North Korean state-sponsored hackers have built a Remote Access Trojan (RAT) called BLINDINGCAN and used it to attack US government contractors in the defense sector.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) disclosed the details of the campaign in a joint advisory.
What is this BLINDINGCAN all about?
US authorities say they identified BLINDINGCAN this year in several attacks. According to the officials, the hackers are targeting US and overseas companies working in the national security and aerospace industries.
“[The] FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation,” the advisory said.
To lure targets, the hackers send messages that purport to come from major defense contractors.
The emails carry malicious attachments (typically Office and PDF documents) which, when opened, install a data-gathering implant on the victim's device.
According to the agencies, the operation used compromised infrastructure in multiple countries to host its command and control (C2) servers and to deliver implants to target systems.
Two Dynamic-Link Libraries (DLLs) and four Microsoft Word Open XML documents (.docx) were analyzed. The .docx files attempted to connect to external domains to download a payload. One of the DLLs installed a second DLL named "iconcache.db", which in turn unpacked and executed BLINDINGCAN.
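The two behaviours above give a defender two cheap triage checks: a Word document that carries an external link (the mechanism Word uses for remote templates, images and OLE targets), and a PE image hiding behind a non-executable file name such as iconcache.db. The script below is an added example written for this page, not code from the advisory or the malware analysis report. It assumes the external link is recorded as a relationship with `TargetMode="External"` in one of the document's `.rels` parts, and it builds its own constructed samples (a tiny .docx and a fake, non-loadable PE header) so it runs offline.

```python
"""Triage helpers for the two indicators described above.  Added example; the
sample .docx and the fake PE file are constructed here and are not real malware."""
import os
import struct
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# OOXML package relationship namespace (fixed by the ECMA-376 spec)
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Extensions a PE image is expected to carry; anything else with an MZ/PE header is suspicious
EXEC_EXT = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}


def external_targets(docx_path):
    """Return (rels part, relationship kind, host) for every external relationship in a .docx.

    Assumption: remote fetches are recorded as Relationship elements with
    TargetMode="External".  A document authored locally normally has none.
    """
    hits = []
    with zipfile.ZipFile(docx_path) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    target = rel.get("Target", "")
                    host = urlparse(target).hostname or target
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]  # e.g. attachedTemplate
                    hits.append((name, kind, host))
    return hits


def is_pe_file(path):
    """True if the file starts with an MZ header and a PE signature at e_lfanew."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
        f.seek(e_lfanew)
        return f.read(4) == b"PE\0\0"


def masquerading_pe_files(directory):
    """Walk a directory and return PE images whose extension is not an executable one."""
    found = []
    for root, _, files in os.walk(directory):
        for fn in files:
            path = os.path.join(root, fn)
            if os.path.splitext(fn)[1].lower() not in EXEC_EXT and is_pe_file(path):
                found.append(path)
    return sorted(found)


def build_samples(workdir):
    """Construct the sample inputs: a minimal .docx whose settings part points at a
    remote template (hostname is an assumption), plus a fake PE named iconcache.db."""
    docx = os.path.join(workdir, "job_offer.docx")
    rels = (
        f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/'
        '2006/relationships/attachedTemplate" '
        'Target="https://template.example.invalid/payload.dotm" TargetMode="External"/>'
        "</Relationships>"
    )
    with zipfile.ZipFile(docx, "w") as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/settings.xml.rels", rels)
    # Fake PE: MZ header, e_lfanew -> 0x80, "PE\0\0" at 0x80.  Not a loadable image.
    pe = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", pe, 0x3C, 0x80)
    pe += b"\0" * (0x80 - len(pe)) + b"PE\0\0" + b"\0" * 16
    with open(os.path.join(workdir, "iconcache.db"), "wb") as f:
        f.write(pe)
    with open(os.path.join(workdir, "notes.txt"), "wb") as f:
        f.write(b"plain text, not a PE")
    return docx


def run_demo():
    """Build the constructed samples in a temporary directory and triage them."""
    with tempfile.TemporaryDirectory() as d:
        docx = build_samples(d)
        return {
            "external": external_targets(docx),
            "masquerading": [os.path.basename(p) for p in masquerading_pe_files(d)],
        }


if __name__ == "__main__":
    print(run_demo())
```

Run it against a real mailbox export or a user profile by pointing `external_targets` at each .docx and `masquerading_pe_files` at the directory; any external host the user does not recognise, and any MZ/PE file with a data-file extension, warrants a closer look.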
A previous report by ClearSky, a cyber security firm, referred to this RAT as DRATzarus.
According to CISA, BLINDINGCAN has a broad range of technical capabilities. The malware can perform reconnaissance on target networks and, in the advisory's words, 'gather information about important military and energy technologies.'
The malware has a number of other capabilities, too. These include:
- Retrieve detailed information about all installed disks on the system;
- Retrieve local IP address information;
- Retrieve processor information;
- Delete itself from infected systems and remove its traces;
- Create, start and terminate a new process and its primary thread;
- Write, read, execute, and move files;
- Change the current directory for a process or file; and
- Modify timestamps on files or directories.
Update your systems now, experts warn
In the advisory, CISA told administrators to scan software downloaded from the internet before executing it, to keep operating system patches current, and to keep antivirus signatures and engines up to date.
The HIDDEN COBRA group, which the FBI and CISA believe is behind BLINDINGCAN, has a long history of attacking Western governments and private companies.
HIDDEN COBRA, also known as Lazarus Group or APT38, gained notoriety in 2014 when it hacked Sony Pictures over The Interview, a satirical film depicting the assassination of North Korean leader Kim Jong-un.
Security researchers at Sansec recently found that Lazarus operators had installed payment-card skimmers in the online stores of several US and European retailers, attempting to capture credit card details from unwitting shoppers.
Earlier, in May, researchers at Malwarebytes said they had identified a new variant of the Dacls RAT, built by Lazarus specifically to target devices running macOS.