win.blindingcan

BLINDINGCAN

aka: AIRDRY, ZetaNile

Actor(s): Lazarus Group


BLINDINGCAN is a remote access trojan that communicates with its C&C server over HTTP(S).
It uses a custom RC4 or AES implementation to encrypt and decrypt both its configuration and its network traffic.
On check-in it reports details of the victim's environment, such as the computer name, IP address, Windows product name and processor name.
It supports around 30 commands covering operations on the victim's filesystem, basic process management, command-line execution, file exfiltration, configuration updates, and the download and execution of additional payloads from the attackers' C&C. The commands are indexed by 16-bit integers, starting at 0x2009 and increasing to 0x2057, with some indices skipped.
Its HTTP POST requests use parameter names mostly associated with web servers running bulletin board systems, such as bbs, article, boardid, s_board, page and idx_num; since these names are common on legitimate boards, the combination rather than any single name is the useful indicator.
Its binaries contain distinctive MSVC RTTI type descriptor names such as ".?AVCHTTP_Protocol@@", ".?AVCFileRW@@" and ".?AVCSinSocket@@".
BLINDINGCAN is a flagship payload deployed in many Lazarus attacks, especially in the Operation DreamJob campaigns of 2020-2022.
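The indicators above (RTTI names, the bulletin-board parameter cluster, the 0x2009-0x2057 command range, and the `sub ecx, 0x2009` dispatch bytes that appear as `$sequence_12` in the auto-generated rule below) can be turned into a small triage script. The following is an added example written for this page, not code from Malpedia or from any of the cited reports; the scoring threshold in `triage_post()` and the `match` heuristic in `scan_binary()` are assumptions to tune against your own baseline, and the sample blobs and POST bodies are constructed, not real captures.

```python
"""Triage helpers built from the BLINDINGCAN indicators listed above.

Added example, not code from Malpedia or from any of the cited reports.
Assumptions (tunable, not taken from the page): the parameter-name threshold
in triage_post(), the 'match' heuristic in scan_binary(), and that the
'sub ecx, 0x2009' dispatch bytes quoted from $sequence_12 of
win_blindingcan_auto appear unmodified in the 32-bit sample being scanned.
"""
from urllib.parse import parse_qs

# MSVC RTTI type descriptor names quoted in the description.
RTTI_NAMES = (b".?AVCHTTP_Protocol@@", b".?AVCFileRW@@", b".?AVCSinSocket@@")

# Bulletin-board style POST parameter names quoted in the description.
BBS_PARAMS = frozenset({"bbs", "article", "boardid", "s_board", "page", "idx_num"})

# Command index range quoted in the description (16-bit, some values skipped).
CMD_FIRST, CMD_LAST = 0x2009, 0x2057

# 'sub ecx, 0x2009' (81 /5 id) from $sequence_12 of win_blindingcan_auto:
# the first comparison of the command dispatcher, subtracting the lowest index.
DISPATCH_STUB = bytes.fromhex("81e909200000")


def scan_binary(data: bytes) -> dict:
    """Look for the static indicators in a file image or memory dump."""
    rtti_hits = [name.decode() for name in RTTI_NAMES if name in data]
    has_stub = DISPATCH_STUB in data
    return {
        "rtti": rtti_hits,
        "dispatch": has_stub,
        # Assumed scoring: two RTTI names, or the dispatch stub plus one name.
        "match": len(rtti_hits) >= 2 or (has_stub and len(rtti_hits) >= 1),
    }


def bbs_param_score(body: str) -> tuple[int, list[str]]:
    """Count the BBS-style parameter names present in a form-encoded POST body."""
    names = set(parse_qs(body, keep_blank_values=True))
    hits = sorted(names & BBS_PARAMS)
    return len(hits), hits


def triage_post(body: str, threshold: int = 3) -> bool:
    """Flag a body carrying at least `threshold` of the names.

    Single names such as 'page' are common on legitimate boards, so the check
    keys on the cluster; the default of 3 is an assumption to tune on baseline.
    """
    score, _ = bbs_param_score(body)
    return score >= threshold


def command_known(index: int) -> bool:
    """True if a 16-bit command index lies in the range the RAT uses."""
    return CMD_FIRST <= index <= CMD_LAST


# Constructed inputs for demonstration; not real samples or captures.
SAMPLE_BLOB = (b"\x00" * 16 + RTTI_NAMES[0] + b"\x00" + b"\x90" * 8
               + DISPATCH_STUB + bytes.fromhex("746e83e907") + RTTI_NAMES[1] + b"\x00")
BENIGN_BLOB = b"MZ\x90\x00" + b"\x00" * 64
SAMPLE_POST = "bbs=1&boardid=1003&s_board=notice&page=1&idx_num=2&article=0"
BENIGN_POST = "page=2&sort=date"

if __name__ == "__main__":
    print(scan_binary(SAMPLE_BLOB))
    print(scan_binary(BENIGN_BLOB))
    print(bbs_param_score(SAMPLE_POST), triage_post(SAMPLE_POST), triage_post(BENIGN_POST))
    print(command_known(0x2009), command_known(0x2057), command_known(0x2058))
```

Run it over unpacked files or memory dumps rather than packed samples: the RTTI strings and the dispatch stub only exist in the decoded image, which is also why the Malpedia rule below is generated from memory dumps.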

References
2023-10-04 | Virus Bulletin | Peter Kálnai
Lazarus Campaigns and Backdoors in 2022-23
Families: SimpleTea, POOLRAT, 3CX Backdoor, BLINDINGCAN, CLOUDBURST, DRATzarus, ForestTiger, ImprudentCook, LambLoad, LightlessCan, miniBlindingCan, PostNapTea, SnatchCrypto, wAgentTea, WebbyTea, WinInetLoader

2023-08-30 | Kaspersky Labs | David Emm
IT threat evolution in Q2 2023
Families: 3CX Backdoor, Bankshot, BLINDINGCAN, GoldMax, Kazuar, QUIETCANARY, tomiris. Actors: GoldenJackal

2023-04-12 | Kaspersky Labs | Seongsu Park
Following the Lazarus group by tracking DeathNote campaign
Families: Bankshot, BLINDINGCAN, ForestTiger, LambLoad, LPEClient, MimiKatz, NedDnLoader, Racket Downloader, Volgmer

2022-09-30 | ESET Research | Peter Kálnai
Amazon-themed campaigns of Lazarus in the Netherlands and Belgium
Families: BLINDINGCAN, FudModule, HTTP(S) uploader, LambLoad, TOUCHMOVE

2022-09-29 | Microsoft | LinkedIn Threat Prevention and Defense, Microsoft Security Threat Intelligence
ZINC weaponizing open-source software
Families: BLINDINGCAN, CLOUDBURST, miniBlindingCan

2022-09-14 | Mandiant | James Maclachlan, Mathew Potaczek, Matt Williams, Nino Isakovic, Yash Gupta
It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp
Families: BLINDINGCAN, miniBlindingCan, sRDI

2021-02-28 | PWC UK
Cyber Threats 2020: A Year in Retrospect
Families: elf.wellmess, FlowerPower, PowGoop, 8.t Dropper, Agent.BTZ, Agent Tesla, Appleseed, Ave Maria, Bankshot, BazarBackdoor, BLINDINGCAN, Chinoxy, Conti, Cotx RAT, Crimson RAT, DUSTMAN, Emotet, FriedEx, FunnyDream, Hakbit, Mailto, Maze, METALJACK, Nefilim, Oblique RAT, Pay2Key, PlugX, QakBot, REvil, Ryuk, StoneDrill, StrongPity, SUNBURST, SUPERNOVA, TrickBot, TurlaRPC, Turla SilentMoon, WastedLocker, WellMess, Winnti, ZeroCleare. Actors: APT10, APT23, APT27, APT31, APT41, BlackTech, BRONZE EDGEWOOD, Inception Framework, MUSTANG PANDA, Red Charon, Red Nue, Sea Turtle, Tonto Team

2020-12-15 | HvS-Consulting AG
Greetings from Lazarus: Anatomy of a cyber espionage campaign
Families: BLINDINGCAN, HTTP(S) uploader, MimiKatz. Actors: Lazarus Group

2020-09-29 | JPCERT/CC | Shusei Tomonaga
BLINDINGCAN - Malware Used by Lazarus
Families: BLINDINGCAN. Actors: Lazarus Group

2020-08-31 | SentinelOne | Jim Walter
The BLINDINGCAN RAT and Malicious North Korean Activity
Families: BLINDINGCAN

2020-08-19 | US-CERT
Malware Analysis Report (AR20-232A)
Families: Bankshot, BLINDINGCAN

2020-08-19 | CISA
MAR-10295134-1.v1 - North Korean Remote Access Trojan: BLINDINGCAN
Families: BLINDINGCAN
Yara Rules
[TLP:WHITE] win_blindingcan_auto (20230808 | Detects win.blindingcan.)
rule win_blindingcan_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.blindingcan."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83c40c 68???????? 68???????? ff15???????? 689c040000 85c0 }
            // n = 6, score = 300
            //   83c40c               | add                 esp, 0xc
            //   68????????           | push                imm32
            //   68????????           | push                imm32
            //   ff15????????         | call                dword ptr [imm32]
            //   689c040000           | push                0x49c
            //   85c0                 | test                eax, eax

        $sequence_1 = { 750a 8b10 8994bdfcfdffff 47 83c00c 49 }
            // n = 6, score = 300
            //   750a                 | jne                 0xc
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   8994bdfcfdffff       | mov                 dword ptr [ebp + edi*4 - 0x204], edx
            //   47                   | inc                 edi
            //   83c00c               | add                 eax, 0xc
            //   49                   | dec                 ecx

        $sequence_2 = { c785bcfdffff661fcba8 c785c0fdffffc0f0d181 c785c4fdffff1f08c3d4 c785c8fdffff28edbc6a c785ccfdffff12aff210 }
            // n = 5, score = 300
            //   c785bcfdffff661fcba8     | mov    dword ptr [ebp - 0x244], 0xa8cb1f66
            //   c785c0fdffffc0f0d181     | mov    dword ptr [ebp - 0x240], 0x81d1f0c0
            //   c785c4fdffff1f08c3d4     | mov    dword ptr [ebp - 0x23c], 0xd4c3081f
            //   c785c8fdffff28edbc6a     | mov    dword ptr [ebp - 0x238], 0x6abced28
            //   c785ccfdffff12aff210     | mov    dword ptr [ebp - 0x234], 0x10f2af12

        $sequence_3 = { c745e4ef0dfff5 c745e85acd9c1d c745ec36c2f964 c745f0a70d9fae c745f48f2aedf1 }
            // n = 5, score = 300
            //   c745e4ef0dfff5       | mov                 dword ptr [ebp - 0x1c], 0xf5ff0def
            //   c745e85acd9c1d       | mov                 dword ptr [ebp - 0x18], 0x1d9ccd5a
            //   c745ec36c2f964       | mov                 dword ptr [ebp - 0x14], 0x64f9c236
            //   c745f0a70d9fae       | mov                 dword ptr [ebp - 0x10], 0xae9f0da7
            //   c745f48f2aedf1       | mov                 dword ptr [ebp - 0xc], 0xf1ed2a8f

        $sequence_4 = { c78594feffff657f9183 c78598feffffa78b5b05 c7859cfeffff87f53e0c c785a0feffff074f9b22 }
            // n = 4, score = 300
            //   c78594feffff657f9183     | mov    dword ptr [ebp - 0x16c], 0x83917f65
            //   c78598feffffa78b5b05     | mov    dword ptr [ebp - 0x168], 0x55b8ba7
            //   c7859cfeffff87f53e0c     | mov    dword ptr [ebp - 0x164], 0xc3ef587
            //   c785a0feffff074f9b22     | mov    dword ptr [ebp - 0x160], 0x229b4f07

        $sequence_5 = { c745ac84b1df57 c745b0c8cbfee9 c745b4567e337f c745b8e958e686 }
            // n = 4, score = 300
            //   c745ac84b1df57       | mov                 dword ptr [ebp - 0x54], 0x57dfb184
            //   c745b0c8cbfee9       | mov                 dword ptr [ebp - 0x50], 0xe9fecbc8
            //   c745b4567e337f       | mov                 dword ptr [ebp - 0x4c], 0x7f337e56
            //   c745b8e958e686       | mov                 dword ptr [ebp - 0x48], 0x86e658e9

        $sequence_6 = { c78548feffffdfc2f62c c7854cfeffff17516633 c78550fefffff76c7e7e c78554feffffa14b0c27 c78558feffff10c0aac6 c7855cfeffff489a8471 c78560feffff9cab4ad6 }
            // n = 7, score = 300
            //   c78548feffffdfc2f62c     | mov    dword ptr [ebp - 0x1b8], 0x2cf6c2df
            //   c7854cfeffff17516633     | mov    dword ptr [ebp - 0x1b4], 0x33665117
            //   c78550fefffff76c7e7e     | mov    dword ptr [ebp - 0x1b0], 0x7e7e6cf7
            //   c78554feffffa14b0c27     | mov    dword ptr [ebp - 0x1ac], 0x270c4ba1
            //   c78558feffff10c0aac6     | mov    dword ptr [ebp - 0x1a8], 0xc6aac010
            //   c7855cfeffff489a8471     | mov    dword ptr [ebp - 0x1a4], 0x71849a48
            //   c78560feffff9cab4ad6     | mov    dword ptr [ebp - 0x1a0], 0xd64aab9c

        $sequence_7 = { 740c a810 7408 c68435a8fcffff01 46 83fe1a }
            // n = 6, score = 300
            //   740c                 | je                  0xe
            //   a810                 | test                al, 0x10
            //   7408                 | je                  0xa
            //   c68435a8fcffff01     | mov                 byte ptr [ebp + esi - 0x358], 1
            //   46                   | inc                 esi
            //   83fe1a               | cmp                 esi, 0x1a

        $sequence_8 = { f7fe 8bca e8???????? 85c0 7409 e8???????? }
            // n = 6, score = 200
            //   f7fe                 | idiv                esi
            //   8bca                 | mov                 ecx, edx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7409                 | je                  0xb
            //   e8????????           |                     

        $sequence_9 = { 55 4154 4155 488da8e8f3ffff 4881ec000d0000 488b05???????? 4833c4 }
            // n = 7, score = 100 (x64 sample; function prologue with stack cookie setup)
            //   55                   | push                rbp
            //   4154                 | push                r12
            //   4155                 | push                r13
            //   488da8e8f3ffff       | lea                 rbp, [rax - 0xc18]
            //   4881ec000d0000       | sub                 rsp, 0xd00
            //   488b05????????       | mov                 rax, qword ptr [rip + imm32]
            //   4833c4               | xor                 rax, rsp

        $sequence_10 = { 8bd5 664489642422 6689442420 895c2428 e8???????? 8bd3 488bcf }
            // n = 7, score = 100 (x64 sample)
            //   8bd5                 | mov                 edx, ebp
            //   664489642422         | mov                 word ptr [rsp + 0x22], r12w
            //   6689442420           | mov                 word ptr [rsp + 0x20], ax
            //   895c2428             | mov                 dword ptr [rsp + 0x28], ebx
            //   e8????????           | call                rel32
            //   8bd3                 | mov                 edx, ebx
            //   488bcf               | mov                 rcx, rdi

        $sequence_11 = { 85c0 751b e8???????? 4885c0 7461 448bc7 488d55c0 }
            // n = 7, score = 100 (x64 sample)
            //   85c0                 | test                eax, eax
            //   751b                 | jne                 0x1d
            //   e8????????           | call                rel32
            //   4885c0               | test                rax, rax
            //   7461                 | je                  0x63
            //   448bc7               | mov                 r8d, edi
            //   488d55c0             | lea                 rdx, [rbp - 0x40]

        $sequence_12 = { 81e909200000 746e 83e907 745f ffc9 744d ffc9 }
            // n = 7, score = 100 (x64 sample; start of the command dispatcher,
            // testing for indices 0x2009, 0x2010, 0x2011 and 0x2012 in turn)
            //   81e909200000         | sub                 ecx, 0x2009
            //   746e                 | je                  0x70
            //   83e907               | sub                 ecx, 7
            //   745f                 | je                  0x61
            //   ffc9                 | dec                 ecx
            //   744d                 | je                  0x4f
            //   ffc9                 | dec                 ecx

        $sequence_13 = { 410fb6c4 0fb68c2810be0100 41335518 400fb6c6 0fb6842810be0100 c1e108 33c8 }
            // n = 7, score = 100 (x64 sample; byte-wise table lookups combined by shift and xor)
            //   410fb6c4             | movzx               eax, r12b
            //   0fb68c2810be0100     | movzx               ecx, byte ptr [rax + rbp + 0x1be10]
            //   41335518             | xor                 edx, dword ptr [r13 + 0x18]
            //   400fb6c6             | movzx               eax, sil
            //   0fb6842810be0100     | movzx               eax, byte ptr [rax + rbp + 0x1be10]
            //   c1e108               | shl                 ecx, 8
            //   33c8                 | xor                 ecx, eax

        $sequence_14 = { 488b4dc8 488d45c0 4c8d4db0 4889442428 488d0552d30100 488d1586340100 4533c0 }
            // n = 7, score = 100 (x64 sample)
            //   488b4dc8             | mov                 rcx, qword ptr [rbp - 0x38]
            //   488d45c0             | lea                 rax, [rbp - 0x40]
            //   4c8d4db0             | lea                 r9, [rbp - 0x50]
            //   4889442428           | mov                 qword ptr [rsp + 0x28], rax
            //   488d0552d30100       | lea                 rax, [rip + 0x1d352]
            //   488d1586340100       | lea                 rdx, [rip + 0x13486]
            //   4533c0               | xor                 r8d, r8d

        $sequence_15 = { ff15???????? 4883ceff 4c8be8 4889442440 483bc6 752d ff15???????? }
            // n = 7, score = 100 (x64 sample; API call with return value compared against -1)
            //   ff15????????         | call                qword ptr [rip + imm32]
            //   4883ceff             | or                  rsi, 0xffffffffffffffff
            //   4c8be8               | mov                 r13, rax
            //   4889442440           | mov                 qword ptr [rsp + 0x40], rax
            //   483bc6               | cmp                 rax, rsi
            //   752d                 | jne                 0x2f
            //   ff15????????         | call                qword ptr [rip + imm32]

    condition:
        7 of them and filesize < 363520
}
[TLP:WHITE] win_blindingcan_w0   (20200901 | Detects 32bit HiddenCobra BLINDINGCAN Trojan RAT)
rule win_blindingcan_w0 {
   meta:
       author = "CISA Code & Media Analysis"
       incident = "10135536"
       date = "2018-05-04"
       actor = "Lazarus Group"
       actor_type = "APT"
       category = "malware"
       family = "BLINDINGCAN"
       description = "Detects 32bit HiddenCobra BLINDINGCAN Trojan RAT"
       hash = "1ee75106a9113b116c54e7a5954950065b809e0bb4dd0a91dc76f778508c7954"
       hash = "7dce6f30e974ed97a3ed024d4c62350f9396310603e185a753b63a1f9a2d5799"
       hash = "96721e13bae587c75618566111675dec2d61f9f5d16e173e69bb42ad7cb2dd8a"
       hash = "f71d67659baf0569143874d5d1c5a4d655c7d296b2e86be1b8f931c2335c0cd3"
       source = "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a"
       malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan"
       malpedia_version = "20200901"
       malpedia_sharing = "TLP:WHITE"
       malpedia_license = ""
   strings:
       // four 'mov dword ptr [ebp - 0x14 .. - 0x8], imm32' stores that build the DER bytes
       // 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 on the stack: the rsaEncryption
       // OID (1.2.840.113549.1.1.1), a NULL and a BIT STRING tag, i.e. an embedded RSA
       // SubjectPublicKeyInfo
       $s0 = { C7 45 EC 0D 06 09 2A C7 45 F0 86 48 86 F7 C7 45 F4 0D 01 01 01 C7 45 F8 05 00 03 82 }
       // "PMS*.tmp"
       $s1 = { 50 4D 53 2A 2E 74 6D 70 }
       // 24-byte constant taken from the samples listed in the meta section
       $s2 = { 79 67 60 3C 77 F9 BA 77 7A 56 1B 68 51 26 11 96 B7 98 71 39 82 B0 81 78 }
   condition:
       any of them
}
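Both rules key on constants that the malware writes to the stack one dword at a time (`$s0` above and `$sequence_2` through `$sequence_6` of win_blindingcan_auto). Those immediates are only meaningful once reassembled in memory order, so the following added example, written for this page and not code from CISA or Malpedia, recovers the stored buffer from a run of `c7 45 disp8 imm32` / `c7 85 disp32 imm32` instructions and labels it. It assumes the input is a short, instruction-aligned byte run such as a YARA hex string; on arbitrary code the regex could also fire on bytes that merely look like the opcode, so align on instruction boundaries first in that case.

```python
"""Recover constants written to the stack as a run of 'mov dword ptr [ebp+disp], imm32'.

Added example, not code from CISA or Malpedia. Written against the byte
patterns of the rules above: $s0 of win_blindingcan_w0 and the 'c7 45' /
'c7 85' sequences of win_blindingcan_auto. Assumption: the input is a short,
instruction-aligned byte run (e.g. a YARA hex string), not arbitrary code.
"""
import re
import struct

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption).
OID_RSA_ENCRYPTION = bytes.fromhex("06092a864886f70d010101")

# c7 45 disp8 imm32   -> mov dword ptr [ebp + disp8], imm32
# c7 85 disp32 imm32  -> mov dword ptr [ebp + disp32], imm32
_STACK_MOV = re.compile(
    rb"\xc7(?:\x45(?P<d8>.)|\x85(?P<d32>.{4}))(?P<imm>.{4})", re.DOTALL)


def stack_dword_stores(code: bytes) -> dict[int, bytes]:
    """Map each ebp-relative displacement to the 4 bytes stored there.

    The immediate is encoded little-endian and stored little-endian, so the
    bytes as they appear in the instruction are the bytes that land in memory.
    """
    stores: dict[int, bytes] = {}
    for m in _STACK_MOV.finditer(code):
        if m.group("d8") is not None:
            disp = struct.unpack("<b", m.group("d8"))[0]
        else:
            disp = struct.unpack("<i", m.group("d32"))[0]
        stores[disp] = m.group("imm")
    return stores


def contiguous_runs(stores: dict[int, bytes]) -> list[tuple[int, bytes]]:
    """Join stores whose displacements are exactly 4 bytes apart into buffers."""
    runs: list[tuple[int, bytes]] = []
    for disp in sorted(stores):
        if runs and runs[-1][0] + len(runs[-1][1]) == disp:
            runs[-1] = (runs[-1][0], runs[-1][1] + stores[disp])
        else:
            runs.append((disp, stores[disp]))
    return runs


def classify_constant(buf: bytes) -> str:
    """Label a recovered buffer: part of an RSA SubjectPublicKeyInfo, or opaque."""
    return "rsa-spki" if OID_RSA_ENCRYPTION in buf else "opaque"


def recover(code: bytes) -> list[tuple[int, int, str]]:
    """(start displacement, length, label) for each contiguous buffer in a byte run."""
    return [(disp, len(buf), classify_constant(buf))
            for disp, buf in contiguous_runs(stack_dword_stores(code))]


# $s0 of win_blindingcan_w0, copied from the rule above.
S0_CISA = bytes.fromhex("c745ec0d06092ac745f0864886f7c745f40d010101c745f805000382")
# $sequence_3 of win_blindingcan_auto (disp8 form), copied from the rule above.
SEQ3_AUTO = bytes.fromhex("c745e4ef0dfff5c745e85acd9c1dc745ec36c2f964"
                          "c745f0a70d9faec745f48f2aedf1")
# $sequence_2 of win_blindingcan_auto (disp32 form), copied from the rule above.
SEQ2_AUTO = bytes.fromhex("c785bcfdffff661fcba8c785c0fdffffc0f0d181c785c4fdffff1f08c3d4"
                          "c785c8fdffff28edbc6ac785ccfdffff12aff210")

if __name__ == "__main__":
    for name, code in (("S0_CISA", S0_CISA), ("SEQ3_AUTO", SEQ3_AUTO), ("SEQ2_AUTO", SEQ2_AUTO)):
        print(name, recover(code), contiguous_runs(stack_dword_stores(code))[0][1].hex())
```

For `$s0` the recovered 16 bytes begin with `0d`, the length byte of the enclosing `30 0d` AlgorithmIdentifier SEQUENCE whose tag is written by an earlier instruction outside the signature, followed by the OID, the NULL and the `03 82` BIT STRING header; the auto-rule sequences recover as opaque 20-byte tables, which is consistent with key or table material rather than DER.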