabacad1) **FileHash-SHA256** ----- fe7357d48906b68f094a81d19cc0ff93f56cc40454ac5f00e2e2d9c8ccdbc388 fa885e9ea1293552cb45a89e740426fa9c313225ff77ad1980dfe f5104d0ead2f178711b1e23db3c16846de7d1a3ac04dbe09bacebb847775d76d ed6910fd51d6373065a2f1d3580ad645f443bf0badc398aa7718 ed241c92f9bc969a160da2c4c0b006581fa54f9615646dd46467d24fe5526c7a df8142e5cf897af65972041024ebe74c7915df0e18c6364c5fb9b d54dfedda0efa36ed445d501845b61ab73c2102786be710ac19f697fc8d4ca5c d0f934fd5d63a1524616bc13b51ce274539a8ead9b072e7f7fe1 cc31c124fc39025f5c3a410ed4108a56bb7c6e90b5819167a06800d02ef1f028 cb949ebe87c55c0ba6cf0525161e2e6670c1ae186ab83ce4604 ca09d9cd2f3cfcc06b33eff91d55602cb33a66ab3fd4f540b9212fce5ddae54a c61d2ba1e001c137533cd7fb6b38fe71fee489d61dbcfea45c37c c0f3b27ae4f7db457a86a38244225cca35aa0960eb6a685ed350e99a36c32b61 bee3210360c5d0939c5d38b7b9f0c232cf9fbf93b46a19e53930a ba3a50930e7a144637faf88a98f2990a27532bfd20a93dc160eb2db4fbc17b58 afb77617a4ca637614c429440c78da438e190dd1ca24dc78483 af555d61becfcf0c13d4bc8ea7ab97dcdc6591f8c6bb892290898d28ebce1c5d a486e836026e184f7d3f30eaa4308e2f0c381c070af1f525118a4 a34821b50aadee0dd85c382c43f44dae1e5fef0febf2f7aed6abf3f3e21f7994 9bccc1862e3e5a6c89524f2d76144d121d0ee95b1b8ba5d0ffca 96bf7bd5f405d3b4c9a71bcd1060395f28f2466fdb91cafc6e261a31d41eb37a 9472d4cb393256a62a466f6601014e5cb04a71f115499c320dc6 923b2f90749da76b997e1c7870ae3402aba875fdbdd64f79cbeba2f928884129 8e22cf159345852be585bc5a8e9af476b00bc91cdda98fd6a324 8ae2c205220c95f0f7e1f67030a9027822cc18e941b669e2a52a5dbb5af74bc9 8a414a40419e32282d33af3273ff73a596a7ac8738e9cdca6e7d 863228efa55b54a8d03a87bb602a2e418856e0028ae409357454a6303b128224 84a67f191a93ee827c4829498d2cb1d27bdd9e47e136dc6652a 81edf3a3b295b0189e54f79387e7df61250cc8eab4f1e8f42eb5042102df8f1f 7cd03b30cfeea07b5ea4c8976e6456cb65e09f6b8e7dcc688843 7b9091c41525f1721b12dcef601117737ea990cee17a8eecf81dcfb25ccb5a8f 6c6f808f9b19e1fab1c1b83dc99386f0ceee8593ddfd461ac047e 696f6274af4b9e8db4727269d43c83c350694bd1ef4bd5ccdc0806b1f014568a 56ca9ea3f7870561ed3c6387daf495404ed3827f212472501d25 5651e8a8e6f9c63c4c1162efadfcb4cdd9ad634c5e00a5ab03259fcdeaa225ac 516cac58a6bfec5b9c214b6bba0b724961148199d32fb42c01b1 4fe551bcea5e07879ec84a7f1cea1036cfd0a3b03151403542cab6bd8541f8e5 44e5770751679f178f90ef7bd57e8e4ccfb6051767d8e906708c5 3c7480998ade344b74e956f7d3a3f1a989aaf43446163a62f0a8ed34b0c010d0 359ffa33784cb357ddabc42be1dcb9854ddb113fd8d6caf3bf039 2d049f7658a8dccd930f7010b32ed1bc9a5cc0f8109b511ca2a77a2104301369 294c710f4074b37ade714c83b6b7bf722a46aef61c02ba6543de 25a0d6a839c4dc708dcdd1ef9395570cc86d54d4725b7daf56964017f66be3c1 216cb4f2caeaf59f297f72f7f271b084637e5087d59411ac77ddd3 1a10a07413115c254cb7a5c4f63ff525e64adfe8bb60acef946bb7656b7a2b3d 17ea84d547e97a030d2b02ac2eaa9763ffb4f96f6c54659533a2 00eb2f75822abeb2e222d007bdec464bfbc3934b8be12983cc898b37c6ace081 0a7778cf6f9a1bd894e89f282f2e40f9d6c9cd4b72be97328e681 **Domains** discountshadesdirect.com domain clippershipintl.com domain bimelectrical.com **IPv4** 93.115.18.248 188.68.221.203 185.170.213.186 **Signed loaders** ed6910fd51d6373065a2f1d3580ad645f443bf0badc398aa77185324b0284db8 cb949ebe87c55c0ba6cf0525161e2e6670c1ae186ab83ce46047446e9753a926 7b9091c41525f1721b12dcef601117737ea990cee17a8eecf81dcfb25ccb5a8f 84a67f191a93ee827c4829498d2cb1d27bdd9e47e136dc6652a5414dab440b74 cc31c124fc39025f5c3a410ed4108a56bb7c6e90b5819167a06800d02ef1f028 9472d4cb393256a62a466f6601014e5cb04a71f115499c320dc615245c7594d4 4fe551bcea5e07879ec84a7f1cea1036cfd0a3b03151403542cab6bd8541f8e5 1a10a07413115c254cb7a5c4f63ff525e64adfe8bb60acef946bb7656b7a2b3d 9bccc1862e3e5a6c89524f2d76144d121d0ee95b1b8ba5d0ffcaa23025318a60 8a414a40419e32282d33af3273ff73a596a7ac8738e9cdca6e7db0e41c1a7658 923b2f90749da76b997e1c7870ae3402aba875fdbdd64f79cbeba2f928884129 ed241c92f9bc969a160da2c4c0b006581fa54f9615646dd46467d24fe5526c7a 294c710f4074b37ade714c83b6b7bf722a46aef61c02ba6543de5d59edc97b60 ----- BE7E259D5992180EADFE3F4F3AB1A5DECC6A394DF60C7170550B3D222FCE5F19 [Anandeshwar Unnikrishnan](https://cloudsek.com/author/anadeshwar-unnikrishnan/) [Threat Intelligence Researcher, CloudSEK](https://cloudsek.com/) Anandeshwar is a Threat Intelligence Researcher at CloudSEK. He is a strong advocate of offensive cybersecurity. He is fuelled by his passion for cyber threats in a global context. He dedicates much of his time on Try Hack Me/ Hack The Box/ Offensive Security Playground. He believes that “a strong mind starts with a strong body.” When he is not gymming, he finds time to nurture his passion for teaching. He also likes to travel and experience new cultures. [Deepanjli Paulraj](https://cloudsek.com/author/deepanjli-paulraj/) [Lead Cyberintelligence Editor, CloudSEK](https://cloudsek.com/) Total Posts: 3 Deepanjli is CloudSEK’s Lead Technical Content Writer and Editor. She is a pen wielding pedant with an insatiable appetite for books, Sudoku, and epistemology. She works on any and all content at CloudSEK, which includes blogs, reports, product documentation, and everything in between. -----