Nasty new malware strain creeps quietly past Windows defenses

Security researchers have identified a new malware campaign that leverages code signing certificates and other techniques to help it avoid...

Security researchers have identified a new malware campaign that leverages code signing certificates and other techniques to help it avoid detection by antivirus software.

According to a new blog post from Elastic Security, the cybersecurity firm's researchers identified a cluster of malicious activity after reviewing its threat prevention telemetry.

The cybercriminals behind this new campaign are using valid code signing certificates to sign malware to help them remain under the radar of the security community. However, Elastic Security also discovered a new malware loader used in the campaign that it has named Blister.

Due to the use of valid code signing certificates and other measures taken to avoid detection, the cybercriminals responsible have been running this new campaign for at least three months.

Blister malware

The cybercriminals are using a code signing certificate issued by the digital identity firm Sectigo for a company called Blist LLC which is why Elastic Security gave their malware loader the name Blister. They may also be operating out of Russia as they are using Mail.Ru as their email service.

In addition to using a valid code signing certificate, the cybercriminals also relied on other techniques to remain undetected including embedding the Blister malware into a legitimate library. After being executed with elevated privileges by using the rundll32 command, the malware decodes bootstrapping code that is heavily obfuscated and stored in the resource section. From here, the code remains dormant for ten minutes to evade sandbox analysis.

Once enough time has passed, the malware starts up and begins decrypting embedded payloads that allow it to access a Windows system remotely and move laterally across a victim's network. Blister also achieves persistence on an infected machine by storing a copy in the ProgramData folder as well as another posing as rundll32.exe. To make matters worse, the malware is added to a system's startup location so it launches every time a machine boots.

Elastic Security has notified Sectigo to have Blister's code signing certificate revoked though the firm has also created a Yara rule to help organization's identify the new malware.

We've also featured the best malware removal software, best antivirus and best endpoint protection software

Via Bleeping Computer



from TechRadar - All the latest technology news https://ift.tt/3entMvg
via IFTTT

COMMENTS

BLOGGER
Name

Apps,3858,Business,151,Camera,1155,Earn $$$,3,Gadgets,1741,Games,926,GTA,1,Innovations,3,Mobile,1697,Paid Promotions,5,Promotions,5,Sports,1,Technology,8106,Trailers,796,Travel,37,Trending,4,Trendly News,24916,TrendlyNews,8,Video,5,XIAOMI,13,YouTube - 9to5Google,7,
ltr
item
Trendly News | #ListenNow #Everyday #100ShortNews #TopTrendings #PopularNews #Reviews #TrendlyNews: Nasty new malware strain creeps quietly past Windows defenses
Nasty new malware strain creeps quietly past Windows defenses
Trendly News | #ListenNow #Everyday #100ShortNews #TopTrendings #PopularNews #Reviews #TrendlyNews
http://www.trendlynews.in/2021/12/nasty-new-malware-strain-creeps-quietly.html
http://www.trendlynews.in/
http://www.trendlynews.in/
http://www.trendlynews.in/2021/12/nasty-new-malware-strain-creeps-quietly.html
true
3372890392287038985
UTF-8
Loaded All Posts Not found any posts VIEW ALL Readmore Reply Cancel reply Delete By Home PAGES POSTS View All RECOMMENDED FOR YOU LABEL ARCHIVE SEARCH ALL POSTS Not found any post match with your request Back Home Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sun Mon Tue Wed Thu Fri Sat January February March April May June July August September October November December Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec just now 1 minute ago $$1$$ minutes ago 1 hour ago $$1$$ hours ago Yesterday $$1$$ days ago $$1$$ weeks ago more than 5 weeks ago Followers Follow THIS PREMIUM CONTENT IS LOCKED STEP 1: Share. STEP 2: Click the link you shared to unlock Copy All Code Select All Code All codes were copied to your clipboard Can not copy the codes / texts, please press [CTRL]+[C] (or CMD+C with Mac) to copy