win.blindingcan

BLINDINGCAN

aka: DRATzarus RAT

Actor(s): Lazarus Group


According to SentinelOne, this RAT collects and exfiltrates a defined set of host information, can create, terminate and otherwise manipulate processes and files on the victim, and can update and delete itself. Its detailed capabilities (including the command set and network protocol) are documented in CISA's Malware Analysis Report AR20-232A and the JPCERT/CC write-up listed below.

References
2022-09-30ESET ResearchPeter Kálnai
@online{klnai:20220930:amazonthemed:bf959b5, author = {Peter Kálnai}, title = {{Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium}}, date = {2022-09-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/}, language = {English}, urldate = {2022-10-12} } Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium
BLINDINGCAN
2022-09-14Mandiantmacla, Mathew Potaczek, Nino Isakovic, Matt Williams, Yash Gupta
@online{macla:20220914:its:1d63d78, author = {macla and Mathew Potaczek and Nino Isakovic and Matt Williams and Yash Gupta}, title = {{It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp}}, date = {2022-09-14}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing}, language = {English}, urldate = {2022-09-19} } It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp
BLINDINGCAN
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team
2020-12-15HvS-Consulting AGHvS-Consulting AG
@online{ag:20201215:greetings:452ef44, author = {HvS-Consulting AG}, title = {{Greetings from Lazarus: Anatomy of a cyber espionage campaign}}, date = {2020-12-15}, organization = {HvS-Consulting AG}, url = {https://www.hvs-consulting.de/lazarus-report/}, language = {English}, urldate = {2021-01-21} } Greetings from Lazarus: Anatomy of a cyber espionage campaign
BLINDINGCAN MimiKatz Lazarus Group
2020-12-15HvS-Consulting AGHvS-Consulting AG
@techreport{ag:20201215:greetings:a5b59d9, author = {HvS-Consulting AG}, title = {{Greetings from Lazarus Anatomy of a cyber espionage campaign}}, date = {2020-12-15}, institution = {HvS-Consulting AG}, url = {https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf}, language = {English}, urldate = {2020-12-16} } Greetings from Lazarus Anatomy of a cyber espionage campaign
BLINDINGCAN MimiKatz
2020-09-29JPCERT/CCShusei Tomonaga
@online{tomonaga:20200929:blindingcan:a85ca22, author = {Shusei Tomonaga}, title = {{BLINDINGCAN - Malware Used by Lazarus}}, date = {2020-09-29}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html}, language = {English}, urldate = {2020-10-02} } BLINDINGCAN - Malware Used by Lazarus
BLINDINGCAN Lazarus Group
2020-08-31SentinelOneJim Walter
@online{walter:20200831:blindingcan:cdb0ffc, author = {Jim Walter}, title = {{The BLINDINGCAN RAT and Malicious North Korean Activity}}, date = {2020-08-31}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/the-blindingcan-rat-and-malicious-north-korean-activity/}, language = {English}, urldate = {2020-09-01} } The BLINDINGCAN RAT and Malicious North Korean Activity
BLINDINGCAN
2020-08-19US-CERTUS-CERT
@online{uscert:20200819:malware:63a2025, author = {US-CERT}, title = {{Malware Analysis Report (AR20-232A)}}, date = {2020-08-19}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a}, language = {English}, urldate = {2020-09-01} } Malware Analysis Report (AR20-232A)
Bankshot BLINDINGCAN
Yara Rules
[TLP:WHITE] win_blindingcan_auto (20221125 | Detects win.blindingcan.)
rule win_blindingcan_auto {

    /*
     * Auto-generated (YARA-Signator) code signature for win.blindingcan.
     * This is NOT a hand-curated indicator: the 16 byte sequences below are
     * code fragments selected because they recur across Malpedia's documented
     * BLINDINGCAN samples, and the "//" annotations beside each one are a
     * disassembly of the raw bytes, kept purely for reviewer convenience.
     * Read a hit as "shares code with the reference samples", and corroborate
     * it (e.g. with the CISA rule win_blindingcan_w0, or by sandboxing) before
     * acting on it.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.blindingcan."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // $sequence_0 and $sequence_3 appear to come from one routine: together
        // they are eight consecutive 4-byte stores filling [ebp-0x14c]..[ebp-0x130]
        // with opaque constants (key material or an obfuscated blob; the source
        // reports do not say which). A single code region can therefore satisfy
        // both sequences.
        $sequence_0 = { c785c4feffff7c9f1888 c785c8feffff1ce6ae9e c785ccfeffff64ceb0a1 c785d0feffff2d58cb71 }
            // n = 4, score = 300
            //   c785c4feffff7c9f1888     | mov    dword ptr [ebp - 0x13c], 0x88189f7c
            //   c785c8feffff1ce6ae9e     | mov    dword ptr [ebp - 0x138], 0x9eaee61c
            //   c785ccfeffff64ceb0a1     | mov    dword ptr [ebp - 0x134], 0xa1b0ce64
            //   c785d0feffff2d58cb71     | mov    dword ptr [ebp - 0x130], 0x71cb582d

        // Function prologue shape (this = ecx, push 0x2e = '.', zero ebx):
        // very short and fairly generic; weak on its own.
        $sequence_1 = { 8bf1 6a2e 56 33db }
            // n = 4, score = 300
            //   8bf1                 | mov                 esi, ecx
            //   6a2e                 | push                0x2e
            //   56                   | push                esi
            //   33db                 | xor                 ebx, ebx

        // Another stack-built constant block ([ebp-0x54]..[ebp-0x40]).
        // NOTE: $sequence_6 ends with the same two stores this one starts with
        // ([ebp-0x54] and [ebp-0x50]), so the two sequences overlap and are not
        // independent evidence toward the `7 of them` threshold.
        $sequence_2 = { c745ac3a39b69d c745b08c5fbadf c745b4e13300b2 c745b8ae845aa6 c745bc859d0981 c745c0dca79da5 }
            // n = 6, score = 300
            //   c745ac3a39b69d       | mov                 dword ptr [ebp - 0x54], 0x9db6393a
            //   c745b08c5fbadf       | mov                 dword ptr [ebp - 0x50], 0xdfba5f8c
            //   c745b4e13300b2       | mov                 dword ptr [ebp - 0x4c], 0xb20033e1
            //   c745b8ae845aa6       | mov                 dword ptr [ebp - 0x48], 0xa65a84ae
            //   c745bc859d0981       | mov                 dword ptr [ebp - 0x44], 0x81099d85
            //   c745c0dca79da5       | mov                 dword ptr [ebp - 0x40], 0xa59da7dc

        // Continuation of $sequence_0 (the four slots directly below it).
        $sequence_3 = { c785b4feffff607960b9 c785b8feffff2109b8da c785bcfeffff91fd949b c785c0feffff10d43c68 }
            // n = 4, score = 300
            //   c785b4feffff607960b9     | mov    dword ptr [ebp - 0x14c], 0xb9607960
            //   c785b8feffff2109b8da     | mov    dword ptr [ebp - 0x148], 0xdab80921
            //   c785bcfeffff91fd949b     | mov    dword ptr [ebp - 0x144], 0x9b94fd91
            //   c785c0feffff10d43c68     | mov    dword ptr [ebp - 0x140], 0x683cd410

        // eax += 10000 (0x2710), then a 3-argument cdecl call with 0x2040 as the
        // second argument (the callee is masked out). 10000 is a common
        // millisecond value, so this may be a timing/sleep computation -
        // inferred from the constants only, not confirmed by the reports.
        $sequence_4 = { 0510270000 6840200000 50 e8???????? 83c40c }
            // n = 5, score = 300
            //   0510270000           | add                 eax, 0x2710
            //   6840200000           | push                0x2040
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        // jge over an import call taking (edi, imm32) - generic API-call shape.
        $sequence_5 = { 7d10 68???????? 57 ff15???????? 85c0 }
            // n = 5, score = 300
            //   7d10                 | jge                 0x12
            //   68????????           |                     
            //   57                   | push                edi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        // The two stores above [ebp-0x54] of the block in $sequence_2; see the
        // overlap note on $sequence_2.
        $sequence_6 = { c745a453e8ba52 c745a8b67dbc8f c745ac3a39b69d c745b08c5fbadf }
            // n = 4, score = 300
            //   c745a453e8ba52       | mov                 dword ptr [ebp - 0x5c], 0x52bae853
            //   c745a8b67dbc8f       | mov                 dword ptr [ebp - 0x58], 0x8fbc7db6
            //   c745ac3a39b69d       | mov                 dword ptr [ebp - 0x54], 0x9db6393a
            //   c745b08c5fbadf       | mov                 dword ptr [ebp - 0x50], 0xdfba5f8c

        // Import call, skip-on-success, then dereference esi - a very common
        // idiom (e.g. walking a pointer on failure); generic, low weight.
        $sequence_7 = { ff15???????? 85c0 7508 8b36 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7508                 | jne                 0xa
            //   8b36                 | mov                 esi, dword ptr [esi]

        // Signed modulo (cdq/idiv) with the remainder passed in ecx to a call
        // whose result is then tested. Shape of an index/selection helper.
        $sequence_8 = { 99 f7fe 8bca e8???????? 85c0 7409 }
            // n = 6, score = 200
            //   99                   | cdq                 
            //   f7fe                 | idiv                esi
            //   8bca                 | mov                 ecx, edx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7409                 | je                  0xb

        // ---- x64 sequences (REX prefixes 41/44/48/4c/4d) ----
        // The generator's original annotations for $sequence_9..$sequence_15
        // were a 32-bit decode and had slipped out of step with their byte
        // lines (e.g. "4885c0" was labelled "dec eax"). They are re-decoded
        // below as 64-bit code. Every sequence in this group carries
        // score = 100, the lowest in the rule, so these fragments were likely
        // drawn from fewer reference samples than the 32-bit ones (score
        // semantics are YARA-Signator's and are not shown here).

        // NULL check on a return value, then a 3-argument call (rcx, rdx*2,
        // r8 = 0x40) whose result lands in rdi.
        $sequence_9 = { 4885c0 0f8484000000 8b5548 b940000000 4803d2 ff15???????? 488bf8 }
            // n = 7, score = 100
            //   4885c0               | test                rax, rax
            //   0f8484000000         | je                  0x8a
            //   8b5548               | mov                 edx, dword ptr [rbp + 0x48]
            //   b940000000           | mov                 ecx, 0x40
            //   4803d2               | add                 rdx, rdx
            //   ff15????????         |                     
            //   488bf8               | mov                 rdi, rax

        // Win64 fastcall argument setup for a five-argument call:
        // ecx = previous result, edx = 0, r8 = rsi, r9d = ebx, 5th arg in
        // the [rsp+0x28] home slot.
        $sequence_10 = { ff15???????? 448bcb 4c8bc6 33d2 8bc8 897c2428 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   448bcb               | mov                 r9d, ebx
            //   4c8bc6               | mov                 r8, rsi
            //   33d2                 | xor                 edx, edx
            //   8bc8                 | mov                 ecx, eax
            //   897c2428             | mov                 dword ptr [rsp + 0x28], edi

        // Loop body that follows a pointer in rbx until NULL and advances
        // rbx by 0x1c0 - looks like iteration over a table of 0x1c0-byte
        // records (record layout not documented).
        $sequence_11 = { 488b1b 4885db 7446 ebcc 488d45d8 41b820000000 4881c3c0010000 }
            // n = 7, score = 100
            //   488b1b               | mov                 rbx, qword ptr [rbx]
            //   4885db               | test                rbx, rbx
            //   7446                 | je                  0x48
            //   ebcc                 | jmp                 0xffffffce
            //   488d45d8             | lea                 rax, [rbp - 0x28]
            //   41b820000000         | mov                 r8d, 0x20
            //   4881c3c0010000       | add                 rbx, 0x1c0

        // Byte-wise copy/compare loop: bounded by r11 < r8, writes cl into a
        // buffer at [rsp+0x10] indexed by rdx.
        $sequence_12 = { 4d3bd8 72c6 84c9 7409 41ffc1 fec9 884c1410 }
            // n = 7, score = 100
            //   4d3bd8               | cmp                 r11, r8
            //   72c6                 | jb                  0xffffffc8
            //   84c9                 | test                cl, cl
            //   7409                 | je                  0xb
            //   41ffc1               | inc                 r9d
            //   fec9                 | dec                 cl
            //   884c1410             | mov                 byte ptr [rsp + rdx + 0x10], cl

        // Two 32-bit words are split into bytes (shr 0x18 / shr 0x10, movzx)
        // and used to index 4-byte lookup tables at r12+0x1c710 / r12+0x1bf10
        // whose entries are XORed together. This is the shape of a
        // table-driven (T-table style) block-cipher round; plausibly the RAT's
        // payload crypto, but the reports do not identify the algorithm.
        $sequence_13 = { 418bc3 418b9c9410c70100 c1e818 0fb6c8 8bc7 41339c8c10bf0100 c1e810 }
            // n = 7, score = 100
            //   418bc3               | mov                 eax, r11d
            //   418b9c9410c70100     | mov                 ebx, dword ptr [r12 + rdx*4 + 0x1c710]
            //   c1e818               | shr                 eax, 0x18
            //   0fb6c8               | movzx               ecx, al
            //   8bc7                 | mov                 eax, edi
            //   41339c8c10bf0100     | xor                 ebx, dword ptr [r12 + rcx*4 + 0x1bf10]
            //   c1e810               | shr                 eax, 0x10

        // Import call, keep the result in ebx, bail on zero, then load a
        // RIP-relative address (a global/string in .data) into rcx for the
        // next import call.
        $sequence_14 = { ff15???????? 8bd8 85c0 0f84f6000000 488d0dab800100 ff15???????? }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   85c0                 | test                eax, eax
            //   0f84f6000000         | je                  0xfc
            //   488d0dab800100       | lea                 rcx, [rip + 0x180ab]
            //   ff15????????         |                     

        // Cleanup pattern: two handles/pointers (rsi, rdi) each released via
        // an import call if non-NULL.
        $sequence_15 = { ff15???????? 4885f6 7409 488bce ff15???????? 4885ff 7409 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   4885f6               | test                rsi, rsi
            //   7409                 | je                  0xb
            //   488bce               | mov                 rcx, rsi
            //   ff15????????         |                     
            //   4885ff               | test                rdi, rdi
            //   7409                 | je                  0xb

    condition:
        // `7 of them` is a coverage threshold over 16 sequences, not a
        // conjunction of independent indicators: $sequence_0/$sequence_3 and
        // $sequence_2/$sequence_6 overlap (see notes above), so one code
        // region can contribute two hits. The x64 group ($sequence_9..15) has
        // exactly seven members, so a pure x64 sample must match all of them
        // unless it also contains 32-bit fragments. The filesize cap reflects
        // the documented samples; a padded, bundled or packed build larger
        // than ~355 KB evades this rule by construction, and the rule is not
        // meant for scanning large containers or memory images with one
        // oversized blob.
        7 of them and filesize < 363520
}
[TLP:WHITE] win_blindingcan_w0   (20200901 | Detects 32bit HiddenCobra BLINDINGCAN Trojan RAT)
rule win_blindingcan_w0 {
   /*
    * CISA rule from Malware Analysis Report AR20-232A (HIDDEN COBRA /
    * Lazarus Group BLINDINGCAN, 32-bit builds). Three independent byte
    * patterns, any single one of which fires the rule - the strengths of the
    * individual patterns differ considerably (see notes on each).
    */
   meta:
       author = "CISA Code & Media Analysis"
       incident = "10135536"
       date = "2018-05-04"
       actor = "Lazarus Group"
       actor_type = "APT"
       category = "malware"
       family = "BLINDINGCAN"
       description = "Detects 32bit HiddenCobra BLINDINGCAN Trojan RAT"
       hash = "1ee75106a9113b116c54e7a5954950065b809e0bb4dd0a91dc76f778508c7954"
       hash = "7dce6f30e974ed97a3ed024d4c62350f9396310603e185a753b63a1f9a2d5799"
       hash = "96721e13bae587c75618566111675dec2d61f9f5d16e173e69bb42ad7cb2dd8a"
       hash = "f71d67659baf0569143874d5d1c5a4d655c7d296b2e86be1b8f931c2335c0cd3"
       source = "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a"
       malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan"
       malpedia_version = "20200901"
       malpedia_sharing = "TLP:WHITE"
       malpedia_license = ""
   strings:
       // Four `mov dword ptr [ebp-0x14..-0x08], imm32` stores (C7 45 xx) that
       // assemble the 16 bytes 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82
       // on the stack. Those bytes match DER: the tail of a SEQUENCE (length
       // 0x0D) holding OID 1.2.840.113549.1.1.1 (rsaEncryption) and NULL,
       // followed by a BIT STRING tag with a 2-byte length - i.e. the code
       // appears to build an RSA SubjectPublicKeyInfo header inline (an
       // embedded RSA public key, plausibly for C2 key exchange). The same
       // construct can occur in any binary that hard-codes an RSA key this
       // way, so treat a lone $s0 hit as suggestive rather than conclusive.
       $s0 = { C7 45 EC 0D 06 09 2A C7 45 F0 86 48 86 F7 C7 45 F4 0D 01 01 01 C7 45 F8 05 00 03 82 }
       // ASCII "PMS*.tmp": an 8-byte wildcard filename pattern. Short and
       // plausible in benign software, so this is the weakest of the three.
       $s1 = { 50 4D 53 2A 2E 74 6D 70 }
       // 24-byte opaque constant taken from the samples. Its role is not
       // stated in the source report (NOTE(review): presumably key or
       // encrypted-configuration material - unverified). High-entropy and
       // sample-specific, so it is the most specific of the three patterns.
       $s2 = { 79 67 60 3C 77 F9 BA 77 7A 56 1B 68 51 26 11 96 B7 98 71 39 82 B0 81 78 }
   condition:
       // CISA's original condition, tuned for recall. Because $s0 and $s1 are
       // generic constructs, a large-scale hunt may prefer `$s2 or 2 of them`,
       // and a file-only deployment may add `uint16(0) == 0x5A4D`; neither is
       // applied here because Malpedia may also run this rule against
       // memory dumps and unpacked images.
       any of them
}