
BLINDINGCAN

Posted: August 20, 2020

The United States aerospace and defense sectors have once again become the target of a cyberattack originating from a foreign country. The culprit is certainly not new to the scene: malware researchers have determined that the attack may come from one of North Korea's government-backed Advanced Persistent Threat (APT) actors. The attack utilizes an entirely new piece of malware known as BLINDINGCAN or DRATzarus. The malware works like a Remote Access Trojan (RAT), with a broad range of features that enable the remote attacker to take full control over the infected systems.

The attack vector the North Korean hackers used is a classic one – they targeted employees working in the industry by sending out fake job offers claiming to come from big companies working in the same sectors. Usually, these emails were accompanied by a PDF or Microsoft Office file that supposedly contains the job offer. However, the document carries a malicious macro script designed to deploy the BLINDINGCAN RAT to vulnerable computers.

North Korean RAT Packs an Impressive Set of Features

The technical capabilities of BLINDINGCAN are very impressive. High-profile APT actors usually stick to simpler but more subtle malware; BLINDINGCAN, however, packs a long list of features:

  • Retrieve software and hardware information.
  • Retrieve information about storage devices, partitions and used/free disk space.
  • Manage processes (start, stop, restart).
  • Manage the file system.
  • Transfer files from the compromised computer to the attacker's server.
  • Modify file and directory timestamps. This is likely used to erase evidence that the attackers have tampered with files and folders (timestomping).
  • Self-removal.
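The timestamp-modification capability listed above is an anti-forensic trick, and a defender can look for its side effects. The following added example (not code from the original article or from the malware) uses a simple POSIX heuristic: a user-level tool can rewrite a file's modification time, but the inode change time (ctime) is set by the kernel and cannot be backdated the same way, so a file whose mtime is far older than its ctime is a candidate for timestomping. It builds a constructed sample directory containing one normal file and one backdated file; the one-year gap threshold and the file names are assumptions for the demo, and on Windows st_ctime means creation time, so the heuristic applies only on Linux/macOS.

```python
import os
import tempfile
import time
from pathlib import Path

# Assumed threshold for this demo: an mtime more than a year older than the
# ctime is treated as a likely backdated file.
SUSPICIOUS_GAP_SECONDS = 365 * 24 * 3600


def timestomp_suspects(root, gap=SUSPICIOUS_GAP_SECONDS):
    """Return files under root whose mtime predates their ctime by more than gap.

    Works on POSIX systems, where st_ctime is the inode change time: a
    utime()/touch-style rewrite of mtime leaves ctime at the real time of
    the change, so the two drift apart on a timestomped file.
    """
    suspects = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        st = path.stat()
        if st.st_ctime - st.st_mtime > gap:
            suspects.append(str(path))
    return sorted(suspects)


def build_sample_dir():
    """Constructed fixture for testing the detector: one ordinary file and
    one file whose mtime has been rewritten to 2015, mimicking the
    timestamp-modification behaviour described in the article."""
    root = tempfile.mkdtemp(prefix="timestomp_demo_")
    normal = Path(root, "report.docx")
    normal.write_bytes(b"ordinary document (constructed sample)")
    backdated = Path(root, "update.dll")
    backdated.write_bytes(b"dropped file (constructed sample)")
    old = time.mktime((2015, 3, 1, 12, 0, 0, 0, 0, -1))
    os.utime(backdated, (old, old))  # atime/mtime rewritten; ctime stays "now"
    return root


if __name__ == "__main__":
    sample_root = build_sample_dir()
    for hit in timestomp_suspects(sample_root):
        print("possible timestomping:", hit)
```

On NTFS volumes the equivalent check compares the $STANDARD_INFORMATION and $FILE_NAME timestamps in the MFT record, which this POSIX-only example does not cover.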

North Korean cybercriminals continue to favor the United States as a target – they are among the most active actors attacking the US, alongside hackers originating from Iran, China and Russia.
