Security researchers have uncovered a malicious campaign that relies on a valid code-signing certificate to disguise malicious code as legitimate executables.
One of the payloads that the researchers called Blister, acts as a loader for other malware and appears to be a novel threat that enjoys a low detection rate.
The threat actor behind Blister has been relying on multiple techniques to keep their attacks under the radar, the use of code-signing certificates being only one of their tricks.
Signed, sealed, delivered
Whoever is behind Blister malware has been running campaigns for at least three months, since at least September 15, security researchers from Elastic search company found.
The threat actor used a code-signing certificate that is valid from August 23, though. It was issued by digital identity provider Sectigo for a company called Blist LLC with an email address from a Russian provider Mail.Ru.
Threat Actors Abuse ConnectWise Configuration to Build a Signed Malware
New Campaigns Distribute Malware via Open Source Hacking Tools
Malware bypassed macOS Gatekeeper by abusing Apple's notarization proccess