
US-Cert warns of North Korean BLINDINGCAN malware

Ransomware | BCyber | August 31, 2020

Background

The United States Cybersecurity and Infrastructure Security Agency (CISA) published a Malware Analysis Report today revealing cybercriminal activities of hackers backed by the North Korean government.

The report states that CISA, in conjunction with the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS), identified a remote access trojan (RAT) deployed by the North Korean government-sponsored hacking group referred to as Hidden Cobra by the US government and also infamously known as the Lazarus Group or APT38.

The malware variant used by the North Korean threat actors is called BLINDINGCAN. It was used together with proxy servers in order to maintain a presence on the victim's system and extend network exploitation through its built-in functions.

It is worth noting that just a couple of days ago, the FBI (Federal Bureau of Investigation) and the National Security Agency (NSA) had warned about Russian government-backed hackers using Drovorub malware against Linux systems.

However, the latest advisory revealed that the threat actors in question lured victims through a recruitment campaign purporting to come from leading defense corporations such as the Boeing Company.

Not only this, but the victims were asked to go through an extensive interview process, which was a hoax, until they received malicious documents riddled with the malware.

These documents were the pathway into victims' computer systems, used to gather intelligence pertaining to "key military and energy technologies." In its Malware Analysis Report, CISA wrote that:

CISA received four Microsoft Word Open Extensible Markup Language (XML) documents (.docx), two Dynamic-Link Libraries (DLLs). The .docx files attempt to connect to external domains for a download. A 32-bit and a 64-bit DLL were submitted that install a 32-bit and a 64-bit DLL named "iconcache.db" respectively. The DLL "iconcache.db" unpacks and executes a variant of Hidden Cobra RAT. It contains built-in functions for remote operations that provide various capabilities on a victim's system.

It is noteworthy that BLINDINGCAN has varied technical capabilities. The RAT is able to retrieve information about all installed disks, the operating system, and the processor.

Not only this, but the trojan can also obtain the local IP address and the media access control (MAC) address. The most dangerous capabilities, however, are starting or terminating processes and modifying files: it can search for, read, write, and execute files.
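One defender-side triage check, added here as an example and not taken from the CISA report or this article: the dropper installs its DLL under the name "iconcache.db", a name Windows otherwise uses for a non-executable icon cache, so a file of that name that carries a PE header is worth a closer look. The heuristic, the minimal PE header builder and the sample directory tree below are all constructed for this example.

```python
import struct
import tempfile
from pathlib import Path

TARGET_NAME = "iconcache.db"  # file name CISA reports for the dropped DLL

def pe_machine(data: bytes):
    """Return the COFF Machine field (0x14C = 32-bit, 0x8664 = 64-bit) if data is a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]

def find_suspicious_iconcache(root: str) -> list:
    """Return (path, machine) for every iconcache.db under root that is really a PE image."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.name.lower() != TARGET_NAME or not p.is_file():
            continue
        with p.open("rb") as fh:
            head = fh.read(4096)  # headers sit at the start; no need to read the whole file
        machine = pe_machine(head)
        if machine is not None:
            hits.append((str(p), machine))
    return hits

def make_fake_pe(machine: int) -> bytes:
    """Constructed sample (not a real DLL): DOS header, PE signature, COFF header flagged IMAGE_FILE_DLL."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points just past the DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0x2000)
    return bytes(dos) + b"PE\x00\x00" + coff

def demo() -> list:
    """Constructed tree: a benign cache file, two PE-backed iconcache.db files, one unrelated DLL."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "IconCache.db": b"\x00" * 256,  # genuine cache data does not start with MZ
        "a/iconcache.db": make_fake_pe(0x14C),  # IMAGE_FILE_MACHINE_I386
        "b/iconcache.db": make_fake_pe(0x8664),  # IMAGE_FILE_MACHINE_AMD64
        "b/other.dll": make_fake_pe(0x8664),  # wrong name, must not be flagged
    }
    for rel, data in samples.items():
        path = root / rel
        path.parent.mkdir(exist_ok=True)
        path.write_bytes(data)
    return sorted(machine for _, machine in find_suspicious_iconcache(str(root)))
```

Point `find_suspicious_iconcache` at a user profile or a collected triage image to list every PE-backed `iconcache.db` together with whether it is a 32-bit or 64-bit image, matching the two variants CISA describes.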

The North Korean threat actors are notorious, to say the least. Just last month, security researchers at Sansec reported that the group might be involved in stealing card information from mainstream European and US-based e-commerce companies.

In May 2020, the infamous group slipped malware into a macOS-based 2FA app named MinaOTP. The purpose was to deploy a trojan that could provide the hackers with remote access. The trojan could also execute commands, manage the system's files and processes, proxy traffic, and perform worm scanning.

Nevertheless, the determined group is known to use similar tactics, targeting firms and government entities to steal sensitive data. For this case, CISA has issued a few security recommendations for users and administrators alike to strengthen their security measures and avoid unwanted impacts.


This content was originally published here.

Written by: BCyber
