The US Cybersecurity and Infrastructure Security Agency (CISA) has released an alert describing a new malware strain used by the North Korean hacking group known as Lazarus Group or Hidden Cobra in attacks against US and foreign companies operating in the military defense and aerospace sectors. Researchers have attributed some of these attacks to the cyber espionage campaigns tracked as Operation North Star and Operation Dream Job.
The malware, known as BLINDINGCAN, was identified by CISA and the Federal Bureau of Investigation (FBI). According to the two agencies, BLINDINGCAN is a Remote Access Trojan (RAT) with built-in functions for remote operations that give the operator a range of capabilities on a victim's system.
The threat actors use the malware together with proxy servers to maintain a presence on victim networks and to further network exploitation. This tactic was observed in campaigns aimed at stealing key military and energy technologies from government contractors.
In these campaigns the attackers sent malicious documents posing as job offers to trick victims into opening them, which installed the malware on the target's system. According to the alert, the hackers hosted their command and control (C2) infrastructure on compromised infrastructure in multiple countries and used it to distribute implants to victims' systems.
“CISA received four Microsoft Word Open Extensible Markup Language (XML) documents (.docx) and two Dynamic-Link Libraries (DLLs). The .docx files attempt to connect to external domains for a download. A 32-bit and a 64-bit DLL were submitted that install a 32-bit and a 64-bit DLL named "iconcache.db", respectively. The DLL "iconcache.db" unpacks and executes a variant of Hidden Cobra RAT,” the agency said.
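The two artefacts in that quote lend themselves to a simple triage check. A .docx is a zip of XML parts, and the only way a document can "attempt to connect to external domains for a download" when it is opened is through a relationship marked TargetMode="External" in one of its .rels parts (an attached remote template, a linked image, an OLE link), so listing those relationships tells you immediately whether a document phones home and where. Likewise, Windows keeps a legitimate IconCache.db under %LOCALAPPDATA% that is an icon cache, not an executable, so a file of that name carrying a PE header is the masquerade the alert describes. The script below is an added example written for this page; it is not CISA's analysis tooling or the reporting site's code. It assumes the external-relationship mechanism (the alert does not say how the documents reach out), and the .docx and the PE-like bytes it inspects are constructed in the script rather than taken from the real samples.

```python
"""Triage helpers for the two indicators in the CISA/FBI quote:
.docx files that fetch from external domains, and DLLs dropped as
"iconcache.db". Added example, not CISA's or the article's code."""
import io
import re
import struct
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def external_relationships(docx_bytes):
    """Return (rels_part, rel_type, target) for every relationship in the
    OOXML package whose TargetMode is "External". Everything a document
    can reach out to on open is declared here; nothing else in the zip
    carries a remote reference."""
    out = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal") == "External":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    out.append((name, rel_type, rel.get("Target", "")))
    return out


def remote_fetches(docx_bytes):
    """Keep only the external relationships that make Word download
    something when the file is opened: any http(s) target except a plain
    hyperlink, which is followed only if the user clicks it."""
    return [
        (part, rtype, target)
        for part, rtype, target in external_relationships(docx_bytes)
        if re.match(r"https?://", target, re.I) and rtype != "hyperlink"
    ]


def build_sample_docx(template_url):
    """Constructed sample (not one of the submitted files): a minimal
    .docx whose settings part points at a remote attached template, plus
    an ordinary clickable hyperlink so the filter has something to ignore."""
    rels = '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="%s">' % REL_NS
    settings_rels = rels + (
        '<Relationship Id="rId1" Type="%sattachedTemplate" '
        'Target="%s" TargetMode="External"/></Relationships>' % (OFFICE_REL, template_url))
    document_rels = rels + (
        '<Relationship Id="rId1" Type="%shyperlink" '
        'Target="https://example.invalid/careers" TargetMode="External"/>'
        '</Relationships>' % OFFICE_REL)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        z.writestr("_rels/.rels", rels + "</Relationships>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr("word/_rels/document.xml.rels", document_rels)
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


def is_pe_image(data):
    """True if the bytes carry an MZ stub whose e_lfanew field (offset
    0x3C) points at a "PE\\0\\0" signature, i.e. a Windows executable/DLL."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def masquerading_iconcache(filename, data):
    """Windows' own IconCache.db is a cache, not executable code. A PE
    image stored under that name matches the DLL the alert describes."""
    return filename.lower() == "iconcache.db" and is_pe_image(data)


def fake_pe_bytes():
    """Constructed stand-in for a dropped DLL: just enough header for the
    PE check to pass (MZ stub, e_lfanew = 0x40, PE signature at 0x40)."""
    buf = bytearray(0x44)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_docx("http://example.invalid/template.dotm")
    for part, rtype, target in remote_fetches(sample):
        print("remote fetch on open: %s (%s) -> %s" % (part, rtype, target))
    print("iconcache.db is a PE:", masquerading_iconcache("IconCache.db", fake_pe_bytes()))
```

Run it against a real submission by replacing the constructed sample with the bytes of a suspect .docx; an attachedTemplate or image relationship pointing at a domain the organisation does not own is the download behaviour the alert refers to. Expect some noise from intranet template servers, so check the target host rather than alerting on the relationship type alone. The PE check deliberately looks for the "PE\0\0" signature via e_lfanew instead of trusting the first two bytes, since plenty of non-executable formats happen to start with "MZ"-like text while a genuine DLL always has the full header.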