US government organization publishes analysis information of new type malware'BLINDING CAN' used by North Korean hacker group

U.S. Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) attack targeting government contractors by hacker group allegedly supported by North Korea on August 19, 2020 We have released an analysis report summarizing the information on the remote access Trojan (RAT) malware ' BLINDINGCAN ' used in.

MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN | CISA
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a

FBI, DHS expose North Korean government malware used in fake job posting campaign
https://www.cyberscoop.com/north-korean-government-malware-hacking-fake-job-fbi-dhs/

US govt exposes new North Korean BLINDINGCAN backdoor malware
https://www.bleepingcomputer.com/news/security/us-govt-exposes-new-north-korean-blindingcan-backdoor-malware/

This malware is said to be used by hacking groups called ' APT38 ' or 'Lazarus' and 'Hidden Cobra'. APT38 is said to be sponsored by the North Korean government, has been tricking billions of yen by accessing banks around the world and is suspected to be involved in the creation of ransomware ' WannaCry '.

It turned out that a North Korean hacker group had illegally withdrawn tens of billions of yen from banks around the world-GIGAZINE

According to the analysis report, BLINDING CAN has a built-in 'function for remote operation that provides various functions to the victim's system'. APT38 seems to have installed malware by opening a spoofed file as an XML document, and CISA revealed that it acquired 4 types of XML documents related to BLINDING CAN and 2 types of DLLs. ..

BLINDINGCAN specifically has the following functions.
· Get information about all installed disks, such as disk type and free disk space
· Creating, starting, and ending a new process and its primary thread
・File search, read, write, move, execute
-Getting and changing the time stamp of files and directories
-Change the current directory of processes and files
Erases itself and traces from infected systems

The Israeli Ministry of Defense announced on August 12, 2020 that 'a hacker group involving the North Korean government has contacted Boeing and other aviation and defense companies officials for hacking purposes.' The tactic is that an APT38 hacker, who pretended to be a job applicant, sent a fake job offer via the business SNS LinkedIn to approach the HR department and attempted hacking by installing malware through the messaging app WhatsApp. I am using it and I am not sure whether BLINDINGCAN was used, but at least two of the files detected from the actually damaged PC were the same as those obtained by CISA.

'I'm convinced that APT38 hackers are using malware variants in combination with proxy servers to continue to exist on the victim's network while still exploiting the network,' the FBI reports. Said. In addition, in May 2020, the FBI and CISA have prepared up to $5 million (about 500 million yen) in compensation to provide information on North Korean hacker groups including APT38.