Date: 21 August 2020
Author: Eric Patterson
On 19 August, the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) released a Malware Analysis Report (MAR) on malware variants, dubbed BLINDINGCAN, used by the North Korean government.[1] Malicious cyber activities associated with the North Korean government are commonly referred to as HIDDEN COBRA.
BLINDINGCAN refers to a series of Remote Access Trojan (RAT) variants currently in use by HIDDEN COBRA actors to maintain persistent access inside victim infrastructure. The current target set for this campaign includes government contractors who deal with key military and energy technologies. The threat actors made use of active job postings from contractors of interest as lures to deliver one of the malware variants to the victim.
Analysis: BLINDINGCAN RAT Variants
The MAR reported four documents being delivered via email with attached Microsoft Word Document (.docx) files purporting to reference open job postings for targeted companies. The DOCX files contain a series of Extensible Markup Language (XML) files in a directory structure that, when opened and depending on the file received, attempt to contact one of two command and control (C2) domains.
Depending on the information gathered from the victim’s system, a 32- or 64-bit stage-one UPX-packed DLL payload will be downloaded to the victim machine: d40ad4cd39350d718e189adf45703eb3a3935a7cf8062c20c663bc14d28f78c9 or 0fc12e03ee93d19003b2dd7117a66a3da03bd6177ac6eb396ed52a40be913db6, respectively.
Once installed, the follow-on execution chains appear identical for both the 32- and 64-bit variants. The stage-one payloads decode themselves using a hardcoded 0x59 XOR key, and install and execute the DLL in C:\ProgramData\iconcache.db. Stage-two payloads consist of a secondary 32- or 64-bit UPX-packed DLL run out of C:\ProgramData\iconcache.db. During execution, it decompresses two additional DLL files into memory: one is the HIDDEN COBRA RAT variant, and the other is designed to unmap the DLL from memory.
Both of the HIDDEN COBRA RAT variants decrypt themselves using a different hard-coded AES key before attempting to collect the following system information:
- Operating system (OS) version information,
- Processor information,
- System name,
- Local IP address information,
- Media access control (MAC) address, and
- User-agent string (UAS).
This information will be transmitted to one of two C2 domains: curiofirenze[.]com or automercado[.]co[.]cr. The malware will then craft a series of HTTP POST requests to its C2 using four distinct Base64-encoded parameters that relate to built-in functions capable of being executed on the victim machine. The functions of the malware include:
- Retrieve information about all installed disks, including the disk type and the amount of free space on the disk;
- Create, start, and terminate a new process and its primary thread;
- Search, read, write, move, and execute files;
- Get and modify file or directory timestamps;
- Change the current directory for a process or file; and
- Delete malware and artifacts associated with the malware from the infected system.
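Added example (not code from the MAR or from this write-up): a small detection routine that runs over constructed log events and flags the two C2 domains and the C:\ProgramData\iconcache.db path named above. The "<event_type> key=value" log format, host names and loader process are assumptions made for the sample data.

```python
import re

# C2 domains and the on-disk stage path named in the MAR (defanging brackets removed for matching).
C2_DOMAINS = {"curiofirenze.com", "automercado.co.cr"}
STAGE_PATH = r"c:\programdata\iconcache.db"

# Constructed sample events, not real telemetry. Assumed format: "<event_type> key=value ...".
SAMPLE_LOGS = [
    "dns host=ws01 query=update.microsoft.com",
    "dns host=ws01 query=curiofirenze.com",
    "http host=ws07 method=POST dst=automercado.co.cr uri=/index.php",
    "imageload host=ws01 process=rundll32.exe image=C:\\ProgramData\\iconcache.db",
    "imageload host=ws01 process=explorer.exe image=C:\\Windows\\System32\\shell32.dll",
    "filecreate host=ws07 path=C:\\ProgramData\\IconCache.db",
]

def parse(line: str) -> dict:
    """Split '<type> k=v k=v ...' into a dict; the event type is stored under 'type'."""
    kind, _, rest = line.partition(" ")
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["type"] = kind
    return fields

def is_c2_domain(value: str) -> bool:
    """Exact or subdomain match against the C2 set (case-insensitive, trailing dot ignored)."""
    v = value.lower().rstrip(".")
    return any(v == d or v.endswith("." + d) for d in C2_DOMAINS)

def evaluate(event: dict) -> list:
    """Return the alert names that fire for one parsed event."""
    alerts, kind = [], event.get("type")
    if kind == "dns" and is_c2_domain(event.get("query", "")):
        alerts.append("blindingcan_c2_dns")
    if kind == "http" and is_c2_domain(event.get("dst", "")):
        alerts.append("blindingcan_c2_http")
    if kind in ("imageload", "filecreate"):
        path = event.get("image", event.get("path", "")).lower()
        if path == STAGE_PATH:            # case-insensitive match on the stage-one drop path
            alerts.append("blindingcan_iconcache_dll")
    return alerts

def scan(lines) -> dict:
    """Map each line that fires at least one alert to its alert names."""
    hits = {}
    for ln in lines:
        alerts = evaluate(parse(ln))
        if alerts:
            hits[ln] = alerts
    return hits
```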
Prevention and Mitigation
The Cybersecurity and Infrastructure Security Agency (CISA) recommends the following mitigation techniques to defend against BLINDINGCAN. CISA also recommends that any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up-to-date.
- Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
- Enforce a strong password policy and implement regular password changes.
- Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known.
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
- Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
- Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
- Scan all software downloaded from the Internet prior to executing.
- Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
Indicators of Compromise
| SHA-256 | Description |
|---|---|
| 158ddb85611b4784b6f5ca7181936b86eb0ec9a3c67562b1d57badd7b7ec2d17 | Malicious .docx file |
| 6a3446b8a47f0ab4f536015218b22653fff8b18c595fbc5b0c09d857eba7c7a1 | Malicious .docx file |
| 7933716892e0d6053057f5f2df0ccadf5b06dc739fea79ee533dd0cec98ca971 | Malicious .docx file |
| 586d012540ed1244572906e3733a0cb4bba90a320da82f853e5dfac82c5c663e | Malicious .docx file |
| d40ad4cd39350d718e189adf45703eb3a3935a7cf8062c20c663bc14d28f78c9 | 32-bit stage one DLL |
| b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9 | 32-bit stage two DLL |
| bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1 | 32-bit binary RAT |
| 7d507281e2e21476ff1af492ad9f574b14cbf77eb4cda9b67e4256318c7c6bbd | 32-bit DLL unmapper |
| 0fc12e03ee93d19003b2dd7117a66a3da03bd6177ac6eb396ed52a40be913db6 | 64-bit stage one DLL |
| d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5 | 64-bit stage two DLL |
| 58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d | 64-bit binary RAT |
| 8b53b519623b56ab746fdaf14d3eb402e6fa515cde2113a07f5a3b4050e98050 | 64-bit DLL unmapper |
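Added example (not code from the MAR or from CISA): a triage helper that ties together three points from this page, the SHA-256 indicators in the table above, the "true file type" check from the mitigation list, and the hardcoded 0x59 XOR decoding of the stage-one DLL. The indicator dictionary holds a subset of the table; the inputs are constructed stand-ins, and the routine assumes the stage-one encoding is a plain byte-wise XOR with 0x59, which is how the MAR's wording reads rather than something verified against the samples.

```python
import hashlib, io, zipfile

# SHA-256 values taken from the indicator table above (a subset; add the rest as needed).
BLINDINGCAN_SHA256 = {
    "158ddb85611b4784b6f5ca7181936b86eb0ec9a3c67562b1d57badd7b7ec2d17": "Malicious .docx file",
    "d40ad4cd39350d718e189adf45703eb3a3935a7cf8062c20c663bc14d28f78c9": "32-bit stage one DLL",
}
XOR_KEY = 0x59  # stage-one decoding key reported in the MAR
EXPECTED_TYPE = {"docx": "docx", "dll": "pe", "exe": "pe"}

def true_file_type(data: bytes) -> str:
    """Classify by header bytes, not by extension (the 'true file type' check in the mitigations)."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return "docx" if "[Content_Types].xml" in z.namelist() else "zip"
        except zipfile.BadZipFile:
            return "zip-damaged"
    return "unknown"

def xor_hides_pe(data: bytes, key: int = XOR_KEY) -> bool:
    """True if XOR-decoding with key exposes a PE image (MZ header, PE signature at e_lfanew)."""
    dec = bytes(b ^ key for b in data)
    if dec[:2] != b"MZ" or len(dec) < 0x40:
        return False
    e_lfanew = int.from_bytes(dec[0x3C:0x40], "little")
    return dec[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage(name: str, data: bytes) -> dict:
    """Hash match against the IoC table, true type, extension mismatch, and XOR-0x59 probe."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind, digest = true_file_type(data), hashlib.sha256(data).hexdigest()
    return {
        "sha256": digest,
        "ioc_match": BLINDINGCAN_SHA256.get(digest),
        "true_type": kind,
        "extension_mismatch": ext in EXPECTED_TYPE and EXPECTED_TYPE[ext] != kind,
        "xor59_hidden_pe": xor_hides_pe(data),
    }

def constructed_samples() -> dict:
    """Constructed inputs, not real samples: a docx-like zip, a PE stub renamed .docx, and the stub XOR-encoded with 0x59."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
    pe_stub = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
    return {"offer.docx": buf.getvalue(), "resume.docx": pe_stub,
            "iconcache.db": bytes(b ^ XOR_KEY for b in pe_stub)}
```

Only the stage-one encoding is probed here; the stage-two and RAT layers (UPX and AES) need the unpacker and key material the MAR describes separately.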