CISA warns of BLINDINGCAN, a new strain of North Korean malware

Malware was used in a series of attacks targeting the US defense and aerospace sectors.
Written by Catalin Cimpanu, Contributor

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a security alert today containing details about a new strain of malware that was seen this year deployed by North Korean government hackers.

This new malware was spotted in attacks that targeted US and foreign companies active in the military defense and aerospace sectors, sources in the infosec community have told ZDNet, with the attacks being documented in reports from McAfee (Operation North Star) and ClearSky (Operation DreamJob).

The attacks followed the same pattern, with North Korean hackers posing as recruiters at big corporations in order to approach employees at the desired companies.

Targeted employees were asked to go through an interviewing process, during which they'd usually receive malicious Office or PDF documents that North Korean hackers would use to deploy malware on the victim's computers.

The final payload in these attacks is the focal point of today's CISA alert, a remote access trojan (RAT) that CISA calls BLINDINGCAN (called DRATzarus in the ClearSky report).

CISA experts say North Korean hackers used the malware to gain access to victim's systems, perform reconnaissance, and then "gather intelligence surrounding key military and energy technologies."

This was possible due to BLINDINGCAN's broad set of technical capabilities, which allowed the RAT to:

  • Retrieve information about all installed disks, including the disk type and the amount of free space on the disk
  • Get operating system (OS) version information
  • Get Processor information
  • Get system name
  • Get local IP address information
  • Get the victim's media access control (MAC) address.
  • Create, start, and terminate a new process and its primary thread
  • Search, read, write, move, and execute files
  • Get and modify file or directory timestamps
  • Change the current directory for a process or file
  • Delete malware and artifacts associated with the malware from the infected system

The CISA alert includes indicators of compromise and other technical details that can help system administrators and security professionals set up rules to scan their networks for signs of compromise.

This is the 35th time the US government has issued a security alert about North Korean malicious activity. Since May 12, 2017, CISA has published reports on 31 North Korean malware families on its website.

North Korean government hackers have been one of the four most active threat actors that have targeted the US in recent years, together with Chinese, Iranian, and Russian groups.

The US has been trying to dissuade attacks by criminally charging hackers from these countries or publicly calling out hacking activities that go beyond the real of intelligence espionage.

Earlier this year, in April, the US State Department has stepped up its efforts to deter North Korean hacking by setting up a $5 million reward program for any information on North Korean hackers, their whereabouts, or their current campaigns.

In a report published last month, the US Army revealed that many of North Korea's hackers operate from abroad, not just from North Korea, from countries such as Belarus, China, India, Malaysia, and Russia.

The world's most famous and dangerous APT (state-developed) malware

Editorial standards