win.blindingcan

BLINDINGCAN

aka: DRATzarus RAT

Actor(s): Lazarus Group


According to SentinelOne, this RAT can gather and transmit a defined set of system features, create/terminate/manipulate processes and files, and has self-updating and deletion capability.

References
2021-02-28 | PWC UK | PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2020-12-15 | HvS-Consulting AG | HvS-Consulting AG
@techreport{ag:20201215:greetings:a5b59d9, author = {HvS-Consulting AG}, title = {{Greetings from Lazarus Anatomy of a cyber espionage campaign}}, date = {2020-12-15}, institution = {HvS-Consulting AG}, url = {https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf}, language = {English}, urldate = {2020-12-16} } Greetings from Lazarus Anatomy of a cyber espionage campaign
BLINDINGCAN MimiKatz
2020-12-15 | HvS-Consulting AG | HvS-Consulting AG
@online{ag:20201215:greetings:452ef44, author = {HvS-Consulting AG}, title = {{Greetings from Lazarus: Anatomy of a cyber espionage campaign}}, date = {2020-12-15}, organization = {HvS-Consulting AG}, url = {https://www.hvs-consulting.de/lazarus-report/}, language = {English}, urldate = {2021-01-21} } Greetings from Lazarus: Anatomy of a cyber espionage campaign
BLINDINGCAN MimiKatz Lazarus Group
2020-09-29 | JPCERT/CC | Shusei Tomonaga
@online{tomonaga:20200929:blindingcan:a85ca22, author = {Shusei Tomonaga}, title = {{BLINDINGCAN - Malware Used by Lazarus}}, date = {2020-09-29}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html}, language = {English}, urldate = {2020-10-02} } BLINDINGCAN - Malware Used by Lazarus
BLINDINGCAN Lazarus Group
2020-08-31 | SentinelOne | Jim Walter
@online{walter:20200831:blindingcan:cdb0ffc, author = {Jim Walter}, title = {{The BLINDINGCAN RAT and Malicious North Korean Activity}}, date = {2020-08-31}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/the-blindingcan-rat-and-malicious-north-korean-activity/}, language = {English}, urldate = {2020-09-01} } The BLINDINGCAN RAT and Malicious North Korean Activity
BLINDINGCAN
2020-08-19 | US-CERT | US-CERT
@online{uscert:20200819:malware:63a2025, author = {US-CERT}, title = {{Malware Analysis Report (AR20-232A)}}, date = {2020-08-19}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a}, language = {English}, urldate = {2020-09-01} } Malware Analysis Report (AR20-232A)
Bankshot BLINDINGCAN
Yara Rules
[TLP:WHITE] win_blindingcan_auto (20211008 | Detects win.blindingcan.)
rule win_blindingcan_auto {
    // Auto-generated (yara-signator) rule for win.blindingcan. Each $sequence_N
    // is a byte pattern lifted from disassembly of Malpedia samples; the
    // disassembly listing kept under each pattern is a reading aid only, the
    // hex pattern is what YARA matches. The "score" values in those listings
    // are emitted by the generator and their exact semantics are tool-defined.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.blindingcan."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // $sequence_0/1/2/5/6/7 are runs of `mov dword ptr [ebp - X], imm32`
        // into consecutive stack slots (offsets step by 4): a constant table
        // built on the stack. What the constants encode (key material, an
        // obfuscated string, ...) cannot be told from the rule alone; they are
        // specific to the analysed sample and may change between builds.
        $sequence_0 = { c785ecfcffff529bba20 c785f0fcffffb219e08f c785f4fcffff7939d39d c785f8fcffffe25fcedf }
            // n = 4, score = 300
            //   c785ecfcffff529bba20     | mov    dword ptr [ebp - 0x314], 0x20ba9b52
            //   c785f0fcffffb219e08f     | mov    dword ptr [ebp - 0x310], 0x8fe019b2
            //   c785f4fcffff7939d39d     | mov    dword ptr [ebp - 0x30c], 0x9dd33979
            //   c785f8fcffffe25fcedf     | mov    dword ptr [ebp - 0x308], 0xdfce5fe2

        $sequence_1 = { c78540ffffff58ae20c3 c78544ffffffbc77a3dc c78548ffffffcc055897 c7854cffffff7c1e00d1 c78550ffffffcc3e05db c78554ffffffadda5315 }
            // n = 6, score = 300
            //   c78540ffffff58ae20c3     | mov    dword ptr [ebp - 0xc0], 0xc320ae58
            //   c78544ffffffbc77a3dc     | mov    dword ptr [ebp - 0xbc], 0xdca377bc
            //   c78548ffffffcc055897     | mov    dword ptr [ebp - 0xb8], 0x975805cc
            //   c7854cffffff7c1e00d1     | mov    dword ptr [ebp - 0xb4], 0xd1001e7c
            //   c78550ffffffcc3e05db     | mov    dword ptr [ebp - 0xb0], 0xdb053ecc
            //   c78554ffffffadda5315     | mov    dword ptr [ebp - 0xac], 0x1553daad

        $sequence_2 = { c78558feffff10c0aac6 c7855cfeffff489a8471 c78560feffff9cab4ad6 c78564feffff67cf2900 c78568feffff02dbaeb5 c7856cfeffffebe25848 }
            // n = 6, score = 300
            //   c78558feffff10c0aac6     | mov    dword ptr [ebp - 0x1a8], 0xc6aac010
            //   c7855cfeffff489a8471     | mov    dword ptr [ebp - 0x1a4], 0x71849a48
            //   c78560feffff9cab4ad6     | mov    dword ptr [ebp - 0x1a0], 0xd64aab9c
            //   c78564feffff67cf2900     | mov    dword ptr [ebp - 0x19c], 0x29cf67
            //   c78568feffff02dbaeb5     | mov    dword ptr [ebp - 0x198], 0xb5aedb02
            //   c7856cfeffffebe25848     | mov    dword ptr [ebp - 0x194], 0x4858e2eb

        // $sequence_3: tail of a byte-wise loop (counter decrement, compare
        // against 1, backward jge, byte load from [esi + ecx - 1]). Short and
        // fairly generic; it contributes to the 7-of threshold rather than
        // identifying the family on its own.
        $sequence_3 = { 48 83f801 7df3 8a440eff }
            // n = 4, score = 300
            //   48                   | dec                 eax
            //   83f801               | cmp                 eax, 1
            //   7df3                 | jge                 0xfffffff5
            //   8a440eff             | mov                 al, byte ptr [esi + ecx - 1]

        // $sequence_4: `neg eax; sbb eax, eax; and eax, 2` is the branchless
        // "(eax != 0) ? 2 : 0" idiom, and `mov ecx, [ebp - 8]; xor ecx, ebp`
        // looks like an MSVC stack-cookie check. This is compiler-generated
        // boilerplate rather than family-specific logic, so treat it as weak
        // evidence by itself.
        $sequence_4 = { 8b4df8 83c40c f7d8 1bc0 83e002 33cd }
            // n = 6, score = 300
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   83c40c               | add                 esp, 0xc
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax
            //   83e002               | and                 eax, 2
            //   33cd                 | xor                 ecx, ebp

        $sequence_5 = { c745ccec723768 c745d01a51c3d9 c745d46744180d c745d8f55e7aea }
            // n = 4, score = 300
            //   c745ccec723768       | mov                 dword ptr [ebp - 0x34], 0x683772ec
            //   c745d01a51c3d9       | mov                 dword ptr [ebp - 0x30], 0xd9c3511a
            //   c745d46744180d       | mov                 dword ptr [ebp - 0x2c], 0xd184467
            //   c745d8f55e7aea       | mov                 dword ptr [ebp - 0x28], 0xea7a5ef5

        $sequence_6 = { c78504feffff51456b07 c78508feffff788f2ba1 c7850cfeffff02c729c1 c78510feffffe7d792f3 c78514feffff91323bf3 }
            // n = 5, score = 300
            //   c78504feffff51456b07     | mov    dword ptr [ebp - 0x1fc], 0x76b4551
            //   c78508feffff788f2ba1     | mov    dword ptr [ebp - 0x1f8], 0xa12b8f78
            //   c7850cfeffff02c729c1     | mov    dword ptr [ebp - 0x1f4], 0xc129c702
            //   c78510feffffe7d792f3     | mov    dword ptr [ebp - 0x1f0], 0xf392d7e7
            //   c78514feffff91323bf3     | mov    dword ptr [ebp - 0x1ec], 0xf33b3291

        $sequence_7 = { c7851cfeffffca0f3f3b c78520feffff879d0358 c78524feffffa1e40f11 c78528feffff91d87472 c7852cfeffff05d2ecb6 c78530feffff0dc9ffe5 }
            // n = 6, score = 300
            //   c7851cfeffffca0f3f3b     | mov    dword ptr [ebp - 0x1e4], 0x3b3f0fca
            //   c78520feffff879d0358     | mov    dword ptr [ebp - 0x1e0], 0x58039d87
            //   c78524feffffa1e40f11     | mov    dword ptr [ebp - 0x1dc], 0x110fe4a1
            //   c78528feffff91d87472     | mov    dword ptr [ebp - 0x1d8], 0x7274d891
            //   c7852cfeffff05d2ecb6     | mov    dword ptr [ebp - 0x1d4], 0xb6ecd205
            //   c78530feffff0dc9ffe5     | mov    dword ptr [ebp - 0x1d0], 0xe5ffc90d

        // $sequence_8/9: generic call/test/je and cdq/idiv/mov fragments. The
        // `e8????????` wildcards mask the call displacements, which is what
        // lets these survive relocation between builds.
        $sequence_8 = { 8bca e8???????? 85c0 7409 e8???????? }
            // n = 5, score = 200
            //   8bca                 | mov                 ecx, edx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7409                 | je                  0xb
            //   e8????????           |                     

        $sequence_9 = { 99 f7fe 8bca e8???????? }
            // n = 4, score = 200
            //   99                   | cdq                 
            //   f7fe                 | idiv                esi
            //   8bca                 | mov                 ecx, edx
            //   e8????????           |                     

        // $sequence_10..15 begin with 41/42/45/48/49/4c bytes, consistent with
        // REX prefixes from a 64-bit build (e.g. `488bc8` is `mov rcx, rax` in
        // 64-bit mode), but the listings below decode them as 32-bit opcodes
        // (`dec ecx`, `inc edx`) and appear misaligned against the hex. Do not
        // rely on those mnemonics; the hex patterns themselves are unaffected.
        // Their lower score (100) relative to the sequences above is as emitted
        // by the generator.
        $sequence_10 = { ff15???????? 488bc8 ff15???????? 488d15a0920000 488bce 488905???????? }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   488bc8               | dec                 ecx
            //   ff15????????         |                     
            //   488d15a0920000       | sub                 ecx, edi
            //   488bce               | dec                 esp
            //   488905????????       |                     

        $sequence_11 = { 8801 4903cf 492bd7 75e2 4885d2 7503 492bcf }
            // n = 7, score = 100
            //   8801                 | inc                 edx
            //   4903cf               | movzx               edx, byte ptr [esp + eax + 0x20]
            //   492bd7               | add                 bl, dl
            //   75e2                 | movzx               ecx, bl
            //   4885d2               | mov                 al, byte ptr [esp + ecx + 0x20]
            //   7503                 | inc                 edx
            //   492bcf               | mov                 byte ptr [esp + eax + 0x20], al

        $sequence_12 = { 41fec3 450fb6c3 420fb6540420 02da 0fb6cb 8a440c20 4288440420 }
            // n = 7, score = 100
            //   41fec3               | dec                 esp
            //   450fb6c3             | mov                 ecx, dword ptr [esp + 0x30]
            //   420fb6540420         | lea                 ecx, dword ptr [ebx + eax + 0x10]
            //   02da                 | inc                 ecx
            //   0fb6cb               | inc                 bl
            //   8a440c20             | inc                 ebp
            //   4288440420           | movzx               eax, bl

        $sequence_13 = { e8???????? 4c8d9c2470170000 498b5b30 498b7338 498b7b40 498be3 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   4c8d9c2470170000     | mov                 byte ptr [ecx], al
            //   498b5b30             | dec                 ecx
            //   498b7338             | add                 ecx, edi
            //   498b7b40             | dec                 ecx
            //   498be3               | sub                 edx, edi

        $sequence_14 = { c745c420000000 ff15???????? 85c0 0f84d1000000 488d0d8dd30100 e8???????? }
            // n = 6, score = 100
            //   c745c420000000       | jne                 0xffffffe7
            //   ff15????????         |                     
            //   85c0                 | dec                 eax
            //   0f84d1000000         | test                edx, edx
            //   488d0d8dd30100       | jne                 0xd
            //   e8????????           |                     

        $sequence_15 = { 4889442440 ff15???????? 488d4c247c 8bd8 ff15???????? 4c8b4c2430 8d4c0310 }
            // n = 7, score = 100
            //   4889442440           | dec                 eax
            //   ff15????????         |                     
            //   488d4c247c           | mov                 dword ptr [esp + 0x40], eax
            //   8bd8                 | dec                 eax
            //   ff15????????         |                     
            //   4c8b4c2430           | lea                 ecx, dword ptr [esp + 0x7c]
            //   8d4c0310             | mov                 ebx, eax

    condition:
        // 7 of the 16 sequences must be present and the scanned object must be
        // smaller than 363520 bytes (0x58c00). The 7-of threshold is what keeps
        // the generic fragments ($sequence_3/4/8/9) from matching on their own.
        // `filesize` is defined for file scans; check your YARA version's
        // behaviour before relying on this cap when scanning process memory.
        7 of them and filesize < 363520
}
[TLP:WHITE] win_blindingcan_w0   (20200901 | Detects 32bit HiddenCobra BLINDINGCAN Trojan RAT)
rule win_blindingcan_w0 {
   // CISA rule (source: AR20-232A) for the 32-bit BLINDINGCAN RAT. Three
   // independent byte patterns; any single one is enough to match.
   meta:
       author = "CISA Code & Media Analysis"
       incident = "10135536"
       date = "2018-05-04"
       actor = "Lazarus Group"
       actor_type = "APT"
       category = "malware"
       family = "BLINDINGCAN"
       description = "Detects 32bit HiddenCobra BLINDINGCAN Trojan RAT"
       hash = "1ee75106a9113b116c54e7a5954950065b809e0bb4dd0a91dc76f778508c7954"
       hash = "7dce6f30e974ed97a3ed024d4c62350f9396310603e185a753b63a1f9a2d5799"
       hash = "96721e13bae587c75618566111675dec2d61f9f5d16e173e69bb42ad7cb2dd8a"
       hash = "f71d67659baf0569143874d5d1c5a4d655c7d296b2e86be1b8f931c2335c0cd3"
       source = "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a"
       malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan"
       malpedia_version = "20200901"
       malpedia_sharing = "TLP:WHITE"
       malpedia_license = ""
   strings:
       // $s0: four `mov dword ptr [ebp - 0x14 .. -0x08], imm32` stores (C7 45 xx).
       // In memory order the immediates read 0D 06 09 2A 86 48 86 F7 0D 01 01 01
       // 05 00 03 82, which is consistent with a DER AlgorithmIdentifier for
       // rsaEncryption (OID 1.2.840.113549.1.1.1 followed by NULL) and the start
       // of the BIT STRING of an RSA SubjectPublicKeyInfo, built on the stack.
       // That prefix is the same for any RSA public key, so unrelated 32-bit
       // binaries that stack-build a key at the same frame offsets can also hit.
       $s0 = { C7 45 EC 0D 06 09 2A C7 45 F0 86 48 86 F7 C7 45 F4 0D 01 01 01 C7 45 F8 05 00 03 82 }
       // $s1: ASCII "PMS*.tmp" - a temp-file name pattern. Short plain text,
       // so hits on this string alone deserve a second look.
       $s1 = { 50 4D 53 2A 2E 74 6D 70 }
       // $s2: 24 opaque bytes; the rule does not document what they are.
       $s2 = { 79 67 60 3C 77 F9 BA 77 7A 56 1B 68 51 26 11 96 B7 98 71 39 82 B0 81 78 }
   condition:
       // A single string hit is sufficient; no file-type (MZ) or size
       // constraint is applied, so the rule also matches carved data and
       // memory regions.
       any of them
}