Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 1)

Published on January 7, 2022

A malware family dubbed “Blister” by the Elastic Security team that identified it leverages valid code-signing certificates on Windows systems to evade detection by antivirus software. The family is named after one of its components, the Blister loader, which deploys second-stage payloads.

The threat actors behind the Blister campaigns have been active since 15 September 2021 and have been using code-signing certificates that became valid on 23 August 2021. The certificates were issued by Sectigo to an email address registered to Blist LLC. Notably, the provider of that address is a widely used Russian email service.

Because the malware passes off its malicious components as genuine, signed executables, it has a low detection rate. Beyond code signing, the threat actors use other evasion techniques, such as embedding Blister inside a legitimate library on the infected system, to stay under the radar.

Modus Operandi of the Blister Campaign

Threat actors commonly use code signing to get past basic static security checks on victim systems. Blister is no different: it uses a Sectigo-issued certificate to make the loader look legitimate to security products, then deploys a Remote Access Trojan (RAT) on the target system to gain unauthorized access.

A .dll file is used as the second-stage payload to execute the encoded RAT or Cobalt Strike beacon. Because the .dll itself carries no obvious malicious indicators, it has very few detections on VirusTotal. The loader runs it through Rundll32.exe, invoking the LaunchColorCpl function exported by the malicious .dll.

Overview of the Blister malware campaign

Leveraging Code-Signing Certificates to Avoid Detection

  • The image below shows the details of the certificate issued to an entity called “Blist LLC”. It is common for cybercriminals either to steal code-signing certificates from compromised organisations or to set up a front company to obtain a certificate with which to sign their malware.
Certificate issued to Blist LLC

  • Sectigo has since revoked the certificate used to sign the binary.
Certificate issued by Sectigo

First Stage of Infection

Overview of the Loader

  • The loader writes a malicious .dll file in a directory created inside the user Temp folder. 
  • In one of the analysed samples, the loader created a folder named “goalgames” and dumped holorui.dll inside it.
  • The .dll houses the code for deploying the RAT to gain unauthorized access to the infected system.
The loader writes a .dll file in the user Temp folder

Step by Step Working of the Loader

  • The Win32 API CreateDirectoryW is used to create a folder called “goalgames” under C:\Users\<user>\AppData\Local\Temp, as shown below.
Using Win32 API CreateDirectoryW to create a folder in the user Temp folder

  • Before dumping the .dll, the loader sets the working directory to C:\Users\<user>\AppData\Local\Temp\goalgames via Win32 API SetCurrentDirectoryW.
Using Win32 API SetCurrentDirectoryW to set the working directory

  • After setting the working directory, the malware resolves the filename of the .dll to holorui.dll and places a pointer to it in register RCX (the first-argument register in the x64 calling convention) to pass it to the Win32 API CreateFileW.
The malware resolves the filename for the .dll file to holorui.dll

  • The file C:\Users\<user>\AppData\Local\Temp\goalgames\holorui.dll is created using the CreateFileW API. 
holorui.dll created using CreateFileW API

  • Once the file is created, the malware writes the .dll payload carried inside the loader into it, transferring the bytes iteratively. The Win32 API WriteFile is used to write the contents into holorui.dll.
Win32 API WriteFile used to write contents into holorui.dll

  • The malicious .dll is embedded in the initialized data segment of the PE executable of the loader and the bytes are transferred into C:\Users\<user>\AppData\Local\Temp\goalgames\holorui.dll.
The MZ header of the embedded file

  • After the contents are written, the malware closes its handles, including the handle to holorui.dll now on disk in the Temp directory, which completes delivery of the second-stage payload.
File handles closed by the malware

  • Successful delivery of the malicious .dll can be confirmed by observing the malware's interaction with the file system.
Successful delivery of the malicious .dll

  • Based on the analysis of multiple signed loader samples, we enumerated the following distinct directory and payload names used across samples from the same campaign:
    • C:\Users\<user>\AppData\Local\Temp\goalgames\holorui.dll
    • C:\Users\<user>\AppData\Local\Temp\Framwork\axsssig.dll
    • C:\Users\<user>\AppData\Local\Temp\oarimgamings\holorui.dll
    • C:\Users\<user>\AppData\Local\Temp\guirtsframworks\Pasade.dll

Note: the content of the .dll is the same across samples despite the different names.
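The loader keeps the second-stage DLL as a complete PE image in its initialized data and copies it out byte by byte, and the same DLL content appears under several file names. The example below, added here and not code from the article or from the malware, shows how an analyst recovers that embedded image from a loader: scan for MZ candidates, validate each through the PE headers (e_lfanew, the NT signature, the section table) to reject stray "MZ" pairs in data, carve the bytes up to the end of the last section, and hash the result so drops with different names can be matched. The "loader" and the embedded "DLL" are fabricated inline for the demo; build_minimal_pe and demo are assumed helper names that exist only in this example.

```python
# Added example (not the article's or the malware's code): locate and carve a PE
# image embedded in a loader's data, as Blister's loader embeds its second-stage
# DLL, and hash the carved file so it can be matched across the differently
# named drops. The "loader" bytes used below are constructed for the demo.
import hashlib
import struct
from typing import List, Optional, Tuple

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
FILE_HEADER_SIZE = 20      # IMAGE_FILE_HEADER
SECTION_HEADER_SIZE = 40   # IMAGE_SECTION_HEADER


def pe_size_from_headers(blob: bytes, base: int) -> Optional[int]:
    """Return the on-disk size of the PE image that starts at blob[base], or
    None if the bytes there are not a parseable PE (stray "MZ" pairs in data
    are common, so every candidate is validated through its headers)."""
    if blob[base:base + 2] != IMAGE_DOS_SIGNATURE or len(blob) < base + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", blob, base + 0x3C)[0]
    nt = base + e_lfanew
    if e_lfanew < 0x40 or nt + 4 + FILE_HEADER_SIZE > len(blob):
        return None
    if blob[nt:nt + 4] != IMAGE_NT_SIGNATURE:
        return None
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", blob, nt + 4)
    sections_off = e_lfanew + 4 + FILE_HEADER_SIZE + size_opt   # relative to base
    end = sections_off + num_sections * SECTION_HEADER_SIZE     # headers at the least
    if num_sections == 0 or base + end > len(blob):
        return None
    for i in range(num_sections):
        hdr = base + sections_off + i * SECTION_HEADER_SIZE
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in the section header
        size_raw, ptr_raw = struct.unpack_from("<II", blob, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    if base + end > len(blob):
        return None  # section data runs past the buffer: truncated, not a real drop
    return end


def carve_embedded_pes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Scan blob for embedded PE images, skipping the outer file's own header at
    offset 0. Returns (offset, image bytes) for each validated hit."""
    found = []
    pos = blob.find(IMAGE_DOS_SIGNATURE, 1)
    while pos != -1:
        size = pe_size_from_headers(blob, pos)
        if size:
            found.append((pos, blob[pos:pos + size]))
            pos = blob.find(IMAGE_DOS_SIGNATURE, pos + size)
        else:
            pos = blob.find(IMAGE_DOS_SIGNATURE, pos + 1)
    return found


def build_minimal_pe(payload: bytes) -> bytes:
    """Construct a structurally valid (not runnable) PE32+ image with one
    section holding payload; used only to fabricate the embedded file."""
    e_lfanew = 0x40
    dos_header = IMAGE_DOS_SIGNATURE + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)
    size_opt = 240  # size of an IMAGE_OPTIONAL_HEADER64; its contents are irrelevant here
    file_header = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, size_opt, 0x2022)
    raw_ptr = e_lfanew + 4 + FILE_HEADER_SIZE + size_opt + SECTION_HEADER_SIZE
    section = (b".data\x00\x00\x00"
               + struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_ptr)
               + b"\x00" * 16)
    image = dos_header + IMAGE_NT_SIGNATURE + file_header + b"\x00" * size_opt + section
    assert len(image) == raw_ptr
    return image + payload


def demo() -> dict:
    """Hide a fabricated DLL inside a fabricated loader and carve it back out."""
    dll = build_minimal_pe(b"second-stage payload bytes")
    outer_header = IMAGE_DOS_SIGNATURE + b"\x90" * 0x3E   # loader's own MZ; e_lfanew is junk
    loader = (outer_header + b"\x00" * 200 + b"\xCC" * 31 + dll
              + b"xx MZ appears here in data, not a header " + b"\x00" * 8)
    carved = carve_embedded_pes(loader)
    return {
        "count": len(carved),
        "offset": carved[0][0] if carved else None,
        "matches_original": bool(carved) and carved[0][1] == dll,
        "sha256": hashlib.sha256(carved[0][1]).hexdigest() if carved else None,
    }


if __name__ == "__main__":
    print(demo())
```

Against a real sample, read the signed loader into `blob` and run `carve_embedded_pes` over it; the SHA-256 of the carved image is what to compare between holorui.dll, axsssig.dll and Pasade.dll drops, since the file names differ while the content does not. The size check against the section table is what keeps a truncated or decoy "MZ" from being carved as a payload.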

Second Stage of Infection

  • In the second stage of infection, the loader builds a command line that executes the LaunchColorCpl function exported by the .dll via Rundll32.exe on the infected system.
Command line to execute the function LaunchColorCpl

  • A new Rundll32 process is spawned with the above command line via the CreateProcessW Win32 API.
Spawning a Rundll32 process via CreateProcessW Win32 API

  • The newly spawned Rundll32.exe process is listed in the process listing on the infected machine. 
Newly spawned Rundll32.exe process

Command line confirmation for the newly spawned process

  • The final payload is executed by the Rundll32.exe process.  
Network activities between the infected host and the attacker C2
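The second stage leaves a distinctive process-creation event: Rundll32.exe started with a DLL path under the user's Temp folder and the LaunchColorCpl export name. The example below, added here and not code from the article, is detection logic a SOC could run over process-creation telemetry: it tokenizes the Windows command line, parses rundll32's `<dll>,<entrypoint>` syntax, and flags loads from the user Temp directory or calls to the known export. It keys on the parent directory and the export rather than the DLL name, since the name varies across samples (holorui.dll, axsssig.dll, Pasade.dll). The events are constructed, Sysmon-style records with invented process IDs, not captured telemetry.

```python
# Added example (not the article's code): detection logic for the second stage,
# flagging rundll32.exe launches that load a DLL from the user's Temp folder or
# call the LaunchColorCpl export. The process-creation events below are
# constructed, Sysmon-style records, not captured telemetry.
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Drop directories vary per sample (goalgames, Framwork, oarimgamings, ...), so the
# detection keys on the user Temp parent and the export name, not the DLL name.
USER_TEMP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
KNOWN_EXPORTS = {"launchcolorcpl"}
# rundll32 syntax: <dll>,<entrypoint> [optional arguments]
RUNDLL_ARGS_RE = re.compile(r"^(?P<dll>.+?)\s*,\s*(?P<entry>[^\s,]+)(?:\s+(?P<args>.*))?$", re.S)


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Minimal Windows-style tokenizer: whitespace separates arguments unless
    inside double quotes (shlex is POSIX-oriented and mangles backslashes)."""
    args, cur, in_quotes = [], "", False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                args.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        args.append(cur)
    return args


def parse_rundll32(cmdline: str) -> Optional[Dict[str, str]]:
    """Return {'dll', 'entry', 'args'} for a rundll32 command line, else None."""
    tokens = split_windows_cmdline(cmdline)
    if not tokens or ntpath.basename(tokens[0]).lower() not in ("rundll32.exe", "rundll32"):
        return None
    m = RUNDLL_ARGS_RE.match(" ".join(tokens[1:]))
    if not m:
        return None
    return {"dll": m["dll"].strip(), "entry": m["entry"], "args": m["args"] or ""}


def assess_rundll32_event(event: Dict[str, object]) -> List[str]:
    """Reasons this process-creation event matches the Blister second-stage pattern."""
    parsed = parse_rundll32(str(event.get("CommandLine", "")))
    if parsed is None:
        return []
    reasons = []
    if USER_TEMP_RE.match(parsed["dll"]):
        reasons.append("rundll32 loading a DLL from the user Temp directory")
    if parsed["entry"].lower() in KNOWN_EXPORTS:
        reasons.append("export %s matches the Blister second-stage entry point" % parsed["entry"])
    return reasons


def scan_events(events: List[Dict[str, object]]) -> List[Tuple[int, List[str]]]:
    """Return (ProcessId, reasons) for every event that triggers at least one reason."""
    hits = []
    for ev in events:
        reasons = assess_rundll32_event(ev)
        if reasons:
            hits.append((int(ev["ProcessId"]), reasons))
    return hits


# Constructed sample telemetry (the ProcessId and CommandLine fields of a process-creation event).
SAMPLE_EVENTS = [
    {"ProcessId": 4412, "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Users\analyst\AppData\Local\Temp\goalgames\holorui.dll",LaunchColorCpl'},
    {"ProcessId": 4420, "CommandLine": r'rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,3'},
    {"ProcessId": 5120, "CommandLine": r'rundll32.exe C:\Users\bob\AppData\Local\Temp\Framwork\axsssig.dll,LaunchColorCpl'},
    {"ProcessId": 5308, "CommandLine": r'C:\Windows\System32\rundll32.exe C:\Windows\System32\printui.dll,PrintUIEntry /q'},
    {"ProcessId": 6008, "CommandLine": r'rundll32.exe "C:\Users\eve\AppData\Local\Temp\guirtsframworks\Pasade.dll", LaunchColorCpl'},
    {"ProcessId": 6100, "CommandLine": r'C:\Windows\explorer.exe'},
]

if __name__ == "__main__":
    for pid, reasons in scan_events(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

The Temp-path reason on its own is lower confidence, since some legitimate installers also run rundll32 against a DLL unpacked under Temp; the export name, or a hash match on the dropped DLL, is what raises a hit to high confidence. Treating the two reasons separately keeps the rule useful after the actors rotate the export name.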

In part 2 of this article we will cover the internal workings of the .dll payload in detail.

Indicators of Compromise (IoCs)
Signed loaders

  • ed6910fd51d6373065a2f1d3580ad645f443bf0badc398aa77185324b0284db8
  • cb949ebe87c55c0ba6cf0525161e2e6670c1ae186ab83ce46047446e9753a926
  • 7b9091c41525f1721b12dcef601117737ea990cee17a8eecf81dcfb25ccb5a8f
  • 84a67f191a93ee827c4829498d2cb1d27bdd9e47e136dc6652a5414dab440b74
  • cc31c124fc39025f5c3a410ed4108a56bb7c6e90b5819167a06800d02ef1f028
  • 9472d4cb393256a62a466f6601014e5cb04a71f115499c320dc615245c7594d4
  • 4fe551bcea5e07879ec84a7f1cea1036cfd0a3b03151403542cab6bd8541f8e5
  • 1a10a07413115c254cb7a5c4f63ff525e64adfe8bb60acef946bb7656b7a2b3d
  • 9bccc1862e3e5a6c89524f2d76144d121d0ee95b1b8ba5d0ffcaa23025318a60
  • 8a414a40419e32282d33af3273ff73a596a7ac8738e9cdca6e7db0e41c1a7658
  • 923b2f90749da76b997e1c7870ae3402aba875fdbdd64f79cbeba2f928884129
  • ed241c92f9bc969a160da2c4c0b006581fa54f9615646dd46467d24fe5526c7a
  • 294c710f4074b37ade714c83b6b7bf722a46aef61c02ba6543de5d59edc97b60


  • BE7E259D5992180EADFE3F4F3AB1A5DECC6A394DF60C7170550B3D222FCE5F19