CISA, FBI Warn of Malware Tied to North Korean Hackers
Joint Alert Says BlindingCan RAT Targets Defense Industry Workers
The FBI and the Cybersecurity and Infrastructure Security Agency have issued a warning about a new malware strain tied to North Korean hackers that’s being used in fake job posting messages sent to defense industry employees.
The malware, called BlindingCan, is a fully functional remote access Trojan that acts as a backdoor when installed on compromised devices. It allows hackers to gather intelligence about infected networks and maintain persistence within the infrastructure, according to the alert.
The joint alert notes that the malware is being deployed by a North Korean-linked hacking group that the U.S. government refers to as Hidden Cobra but others call the Lazarus Group. The group is believed to have been responsible for a number of high-profile attacks over the last five years, including the distribution of the WannaCry ransomware in 2017.
⚠️ Our latest Malware Analysis Report identifies a #malware variant used by North Korean actors to target government contractors. Organizations should immediately take action to defend their networks and reduce exposure: https://t.co/nT9rOXyuvF. #Cybersecurity #InfoSec
— Cybersecurity and Infrastructure Security Agency (@CISAgov) August 19, 2020
"FBI has high confidence that Hidden Cobra actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation," according to the joint alert issued Wednesday.
The BlindingCan malware has appeared in phishing messages that are sent to employees working in the defense industry and appear to originate with job recruiters.
Earlier this month, security firm McAfee published a report concerning North Korean-linked groups that have targeted U.S. aerospace and defense firms with fake job offer emails sent to employees. These attacks attempted to plant malware on victims’ devices, although the malware variant was not identified in the analysis (see: North Korean Hackers Targeted US Aerospace, Defense Firms).
Security firm ClearSky published a similar report this month as well (see: North Korean Hackers Wage Job-Themed Spear-Phishing Attacks).
CISA and the FBI identified four malicious Word documents linked to the fake job phishing campaigns as well as two Dynamic Link Libraries used to spread the BlindingCan malware to compromised devices.
When a victim opens the malicious documents, the DLL file downloads the malware payload, according to the alert. Once installed on a device, BlindingCan can perform a series of functions, including:
- Retrieve information about all installed disks, including the disk type and the amount of free space on the disk;
- Create, start and terminate a new process and its primary thread;
- Search, read, write, move and execute files;
- Retrieve and modify file or directory timestamps;
- Change the current directory for a process or file.
The malware can then transfer any exfiltrated data to the hackers before deleting itself from the infected system, according to the alert.
The FBI and CISA also note that the North Korean hacking group appears to have compromised IT networks in multiple countries and is using these proxy servers as part of its command-and-control infrastructure to distribute malware and disguise its activities.
Since the WannaCry ransomware attacks of 2017, CISA and the FBI have issued frequent warnings about North Korea-sponsored hackers and have published data on nearly 30 malware variants associated with hacking groups suspected of working with the regime (see: Group Behind WannaCry Now Using New Malware).
In April, the U.S. State Department offered a $5 million reward for information about North Korean hacking activity (see: US Offers $5 Million Reward for N. Korea Hacker Information).
Security firm Kaspersky reported in June that a new malware framework was being deployed by Lazarus Group to spread ransomware and steal databases (see: Lazarus Group Deploying Fresh Malware Framework).