US government agencies have disclosed a new piece of malware originating from North Korea, called BLINDINGCAN, which is categorized as a backdoor Trojan. The American authorities discovered it in an Internet campaign that was tracked by the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI.
North Korea Hackers Have Devised a New Trojan Called the BLINDINGCAN Malware
The BLINDINGCAN malware is a dangerous weapon created by experienced North Korean hackers, according to an official public disclosure published by US authorities. The American CERT organization reveals that the discovery was made by agents of the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) who were tracking viruses around the world.
The public disclosure attributes the malware to the government-sponsored group known as Hidden Cobra. They are a high-profile and experienced collective which usually devises some of the most complex computer viruses. The FBI believes that the group is using this new malware strain in coordinated attacks against networks, routed through a large network of proxy servers that helps hide the intrusion attempts.
The virus was detected during one of its ongoing intrusion attempts. The American government agencies discovered that the North Koreans have targeted contractors in order to gather intelligence on key military and energy technologies.
To do this the criminals have devised a phishing strategy which relies on fake job postings that imitate the ones posted by defense contractors. Hidden inside them is a malware implant which starts automatically once the recipient interacts with the document. Furthermore, the hackers are using a large worldwide network of proxies, which makes tracking much more difficult.
The malware files linked to this attack are a Microsoft Word .DOCX document and two DLL libraries. The document includes macros which automatically launch the installation procedure. Once installed on a system, the BLINDINGCAN malware connects to a remote command and control center. This allows the attackers to take control of the system and hijack user data. The Trojan file hides itself in the system folders, which makes it very difficult to track down. During the analysis it was found that both a 32-bit and a 64-bit version were developed in order to target as many systems as possible. Other capabilities of the BLINDINGCAN Trojan include the following:
- Data Retrieval — The malware can access system user information and interact with the Disks Manager, one of the core components of the Microsoft Windows operating system. Using this, the virus can query the installed hardware components and check the free space on the computer.
- Process Control — The main virus engine can hook into existing processes or create new ones for itself. This means the malware can reserve its own memory and create numerous threads, enabling even more complex system manipulation.
- File Deployment — Using this malware the hackers can upload arbitrary files to the infected hosts and execute them. As a result, additional infections can be started.
- Stealth Installation — The main Trojan engine can monitor the installed services and protect itself from detection. It will stop running and can even delete itself if an in-depth security scan is started.
More information about this malware can be found in the public advisory, MAR-10295134-1.v1. As always, we expect such advanced hacking attacks to continue.