Threat Watch

North Korean BLINDINGCAN RAT Exposed

As part of a joint effort between the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), the US Computer Emergency Response Team (US-CERT) has released a new malware analysis report on BLINDINGCAN. BLINDINGCAN is a previously unknown Remote Access Trojan (RAT) currently targeting defense contractors through job postings. Analysis of DLL files submitted indicate two different RATs being dropped: Hidden Cobra RAT, which was previously known, and BLINDINGCAN. The report labels BLINDINGCAN as a variant of Hidden Cobra RAT with the following features:

  • Retrieve information about all installed disks, including the disk type and the amount of free space on the disk.
  • Create, start, and terminate a new process and its primary thread.
  • Search, read, write, move, and execute files.
  • Get and modify file or directory timestamps.
  • Change the current directory for a process or file.
  • Delete malware and artifacts associated with the malware from the infected system.

ANALYST NOTES

Although the report was unable to retrieve the files that the malicious Word documents attempted to download, it can be inferred that victims infected with either RAT were initially targeted through these documents. Even if a Word document was not received through a phishing attempt, recipients of email or other messages that include a document or spreadsheet file with macros or other embedded objects should always exercise caution before allowing macros to be run.

Source: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a