win.blindingcan

BLINDINGCAN

aka: AIRDRY, ZetaNile

Actor(s): Lazarus Group


BLINDINGCAN is a remote access trojan that communicates with its C&C server via HTTP(S).
It uses RC4 (in a custom variant) or AES to encrypt and decrypt both its configuration and its network traffic.
It sends information about the victim's environment, like computer name, IP, Windows product name and processor name.
It supports around 30 commands that include operations on the victim's filesystem, basic process management, command line execution, file exfiltration, configuration update, and the download and execution of additional payloads from the attackers' C&C. The commands are indexed by 16-bit integers, starting at 0x2009 and increasing up to 0x2057, with some indices skipped.
It uses various parameter names in its HTTP POST requests, mostly associated with web servers running bulletin board systems, like bbs, article, boardid, s_board, page, idx_num, etc.
It contains specific RTTI symbols like ".?AVCHTTP_Protocol@@", ".?AVCFileRW@@" or ".?AVCSinSocket@@".
BLINDINGCAN RAT is a flagship payload deployed in many Lazarus attacks, especially in the Operation DreamJob campaigns of 2020-2022.
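As an added detection example (not one of the page's or Malpedia's own rules), the RTTI class names and bulletin-board style parameter names described above combined into one YARA rule; the rule name, the chosen parameter subset and the match thresholds are my own assumptions:

```yara
rule blindingcan_rtti_bbs_params_example
{
    meta:
        description = "Added example: BLINDINGCAN RTTI class names plus bulletin-board style HTTP parameter names (rule name and thresholds are assumptions)"
        reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan"
    strings:
        // RTTI type descriptor names quoted in the family description
        $rtti1 = ".?AVCHTTP_Protocol@@" ascii
        $rtti2 = ".?AVCFileRW@@" ascii
        $rtti3 = ".?AVCSinSocket@@" ascii
        // HTTP POST parameter names from the description; each is common on its
        // own (so "page" is left out and none is used alone), only the combination counts
        $p1 = "bbs" ascii wide
        $p2 = "article" ascii wide
        $p3 = "boardid" ascii wide
        $p4 = "s_board" ascii wide
        $p5 = "idx_num" ascii wide
    condition:
        // PE header, then either two RTTI names or one RTTI name plus most of the parameter names
        uint16(0) == 0x5A4D
        and (2 of ($rtti*) or (1 of ($rtti*) and 3 of ($p*)))
}
```

Packed samples will not expose these strings; run it against memory dumps or unpacked files, as the auto-generated rule below also assumes.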

References
2023-10-04 | Virus Bulletin | Peter Kálnai
"Lazarus Campaigns and Backdoors in 2022-23"
https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf
Tags: 3CX Backdoor, BLINDINGCAN, CLOUDBURST, DRATzarus, ForestTiger, ImprudentCook, LambLoad, LightlessCan, miniBlindingCan, PostNapTea, SnatchCrypto, WebbyTea, WinInetLoader

2023-04-12 | Kaspersky Labs | Seongsu Park
"Following the Lazarus group by tracking DeathNote campaign"
https://securelist.com/the-lazarus-group-deathnote-campaign/109490/
Tags: Bankshot, BLINDINGCAN, ForestTiger, LambLoad, LPEClient, MimiKatz, NedDnLoader, Racket Downloader, Volgmer

2022-09-30 | ESET Research | Peter Kálnai
"Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium"
https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/
Tags: BLINDINGCAN, FudModule, HTTP(S) uploader, LambLoad, TOUCHMOVE

2022-09-29 | Microsoft | Microsoft Security Threat Intelligence, LinkedIn Threat Prevention and Defense
"ZINC weaponizing open-source software"
https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
Tags: BLINDINGCAN, CLOUDBURST, miniBlindingCan

2022-09-14 | Mandiant | James Maclachlan, Mathew Potaczek, Nino Isakovic, Matt Williams, Yash Gupta
"It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp"
https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing
Tags: BLINDINGCAN, miniBlindingCan, sRDI

2021-02-28 | PWC UK | PWC UK
"Cyber Threats 2020: A Year in Retrospect"
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
Tags: elf.wellmess, FlowerPower, PowGoop, 8.t Dropper, Agent.BTZ, Agent Tesla, Appleseed, Ave Maria, Bankshot, BazarBackdoor, BLINDINGCAN, Chinoxy, Conti, Cotx RAT, Crimson RAT, DUSTMAN, Emotet, FriedEx, FunnyDream, Hakbit, Mailto, Maze, METALJACK, Nefilim, Oblique RAT, Pay2Key, PlugX, QakBot, REvil, Ryuk, StoneDrill, StrongPity, SUNBURST, SUPERNOVA, TrickBot, TurlaRPC, Turla SilentMoon, WastedLocker, WellMess, Winnti, ZeroCleare, APT10, APT23, APT27, APT31, APT41, BlackTech, BRONZE EDGEWOOD, Inception Framework, MUSTANG PANDA, Red Charon, Red Nue, Sea Turtle, Tonto Team

2020-12-15 | HvS-Consulting AG | HvS-Consulting AG
"Greetings from Lazarus: Anatomy of a cyber espionage campaign"
https://www.hvs-consulting.de/lazarus-report/
Tags: BLINDINGCAN, MimiKatz, Lazarus Group

2020-12-15 | HvS-Consulting AG | HvS-Consulting AG
"Greetings from Lazarus Anatomy of a cyber espionage campaign" (PDF report)
https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf
Tags: BLINDINGCAN, HTTP(S) uploader, MimiKatz

2020-09-29 | JPCERT/CC | Shusei Tomonaga
"BLINDINGCAN - Malware Used by Lazarus"
https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html
Tags: BLINDINGCAN, Lazarus Group

2020-08-31 | SentinelOne | Jim Walter
"The BLINDINGCAN RAT and Malicious North Korean Activity"
https://www.sentinelone.com/blog/the-blindingcan-rat-and-malicious-north-korean-activity/
Tags: BLINDINGCAN

2020-08-19 | US-CERT | US-CERT
"Malware Analysis Report (AR20-232A)"
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a
Tags: Bankshot, BLINDINGCAN

2020-08-19 | CISA | CISA
"MAR-10295134-1.v1 - North Korean Remote Access Trojan: BLINDINGCAN"
https://www.cisa.gov/news-events/analysis-reports/ar20-232a
Tags: BLINDINGCAN
Yara Rules
[TLP:WHITE] win_blindingcan_auto (20230715 | Detects win.blindingcan.)
rule win_blindingcan_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.blindingcan."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c78504fdfffff79d6681 c78508fdffffbfa7f8a5 c7850cfdffffa0118db8 c78510fdffff4d3feb78 c78514fdffff7532479f c78518fdffffe35bc9c0 }
            // n = 6, score = 300
            //   c78504fdfffff79d6681     | mov    dword ptr [ebp - 0x2fc], 0x81669df7
            //   c78508fdffffbfa7f8a5     | mov    dword ptr [ebp - 0x2f8], 0xa5f8a7bf
            //   c7850cfdffffa0118db8     | mov    dword ptr [ebp - 0x2f4], 0xb88d11a0
            //   c78510fdffff4d3feb78     | mov    dword ptr [ebp - 0x2f0], 0x78eb3f4d
            //   c78514fdffff7532479f     | mov    dword ptr [ebp - 0x2ec], 0x9f473275
            //   c78518fdffffe35bc9c0     | mov    dword ptr [ebp - 0x2e8], 0xc0c95be3

        $sequence_1 = { c7858cfeffffafe2e55a c78590feffff74c31dff c78594feffff657f9183 c78598feffffa78b5b05 c7859cfeffff87f53e0c c785a0feffff074f9b22 }
            // n = 6, score = 300
            //   c7858cfeffffafe2e55a     | mov    dword ptr [ebp - 0x174], 0x5ae5e2af
            //   c78590feffff74c31dff     | mov    dword ptr [ebp - 0x170], 0xff1dc374
            //   c78594feffff657f9183     | mov    dword ptr [ebp - 0x16c], 0x83917f65
            //   c78598feffffa78b5b05     | mov    dword ptr [ebp - 0x168], 0x55b8ba7
            //   c7859cfeffff87f53e0c     | mov    dword ptr [ebp - 0x164], 0xc3ef587
            //   c785a0feffff074f9b22     | mov    dword ptr [ebp - 0x160], 0x229b4f07

        $sequence_2 = { a3???????? eb0b 6a00 50 e8???????? 83c40c 680c200000 }
            // n = 7, score = 300
            //   a3????????           |                     
            //   eb0b                 | jmp                 0xd
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   680c200000           | push                0x200c

        $sequence_3 = { c745ec64a9e9c4 c745f0c89c157b c745f4f30dc5f5 c745f867cdf11d e8???????? }
            // n = 5, score = 300
            //   c745ec64a9e9c4       | mov                 dword ptr [ebp - 0x14], 0xc4e9a964
            //   c745f0c89c157b       | mov                 dword ptr [ebp - 0x10], 0x7b159cc8
            //   c745f4f30dc5f5       | mov                 dword ptr [ebp - 0xc], 0xf5c50df3
            //   c745f867cdf11d       | mov                 dword ptr [ebp - 8], 0x1df1cd67
            //   e8????????           |                     

        $sequence_4 = { 8bec 51 68dd020000 6a00 }
            // n = 4, score = 300
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   68dd020000           | push                0x2dd
            //   6a00                 | push                0

        $sequence_5 = { c785e8fdffff6dbfc790 c785ecfdffff9e14e675 c785f0fdffff5e15f8d2 c785f4fdffff7f5e6709 c785f8fdffff288adf2f }
            // n = 5, score = 300
            //   c785e8fdffff6dbfc790     | mov    dword ptr [ebp - 0x218], 0x90c7bf6d
            //   c785ecfdffff9e14e675     | mov    dword ptr [ebp - 0x214], 0x75e6149e
            //   c785f0fdffff5e15f8d2     | mov    dword ptr [ebp - 0x210], 0xd2f8155e
            //   c785f4fdffff7f5e6709     | mov    dword ptr [ebp - 0x20c], 0x9675e7f
            //   c785f8fdffff288adf2f     | mov    dword ptr [ebp - 0x208], 0x2fdf8a28

        $sequence_6 = { c785b0feffff81f9b8a8 c785b4feffff607960b9 c785b8feffff2109b8da c785bcfeffff91fd949b c785c0feffff10d43c68 c785c4feffff7c9f1888 c785c8feffff1ce6ae9e }
            // n = 7, score = 300
            //   c785b0feffff81f9b8a8     | mov    dword ptr [ebp - 0x150], 0xa8b8f981
            //   c785b4feffff607960b9     | mov    dword ptr [ebp - 0x14c], 0xb9607960
            //   c785b8feffff2109b8da     | mov    dword ptr [ebp - 0x148], 0xdab80921
            //   c785bcfeffff91fd949b     | mov    dword ptr [ebp - 0x144], 0x9b94fd91
            //   c785c0feffff10d43c68     | mov    dword ptr [ebp - 0x140], 0x683cd410
            //   c785c4feffff7c9f1888     | mov    dword ptr [ebp - 0x13c], 0x88189f7c
            //   c785c8feffff1ce6ae9e     | mov    dword ptr [ebp - 0x138], 0x9eaee61c

        $sequence_7 = { c745e067a76cb1 c745e484d9e35c c745e8a9840ef6 c745ec0d06092a c745f0864886f7 c745f40d010101 }
            // n = 6, score = 300
            //   c745e067a76cb1       | mov                 dword ptr [ebp - 0x20], 0xb16ca767
            //   c745e484d9e35c       | mov                 dword ptr [ebp - 0x1c], 0x5ce3d984
            //   c745e8a9840ef6       | mov                 dword ptr [ebp - 0x18], 0xf60e84a9
            //   c745ec0d06092a       | mov                 dword ptr [ebp - 0x14], 0x2a09060d
            //   c745f0864886f7       | mov                 dword ptr [ebp - 0x10], 0xf7864886
            //   c745f40d010101       | mov                 dword ptr [ebp - 0xc], 0x101010d

        $sequence_8 = { 8bca e8???????? 85c0 7409 e8???????? }
            // n = 5, score = 200
            //   8bca                 | mov                 ecx, edx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7409                 | je                  0xb
            //   e8????????           |                     

        $sequence_9 = { 99 f7fe 8bca e8???????? }
            // n = 4, score = 200
            //   99                   | cdq                 
            //   f7fe                 | idiv                esi
            //   8bca                 | mov                 ecx, edx
            //   e8????????           |                     

        $sequence_10 = { 4d8bf0 448bfa 488d8db1020000 4533ed 33d2 41b82f030000 44894c2454 }
            // n = 7, score = 100
            //   4d8bf0               | je                  0x5b
            //   448bfa               | dec                 eax
            //   488d8db1020000       | lea                 ecx, [esi + 0xc]
            //   4533ed               | dec                 eax
            //   33d2                 | lea                 edx, [esi + 0xc]
            //   41b82f030000         | dec                 eax
            //   44894c2454           | lea                 ecx, [0x1d047]

        $sequence_11 = { 33d2 33c9 443925???????? 4c89642428 4c8d0579ebffff 4489642420 7459 }
            // n = 7, score = 100
            //   33d2                 | dec                 eax
            //   33c9                 | lea                 eax, [edx + 0x7ffffefa]
            //   443925????????       |                     
            //   4c89642428           | dec                 eax
            //   4c8d0579ebffff       | test                eax, eax
            //   4489642420           | je                  0x18
            //   7459                 | inc                 ecx

        $sequence_12 = { ba04010000 4c2bc0 488d8db0020000 488d82fafeff7f 4885c0 7416 410fb70408 }
            // n = 7, score = 100
            //   ba04010000           | mov                 ecx, dword ptr [esp + 0x38]
            //   4c2bc0               | jmp                 0xa
            //   488d8db0020000       | mov                 edx, 0x104
            //   488d82fafeff7f       | dec                 esp
            //   4885c0               | sub                 eax, eax
            //   7416                 | dec                 eax
            //   410fb70408           | lea                 ecx, [ebp + 0x2b0]

        $sequence_13 = { 488d4520 4c8d4d60 4c8d050b7d0100 488d8d70010000 ba00040000 4889442420 e8???????? }
            // n = 7, score = 100
            //   488d4520             | dec                 esp
            //   4c8d4d60             | mov                 dword ptr [esp + 0x28], esp
            //   4c8d050b7d0100       | dec                 esp
            //   488d8d70010000       | lea                 eax, [0xffffeb79]
            //   ba00040000           | inc                 esp
            //   4889442420           | mov                 dword ptr [esp + 0x20], esp
            //   e8????????           |                     

        $sequence_14 = { 448b6c2430 eb08 ff15???????? 8bd8 488b4c2438 ff15???????? eb08 }
            // n = 7, score = 100
            //   448b6c2430           | inc                 esp
            //   eb08                 | mov                 ebp, dword ptr [esp + 0x30]
            //   ff15????????         |                     
            //   8bd8                 | jmp                 0xa
            //   488b4c2438           | mov                 ebx, eax
            //   ff15????????         |                     
            //   eb08                 | dec                 eax

        $sequence_15 = { e8???????? e9???????? 488d4e0c e8???????? e9???????? 488d560c 488d0d47d00100 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   e9????????           |                     
            //   488d4e0c             | movzx               eax, word ptr [eax + ecx]
            //   e8????????           |                     
            //   e9????????           |                     
            //   488d560c             | xor                 edx, edx
            //   488d0d47d00100       | xor                 ecx, ecx

    condition:
        7 of them and filesize < 363520
}
[TLP:WHITE] win_blindingcan_w0 (20200901 | Detects 32bit HiddenCobra BLINDINGCAN Trojan RAT)
rule win_blindingcan_w0 {
   meta:
       author = "CISA Code & Media Analysis"
       incident = "10135536"
       date = "2018-05-04"
       actor = "Lazarus Group"
       actor_type = "APT"
       category = "malware"
       family = "BLINDINGCAN"
       description = "Detects 32bit HiddenCobra BLINDINGCAN Trojan RAT"
       hash = "1ee75106a9113b116c54e7a5954950065b809e0bb4dd0a91dc76f778508c7954"
       hash = "7dce6f30e974ed97a3ed024d4c62350f9396310603e185a753b63a1f9a2d5799"
       hash = "96721e13bae587c75618566111675dec2d61f9f5d16e173e69bb42ad7cb2dd8a"
       hash = "f71d67659baf0569143874d5d1c5a4d655c7d296b2e86be1b8f931c2335c0cd3"
       source = "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a"
       malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan"
       malpedia_version = "20200901"
       malpedia_sharing = "TLP:WHITE"
       malpedia_license = ""
   strings:
       $s0 = { C7 45 EC 0D 06 09 2A C7 45 F0 86 48 86 F7 C7 45 F4 0D 01 01 01 C7 45 F8 05 00 03 82 }
       $s1 = { 50 4D 53 2A 2E 74 6D 70 }
       $s2 = { 79 67 60 3C 77 F9 BA 77 7A 56 1B 68 51 26 11 96 B7 98 71 39 82 B0 81 78 }
   condition:
       any of them
}