North Korean hacking group is using BLINDINGCAN malware to attack defence firms, warns CISA

Hackers are sending spam mails that purport to come from big defence contractors to trap potential targets

North Korean state-sponsored actors have been using a remote access Trojan (RAT), dubbed BLINDINGCAN, to target American government contractors in the defence sector.

The US Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) revealed details of the new malware strain in a joint alert issued on Wednesday.

The US agencies say they have identified BLINDINGCAN in multiple attacks this year, targeting both US and overseas firms operating in the military defence and aerospace sectors.

"[The] FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation," the advisory said.

To lure potential targets, hackers send spam mails that purport to come from big defence contractors.

However, the messages actually contain malicious files (usually Office and PDF documents), that deploy a data gathering implant onto the victim's machines when opened.

'This campaign utilized [sic] compromised infrastructure from multiple countries to host its command and control (C2) infrastructure and distribute implants to a victim's system,' the agencies noted.

CISA said that it had received two Dynamic-Link Libraries (DLLs) and four Microsoft Word Open Extensible Markup Language (XML) documents (.docx) for analysis. It found that the .docx files attempted to connect to external domains for a download. Similarly, a DLL file attempted to install another DLL file named "iconcache.db" which eventually unpacked and ran the BLINDINGCAN malware.

An earlier report by cyber security firm ClearSky referred to this RAT as DRATzarus.

According to CISA, BLINDINGCAN has a broad set of technical capabilities, enabling it to perform reconnaissance on victim's systems and 'gather intelligence surrounding key military and energy technologies.'

The malware can also perform many other tasks, such as:

• Collect detailed information about all disks installed on the system
• Collect local IP address details
• Get processor information
• Delete itself from infected systems and clean its traces
• Create, initiate and terminate a new process
• Read, write, execute and move files
• Change current directory for a file or process
• Modify file or directory timestamps

To strengthen the security of systems and networks, CISA recommends admins review configuration changes before implementing them. Admins are also advised to keep their operating system patches up-to-date and to maintain the latest antivirus signatures and engines.

The HIDDEN COBRA group, which FBI and CISA believe to be behind BLINDINGCAN malware, has a long history of attacking government and private firms in Western countries.

HIDDEN COBRA, also known as Lazarus or APT38, gained notoriety in 2014 when it hacked Sony Pictures over the film The Interview, a comedy centring on the assassination of North Korean leader Kim Jong-un.

Last month, researchers at cyber security firm Sansec claimed that they had found evidence to suggest that Lazarus members were planting skimmers on the web stores of many American and European retailers in an effort to steal payment card details of unsuspecting shoppers.

Earlier in May, Malwarebyes researchers said they had identified a new variant of the Dacls RAT, specifically created by Lazarus to target devices running Mac OS.