BLINDINGCAN is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US.[1][2]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
BLINDINGCAN has used HTTPS over port 443 for command and control.[1] |
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
BLINDINGCAN has executed commands via cmd.exe.[1] |
Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
BLINDINGCAN has encoded its C2 traffic with Base64.[1] |
Enterprise | T1005 | Data from Local System |
BLINDINGCAN has uploaded files from victim machines.[1] |
|
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
BLINDINGCAN has used AES and XOR to decrypt its DLLs.[1] |
|
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
BLINDINGCAN has encrypted its C2 traffic with RC4.[1] |
Enterprise | T1041 | Exfiltration Over C2 Channel |
BLINDINGCAN has sent user and system information to a C2 server via HTTP POST requests.[2][1] |
|
Enterprise | T1083 | File and Directory Discovery |
BLINDINGCAN can search, read, write, move, and execute files.[1][2] |
|
Enterprise | T1070 | .004 | Indicator Removal on Host: File Deletion |
BLINDINGCAN has deleted itself and associated artifacts from victim machines.[1] |
.006 | Indicator Removal on Host: Timestomp |
BLINDINGCAN has modified file and directory timestamps.[1][2] |
||
Enterprise | T1105 | Ingress Tool Transfer |
BLINDINGCAN has downloaded files to a victim machine.[1] |
|
Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
BLINDINGCAN has attempted to hide its payload by using legitimate file names such as "iconcache.db".[1] |
Enterprise | T1027 | Obfuscated Files or Information |
BLINDINGCAN has obfuscated code using Base64 encoding.[1] |
|
.002 | Software Packing |
BLINDINGCAN has been packed with the UPX packer.[1] |
||
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
BLINDINGCAN has been delivered by phishing emails containing malicious Microsoft Office documents.[1] |
Enterprise | T1129 | Shared Modules |
BLINDINGCAN has loaded and executed DLLs in memory during runtime on a victim machine.[1] |
|
Enterprise | T1218 | .011 | Signed Binary Proxy Execution: Rundll32 |
BLINDINGCAN has used Rundll32 to load a malicious DLL.[1] |
Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
BLINDINGCAN has been signed with code-signing certificates such as CodeRipper.[1] |
Enterprise | T1082 | System Information Discovery |
BLINDINGCAN has collected from a victim machine the system name, processor information, OS version, and disk information, including type and free space available.[1] |
|
Enterprise | T1016 | System Network Configuration Discovery |
BLINDINGCAN has collected the victim machine's local IP address information and MAC address.[1] |
|
Enterprise | T1204 | .002 | User Execution: Malicious File |
BLINDINGCAN has lured victims into executing malicious macros embedded within Microsoft Office documents.[1] |
ID | Name | References |
---|---|---|
G0032 | Lazarus Group |