State-backed North Korean hackers are using a new Remote Access Trojan (RAT) named BLINDINGCAN to target defence contractors and steal intelligence surrounding key military and energy technologies, U.S. agencies FBI and CISA have warned.
In a report published on Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warned of a malicious operation by state-backed North Korean hackers that targets the devices and networks of defence contractors in order to steal the information stored on them.
The agencies said the operators are using a new Remote Access Trojan (RAT) named BLINDINGCAN together with proxy servers to maintain a presence on victim networks and to further network exploitation. The malware is delivered by a phishing campaign that uses job postings from leading defence contractors as lures to get targeted employees to open malicious documents on their devices.
“The malicious documents employed in this campaign used job postings from leading defense contractors as lures and installed a data gathering implant on a victim’s system. This campaign utilized compromised infrastructure from multiple countries to host its command and control (C2) infrastructure and distribute implants to a victim’s system,” CISA said.
The BLINDINGCAN remote access trojan supports a range of functions: collecting detailed information about all disks on a system, obtaining the local IP address and processor details, starting or terminating processes, reading, writing, executing and moving files, modifying file or directory timestamps, and deleting itself from an infected system and cleaning up its traces. The last two capabilities matter for responders: altered timestamps and a self-deleting implant make timeline reconstruction and artefact recovery from a compromised host considerably harder.
According to the FBI and CISA, the BLINDINGCAN remote access trojan is being actively used by a North Korean hacker group dubbed Hidden Cobra, which conducts cyber operations on behalf of the North Korean regime. Also known as the Lazarus Group, it has been linked to a number of cyber attacks against Western organisations over the past decade.
In July, security firm Kaspersky also reported a new ransomware family used by the Lazarus Group, known as VHD ransomware. The firm said that once inside a network, the ransomware crawls all connected disks to encrypt files and deletes any folder called “System Volume Information” (the location where Windows keeps its restore point data, so deleting it removes an easy recovery path).
“The program also stops processes that could be locking important files, such as Microsoft Exchange and SQL Server. Files are encrypted with a combination of AES-256 in ECB mode and RSA-2048,” it added.
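The two pre-encryption behaviours described above (deleting “System Volume Information” folders and stopping Exchange or SQL Server processes) are visible in process-creation telemetry before any file is encrypted, which makes them a useful early detection point. The following is an added example, not code from the article, Kaspersky or the malware analysis: a small heuristic detector run over constructed process-creation events. The event line format, the host names and the specific process and service names it matches (sqlservr.exe, MSSQL*, MSExchange*) are assumptions chosen for illustration, not indicators published with the report.

```python
"""
Heuristic detection of VHD-style ransomware precursors in process-creation events.

Rules (derived from the behaviour described in the article):
  1. restore_point_dir_deletion - a shell or PowerShell delete of a
     "System Volume Information" directory (restore point data)
  2. exchange_or_sql_stop       - killing or stopping Exchange / SQL Server
Hosts that show BOTH behaviours are reported as high-confidence hits.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry (NOT real incident data). One event per line:
#   "<iso timestamp> <host> <command line>"
SAMPLE_EVENTS = [
    r"2020-08-19T10:00:01Z ws-07 cmd.exe /c dir D:\Users",
    r'2020-08-19T10:00:05Z ws-07 cmd.exe /c rd /s /q "D:\System Volume Information"',
    r'2020-08-19T10:00:06Z ws-07 cmd.exe /c rd /s /q "E:\System Volume Information"',
    r"2020-08-19T10:00:09Z ws-07 taskkill /f /im sqlservr.exe",
    r"2020-08-19T10:00:10Z ws-07 net stop MSExchangeIS",
    r"2020-08-19T10:02:00Z ws-12 notepad.exe C:\Users\alice\notes.txt",
    r"2020-08-19T10:03:00Z ws-12 net stop Spooler",
    r"2020-08-19T10:04:00Z srv-db1 powershell.exe Stop-Service -Name MSSQLSERVER -Force",
]

# Process/service names below are assumed typical names, not from the report.
RULES = {
    "restore_point_dir_deletion": re.compile(
        r"\b(?:rd|rmdir|del|Remove-Item)\b.*System Volume Information",
        re.IGNORECASE,
    ),
    "exchange_or_sql_stop": re.compile(
        r"\b(?:taskkill\b.*?/im\s+|net\s+stop\s+|Stop-Service\b.*?-Name\s+)"
        r"(?:MSExchange\w*|sqlservr(?:\.exe)?|MSSQL\w*)",
        re.IGNORECASE,
    ),
}


@dataclass
class Event:
    ts: str
    host: str
    cmd: str


@dataclass
class Alert:
    rule: str
    line_no: int
    host: str
    cmd: str


def parse(line: str) -> Event:
    """Split '<ts> <host> <command line>'; the command line may contain spaces."""
    ts, host, cmd = line.split(maxsplit=2)
    return Event(ts, host, cmd)


def scan(lines) -> list[Alert]:
    """Run every rule over every event; one Alert per (event, rule) match."""
    alerts = []
    for n, line in enumerate(lines, 1):
        ev = parse(line)
        for rule, rx in RULES.items():
            if rx.search(ev.cmd):
                alerts.append(Alert(rule, n, ev.host, ev.cmd))
    return alerts


def correlate(alerts) -> list[str]:
    """Hosts on which every rule fired: both behaviours together is the
    ransomware pattern described, a single one alone is often admin activity."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a.host].add(a.rule)
    return sorted(h for h, rules in by_host.items() if rules >= set(RULES))


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for a in hits:
        print(f"[{a.rule}] line {a.line_no} host={a.host}: {a.cmd}")
    print("high-confidence hosts:", correlate(SAMPLE_EVENTS and hits))
```

In the sample, `srv-db1` triggers only the service-stop rule and `ws-07` triggers both, so only `ws-07` is reported by `correlate`. In production the correlation should be bounded to a short time window per host and exclude known backup and maintenance agents, which legitimately stop database services.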