BLINDINGCAN is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US.[1][2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | BLINDINGCAN has uploaded files from victim machines.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | BLINDINGCAN has attempted to hide its payload by using legitimate file names such as "iconcache.db".[1] |
| Enterprise | T1129 | Shared Modules | BLINDINGCAN has loaded and executed DLLs in memory during runtime on a victim machine.[1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | BLINDINGCAN has encrypted its C2 traffic with RC4.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | BLINDINGCAN has used AES and XOR to decrypt its DLLs.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | BLINDINGCAN has executed commands via cmd.exe.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | BLINDINGCAN has used HTTPS over port 443 for command and control.[1] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | BLINDINGCAN has encoded its C2 traffic with Base64.[1] |
| Enterprise | T1083 | File and Directory Discovery | BLINDINGCAN can search, read, write, move, and execute files.[1][2] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | BLINDINGCAN has been packed with the UPX packer.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | BLINDINGCAN has obfuscated code using Base64 encoding.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | BLINDINGCAN has lured victims into executing malicious macros embedded within Microsoft Office documents.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | BLINDINGCAN has deleted itself and associated artifacts from victim machines.[1] |
| Enterprise | T1070.006 | Indicator Removal: Timestomp | BLINDINGCAN has modified file and directory timestamps.[1][2] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | BLINDINGCAN has used Rundll32 to load a malicious DLL.[1] |
| Enterprise | T1082 | System Information Discovery | BLINDINGCAN has collected from a victim machine the system name, processor information, OS version, and disk information, including type and free space available.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | BLINDINGCAN has collected the victim machine's local IP address information and MAC address.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | BLINDINGCAN has downloaded files to a victim machine.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | BLINDINGCAN has sent user and system information to a C2 server via HTTP POST requests.[2][1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | BLINDINGCAN has been delivered by phishing emails containing malicious Microsoft Office documents.[1] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | BLINDINGCAN has been signed with code-signing certificates such as CodeRipper.[1] |
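Three of the rows above describe a chain a defender can look for in process-creation telemetry: an Office document runs a macro (T1204.002), which starts Rundll32 (T1218.011) on a module disguised with a benign name such as "iconcache.db" (T1036.005). The following is an added example, not code from the ATT&CK page or from any BLINDINGCAN sample, that scores constructed Sysmon-style process-creation records against those three observations. The field names `Image`, `CommandLine` and `ParentImage`, the sample paths, and the list of user-writable directories are assumptions chosen for the illustration.

```python
"""Added example (not from the ATT&CK page or any BLINDINGCAN sample):
flag rundll32 (T1218.011) loading a module whose name or location does
not look like a legitimate DLL (T1036.005), with extra weight when the
parent is an Office application (T1204.002). Event records are
constructed in a Sysmon Event ID 1 style; the field names Image,
CommandLine and ParentImage are assumptions, not a product schema."""
import re
from typing import Dict, List, Optional

# First argument after rundll32[.exe]: either a quoted path or a bare
# token that ends at whitespace or at the comma before the entry point.
_RUNDLL_MODULE = re.compile(
    r'rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))', re.IGNORECASE
)

# Directories an unprivileged user can write to (assumed list); a module
# proxied from here deserves a closer look even with a .dll extension.
_USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")

# Office binaries that would indicate macro-driven execution (assumed list).
_OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")


def extract_module(cmdline: str) -> Optional[str]:
    """Return the module path rundll32 was asked to load, or None."""
    m = _RUNDLL_MODULE.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def assess_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event is suspicious (empty when benign)."""
    if not event.get("Image", "").lower().endswith("\\rundll32.exe"):
        return []  # only rundll32 process creations are in scope
    module = extract_module(event.get("CommandLine", ""))
    if module is None:
        return ["rundll32 started without a module argument"]
    low = module.lower()
    reasons = []
    if not low.endswith(".dll"):
        reasons.append(f"module extension is not .dll: {module}")
    if any(d in low for d in _USER_WRITABLE):
        reasons.append(f"module lives in a user-writable directory: {module}")
    parent = event.get("ParentImage", "").lower()
    if parent.endswith(_OFFICE_PARENTS):
        reasons.append(f"rundll32 spawned by an Office application: {parent}")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run assess_event over a batch and keep only the flagged records."""
    hits = []
    for idx, ev in enumerate(events):
        reasons = assess_event(ev)
        if reasons:
            hits.append({"index": idx, "event": ev, "reasons": reasons})
    return hits


# Constructed sample events: a benign Control Panel launch, a rundll32 started
# by Word on a cache-named file in a temp folder, and an unrelated cmd.exe.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    },
    {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Users\alice\AppData\Local\Temp\iconcache.db",Start',
    },
    {
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd.exe /c dir",
    },
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"event {hit['index']}: " + "; ".join(hit["reasons"]))
```

Each reason is kept separate rather than collapsed into a single score so that an analyst can see which of the three page-level observations fired; a legitimate rundll32 launch from System32 with a .dll module and a non-Office parent produces no reasons at all.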
| ID | Name | References |
|---|---|---|
| G0032 | Lazarus Group | |