North Korean Hackers Using BLINDINGCAN Malware Strain, DHS Sounds Alert

The U.S. Department of Homeland Security (DHS) has released a warning against the new BLINDINGCAN remote access trojan (RAT) used by the North Korea-linked Lazarus Group.

What happened?

Last week, the federal agencies reported BLINDINGCAN (aka DRATzarus) having a broad set of technical capabilities to harm victims.
  • According to reports, the North Korean state-sponsored hackers are using BLINDINGCAN to perform a series of attacks against U.S. and foreign companies from military defense and aerospace sectors.
  • The hackers impersonate recruiters from big corporations and lure employees into an interviewing process and ask them to open (malicious) Office or PDF documents, which eventually infect their systems.
  • Once hackers gain access to the victims' systems, they perform reconnaissance to gather intelligence surrounding key military and energy technologies.

The concealed culprit

The U.S. government and the FBI suspect that HIDDEN COBRA threat actors could be behind these activities. The actors are using the BLINDINGCAN malware variants in conjunction with proxy servers to maintain a presence on victim networks and further exploit the network, the FBI claims.

The striking resemblance

The latest attacks share similarities with some recently discovered campaigns.
  • Between June to August 2020, ClearSky had investigated an offensive campaign, dubbed Operation Dream Job, attributed with high probability to North Korea (possible HIDDEN COBRA).
  • In the end of July, McAfee Advanced Threat Research (ATR) reported a campaign, dubbed Operation North Star, and attributed it to the Hidden Cobra threat actor.
  • According to ZDNet, the new BLINDINGCAN malware was used as a final payload in these attacks as well.

CISA Warns

The Cybersecurity and Infrastructure Security Agency (CISA) has frequently published security alerts about the HIDDEN COBRA hackers, one of the four most active threat actors for North Korean malicious activity. The agency recommended users and administrators to strengthen the security posture of their organization's systems and follow the tips provided by them.