
BLINDINGCAN

By GoldSparrow in Malware

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a new cybersecurity advisory detailing a new malware threat employed by hackers sponsored by the North Korean government. CISA named the malware BLINDINGCAN, but it also appears under the name DRATzarus in reports from private cybersecurity firms.

The malware was observed being deployed against U.S. and international companies operating in the critical military and aerospace sectors. The pretext used in the attacks had the North Korean hackers pose as recruiters from well-known corporations so they could approach employees at the targeted companies without raising too much suspicion. Once contact was established, the criminals pretended to carry out a legitimate interviewing process, during which they sent various malicious PDF or Office documents to the company employees. These corrupted files carried BLINDINGCAN as their payload. According to CISA, the goal of the North Korean hackers was to collect data about "key military and energy technologies."

BLINDINGCAN is a Multipurpose RAT

BLINDINGCAN is a powerful Remote Access Trojan (RAT) with an impressive set of abilities. If it manages to infiltrate the victim's computer, BLINDINGCAN starts snooping around and collects vast amounts of data. BLINDINGCAN logs information about the OS, all installed drives, the IP address, the MAC address, the processor, and the system name of the device. Through BLINDINGCAN, the hackers also can start and terminate processes, manipulate files, and, if they need to cover their tracks, delete all traces of the malware.

North Korea has been among the top four countries responsible for the most cyberattacks over the last few years, the other three being China, Iran and Russia. It is not surprising, then, that since 2017 CISA has published 31 reports about strains of malware hailing from North Korea.
