The US Cybersecurity and Infrastructure Security Agency (CISA) has published a security alert today containing details about a new strain of malware that was seen this year deployed by North Korean government hackers.
The attacks followed a consistent pattern: North Korean hackers posed as recruiters at large corporations in order to approach employees at the companies they wanted to breach.
Targeted employees were asked to go through an interview process, during which they would usually receive malicious Office or PDF documents that the attackers used to deploy malware on the victims' computers.
The final payload in these attacks is the focal point of today's CISA alert, a remote access trojan (RAT) that CISA calls BLINDINGCAN (called DRATzarus in the ClearSky report).
CISA experts say North Korean hackers used the malware to gain access to victims' systems, perform reconnaissance, and then "gather intelligence surrounding key military and energy technologies."
This was possible due to BLINDINGCAN's broad set of technical capabilities, which allowed the RAT to:
Retrieve information about all installed disks, including the disk type and the amount of free space on the disk
Get operating system (OS) version information
Get Processor information
Get system name
Get local IP address information
Get the victim's media access control (MAC) address
Create, start, and terminate a new process and its primary thread
Search, read, write, move, and execute files
Get and modify file or directory timestamps
Change the current directory for a process or file
Delete malware and artifacts associated with the malware from the infected system
The CISA alert includes indicators of compromise (IOCs) and other technical details that can help system administrators and security professionals set up rules to scan their networks for signs of compromise.
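As an illustration of how such indicators are put to work, the following is an added example (not code from CISA or from the alert) of a minimal host sweep: it hashes every file under a directory and reports matches against a hash list, with filename matches reported separately as a weaker signal. The hashes and the filename "dropper.dll" used here are constructed for the demo and are not the BLINDINGCAN indicators; in practice the list is loaded from the alert itself.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed IOC set for this example only; these are NOT indicators from the
# CISA alert. In practice the hashes come from the alert / MAR you are acting on.
MALICIOUS_BYTES = b"constructed stand-in for a malicious sample\n"
IOC_SHA256 = {
    hashlib.sha256(MALICIOUS_BYTES).hexdigest(): "constructed-sample-1",
}
# Hypothetical filename indicator, again not from the alert.
IOC_FILENAMES = {"dropper.dll"}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, ioc_hashes=IOC_SHA256, ioc_names=IOC_FILENAMES):
    """Walk `root` and return sorted (path, reason) pairs for files matching an IOC.

    Hash matches are the reliable signal; a filename match is weak (an attacker can
    rename a dropper) and is labelled as such so triage can weigh it accordingly.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # do not follow links out of the scanned tree
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable file; a real sweep would log this
            if digest in ioc_hashes:
                hits.append((str(path), f"sha256 match: {ioc_hashes[digest]}"))
            elif name.lower() in ioc_names:
                hits.append((str(path), "filename match (weak indicator)"))
    return sorted(hits)


def build_demo_tree(root):
    """Create a small constructed directory: two benign files, one hash hit, one name hit."""
    root = Path(root)
    (root / "docs").mkdir()
    (root / "docs" / "notes.txt").write_bytes(b"benign notes\n")
    (root / "docs" / "dropper.dll").write_bytes(b"same name, different content\n")
    (root / "AppData").mkdir()
    (root / "AppData" / "update.exe").write_bytes(MALICIOUS_BYTES)
    (root / "README").write_bytes(b"benign\n")


def run_demo():
    """Build the constructed tree in a temp dir, sweep it, and return hits as relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return [(Path(p).relative_to(tmp).as_posix(), reason) for p, reason in sweep(tmp)]


if __name__ == "__main__":
    for path, reason in run_demo():
        print(f"{path}: {reason}")
```

The hash match on a renamed binary (update.exe) is what catches the sample; the file that merely shares the indicator's name is surfaced but flagged as weak, which is how a practitioner would want to triage the two. A production sweep would also cover the network-side indicators in the alert, which this example does not.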
North Korean government hackers have been one of the four most active threat actors that have targeted the US in recent years, together with Chinese, Iranian, and Russian groups.
The US has been trying to dissuade attacks by criminally charging hackers from these countries or publicly calling out hacking activities that go beyond the realm of intelligence espionage.
Earlier this year, in April, the US State Department stepped up its efforts to deter North Korean hacking by setting up a $5 million reward program for any information on North Korean hackers, their whereabouts, or their current campaigns.