20 August 2020

CISA warns of a new North Korean malware targeting US defense and aerospace sectors

The US Cybersecurity and Infrastructure Security Agency (CISA) has released an alert describing a new malware strain employed by the North Korean hacker group known as Lazarus Group or Hidden Cobra in attacks against US and foreign companies operating in the military defense and aerospace sectors. Some of the attacks have been attributed by researchers to the cyber espionage campaigns tracked as Operation North Star and Operation Dream Job.

The malware, known as BLINDINGCAN, was identified by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). According to the two agencies, BLINDINGCAN is a Remote Access Trojan (RAT) with built-in functions for remote operations that give the operator a range of capabilities on a victim’s system.

The malicious actors leverage this malware in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. This tactic was observed in campaigns aimed at stealing key military and energy technologies from government contractors.

In these campaigns the threat actors used malicious documents posing as job offers to trick victims into installing the information-stealing malware on the target’s system. According to the alert, the hackers used compromised infrastructure in multiple countries to host their command and control (C2) servers and to distribute implants to victims’ systems.

“CISA received four Microsoft Word Open Extensible Markup Language (XML) documents (.docx) and two Dynamic-Link Libraries (DLLs). The .docx files attempt to connect to external domains for a download. A 32-bit and a 64-bit DLL were submitted that install a 32-bit and a 64-bit DLL named "iconcache.db" respectively. The DLL "iconcache.db" unpacks and executes a variant of Hidden Cobra RAT,” the agency said.
