win.blindingcan

BLINDINGCAN

aka: DRATzarus RAT

Actor(s): Lazarus Group


According to SentinelOne, this RAT can gather and transmit a defined set of system features, create, terminate and manipulate processes and files, and has self-updating and self-deletion capability.

References
2021-02-28 | PWC UK | PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2020-12-15 | HvS-Consulting AG | HvS-Consulting AG
@techreport{ag:20201215:greetings:a5b59d9, author = {HvS-Consulting AG}, title = {{Greetings from Lazarus Anatomy of a cyber espionage campaign}}, date = {2020-12-15}, institution = {HvS-Consulting AG}, url = {https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf}, language = {English}, urldate = {2020-12-16} } Greetings from Lazarus Anatomy of a cyber espionage campaign
BLINDINGCAN MimiKatz
2020-12-15 | HvS-Consulting AG | HvS-Consulting AG
@online{ag:20201215:greetings:452ef44, author = {HvS-Consulting AG}, title = {{Greetings from Lazarus: Anatomy of a cyber espionage campaign}}, date = {2020-12-15}, organization = {HvS-Consulting AG}, url = {https://www.hvs-consulting.de/lazarus-report/}, language = {English}, urldate = {2021-01-21} } Greetings from Lazarus: Anatomy of a cyber espionage campaign
BLINDINGCAN MimiKatz Lazarus Group
2020-09-29 | JPCERT/CC | Shusei Tomonaga
@online{tomonaga:20200929:blindingcan:a85ca22, author = {Shusei Tomonaga}, title = {{BLINDINGCAN - Malware Used by Lazarus}}, date = {2020-09-29}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html}, language = {English}, urldate = {2020-10-02} } BLINDINGCAN - Malware Used by Lazarus
BLINDINGCAN Lazarus Group
2020-08-31 | SentinelOne | Jim Walter
@online{walter:20200831:blindingcan:cdb0ffc, author = {Jim Walter}, title = {{The BLINDINGCAN RAT and Malicious North Korean Activity}}, date = {2020-08-31}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/the-blindingcan-rat-and-malicious-north-korean-activity/}, language = {English}, urldate = {2020-09-01} } The BLINDINGCAN RAT and Malicious North Korean Activity
BLINDINGCAN
2020-08-19 | US-CERT | US-CERT
@online{uscert:20200819:malware:63a2025, author = {US-CERT}, title = {{Malware Analysis Report (AR20-232A)}}, date = {2020-08-19}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a}, language = {English}, urldate = {2020-09-01} } Malware Analysis Report (AR20-232A)
Bankshot BLINDINGCAN
Yara Rules
[TLP:WHITE] win_blindingcan_auto (20220516 | Detects win.blindingcan.)
rule win_blindingcan_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.blindingcan."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review)
     * Each "n = N" comment gives the number of instructions in the sequence;
     * "score" is the generator's own ranking value and is not interpreted here.
     * $sequence_0..2 and $sequence_4..6 are runs of `mov dword ptr [ebp - X], imm32`
     * writing consecutive 32-bit constants to the stack frame; what the constants
     * are used for is not documented in this rule - TODO confirm against the samples.
     * $sequence_9..15 carry REX prefixes (0x41/0x42/0x44/0x45/0x48/0x4c) and are
     * therefore 64-bit code. The generator's original annotations next to them were
     * 32-bit decodings and misaligned by one instruction; they have been replaced
     * with x86-64 decodings below (byte patterns themselves are untouched).
     * Coverage caveat: the condition needs 7 of 16 strings. Sequences 0-8 are
     * 32-bit encodings and 9-15 are 64-bit, so a 64-bit sample presumably has to
     * match all seven of $sequence_9..15 - expect weaker generalization on x64
     * builds than on 32-bit ones.
     */

    strings:
        $sequence_0 = { c785c8feffff1ce6ae9e c785ccfeffff64ceb0a1 c785d0feffff2d58cb71 c785d4feffff62c2f218 c785d8feffffcbdb9298 }
            // n = 5, score = 300
            //   c785c8feffff1ce6ae9e     | mov    dword ptr [ebp - 0x138], 0x9eaee61c
            //   c785ccfeffff64ceb0a1     | mov    dword ptr [ebp - 0x134], 0xa1b0ce64
            //   c785d0feffff2d58cb71     | mov    dword ptr [ebp - 0x130], 0x71cb582d
            //   c785d4feffff62c2f218     | mov    dword ptr [ebp - 0x12c], 0x18f2c262
            //   c785d8feffffcbdb9298     | mov    dword ptr [ebp - 0x128], 0x9892dbcb

        $sequence_1 = { c785a0fdffffb3b6e867 c785a4fdffff168f3833 c785a8fdffff226a96b8 c785acfdffffb98e4904 c785b0fdffff07e62ccf c785b4fdffff23810ef7 }
            // n = 6, score = 300
            //   c785a0fdffffb3b6e867     | mov    dword ptr [ebp - 0x260], 0x67e8b6b3
            //   c785a4fdffff168f3833     | mov    dword ptr [ebp - 0x25c], 0x33388f16
            //   c785a8fdffff226a96b8     | mov    dword ptr [ebp - 0x258], 0xb8966a22
            //   c785acfdffffb98e4904     | mov    dword ptr [ebp - 0x254], 0x4498eb9
            //   c785b0fdffff07e62ccf     | mov    dword ptr [ebp - 0x250], 0xcf2ce607
            //   c785b4fdffff23810ef7     | mov    dword ptr [ebp - 0x24c], 0xf70e8123

        $sequence_2 = { c745803b1456ad c74584cac240c7 c74588788e35c9 c7458cb6293481 c745902cab593c c74594a5337503 }
            // n = 6, score = 300
            //   c745803b1456ad       | mov                 dword ptr [ebp - 0x80], 0xad56143b
            //   c74584cac240c7       | mov                 dword ptr [ebp - 0x7c], 0xc740c2ca
            //   c74588788e35c9       | mov                 dword ptr [ebp - 0x78], 0xc9358e78
            //   c7458cb6293481       | mov                 dword ptr [ebp - 0x74], 0x813429b6
            //   c745902cab593c       | mov                 dword ptr [ebp - 0x70], 0x3c59ab2c
            //   c74594a5337503       | mov                 dword ptr [ebp - 0x6c], 0x37533a5

        $sequence_3 = { 8bec 51 68dd020000 6a00 68???????? }
            // n = 5, score = 300
            // function prologue followed by pushed arguments; the wildcarded push is a
            // relocated immediate (address), so it is left unspecified by the generator
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   68dd020000           | push                0x2dd
            //   6a00                 | push                0
            //   68????????           |                     

        $sequence_4 = { c785d4feffff62c2f218 c785d8feffffcbdb9298 c785dcfeffff85b369f5 c785e0feffffe981ae61 }
            // n = 4, score = 300
            // overlaps the tail of $sequence_0 (same two stores at ebp-0x12c/-0x128)
            //   c785d4feffff62c2f218     | mov    dword ptr [ebp - 0x12c], 0x18f2c262
            //   c785d8feffffcbdb9298     | mov    dword ptr [ebp - 0x128], 0x9892dbcb
            //   c785dcfeffff85b369f5     | mov    dword ptr [ebp - 0x124], 0xf569b385
            //   c785e0feffffe981ae61     | mov    dword ptr [ebp - 0x120], 0x61ae81e9

        $sequence_5 = { c78568ffffff556d0621 c7856cffffffb32e0cc8 c78570ffffff1af7f3b4 c78574ffffff9dd490d9 c78578ffffffb9d6b365 c7857cffffffd5b8ff4c }
            // n = 6, score = 300
            //   c78568ffffff556d0621     | mov    dword ptr [ebp - 0x98], 0x21066d55
            //   c7856cffffffb32e0cc8     | mov    dword ptr [ebp - 0x94], 0xc80c2eb3
            //   c78570ffffff1af7f3b4     | mov    dword ptr [ebp - 0x90], 0xb4f3f71a
            //   c78574ffffff9dd490d9     | mov    dword ptr [ebp - 0x8c], 0xd990d49d
            //   c78578ffffffb9d6b365     | mov    dword ptr [ebp - 0x88], 0x65b3d6b9
            //   c7857cffffffd5b8ff4c     | mov    dword ptr [ebp - 0x84], 0x4cffb8d5

        $sequence_6 = { c78504feffff51456b07 c78508feffff788f2ba1 c7850cfeffff02c729c1 c78510feffffe7d792f3 c78514feffff91323bf3 }
            // n = 5, score = 300
            //   c78504feffff51456b07     | mov    dword ptr [ebp - 0x1fc], 0x76b4551
            //   c78508feffff788f2ba1     | mov    dword ptr [ebp - 0x1f8], 0xa12b8f78
            //   c7850cfeffff02c729c1     | mov    dword ptr [ebp - 0x1f4], 0xc129c702
            //   c78510feffffe7d792f3     | mov    dword ptr [ebp - 0x1f0], 0xf392d7e7
            //   c78514feffff91323bf3     | mov    dword ptr [ebp - 0x1ec], 0xf33b3291

        $sequence_7 = { 83eb60 ff15???????? 6bf61a 03f7 6bf61a 03c3 }
            // n = 6, score = 300
            // the wildcarded ff15 is an indirect call through a relocated pointer (import-style)
            //   83eb60               | sub                 ebx, 0x60
            //   ff15????????         |                     
            //   6bf61a               | imul                esi, esi, 0x1a
            //   03f7                 | add                 esi, edi
            //   6bf61a               | imul                esi, esi, 0x1a
            //   03c3                 | add                 eax, ebx

        $sequence_8 = { f7fe 8bca e8???????? 85c0 7409 }
            // n = 5, score = 200
            //   f7fe                 | idiv                esi
            //   8bca                 | mov                 ecx, edx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7409                 | je                  0xb

        $sequence_9 = { 488d4c2450 4533c9 ba00000080 89742428 4489442420 ff15???????? 4883cbff }
            // n = 7, score = 100
            // x86-64 decoding (review-corrected); stack-slot argument setup before an indirect call
            //   488d4c2450           | lea                 rcx, [rsp + 0x50]
            //   4533c9               | xor                 r9d, r9d
            //   ba00000080           | mov                 edx, 0x80000000
            //   89742428             | mov                 dword ptr [rsp + 0x28], esi
            //   4489442420           | mov                 dword ptr [rsp + 0x20], r8d
            //   ff15????????         |                     
            //   4883cbff             | or                  rbx, -1

        $sequence_10 = { 48397c2448 7419 488b4b08 41b918000000 4c8d442440 418d510e ff15???????? }
            // n = 7, score = 100
            // x86-64 decoding (review-corrected)
            //   48397c2448           | cmp                 qword ptr [rsp + 0x48], rdi
            //   7419                 | je                  0x1b
            //   488b4b08             | mov                 rcx, qword ptr [rbx + 8]
            //   41b918000000         | mov                 r9d, 0x18
            //   4c8d442440           | lea                 r8, [rsp + 0x40]
            //   418d510e             | lea                 edx, [r9 + 0xe]
            //   ff15????????         |                     

        $sequence_11 = { 488bd0 488bd8 ff15???????? 8bf8 3d04010000 7665 488bcb }
            // n = 7, score = 100
            // x86-64 decoding (review-corrected); return value compared against 0x104
            //   488bd0               | mov                 rdx, rax
            //   488bd8               | mov                 rbx, rax
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   3d04010000           | cmp                 eax, 0x104
            //   7665                 | jbe                 0x67
            //   488bcb               | mov                 rcx, rbx

        $sequence_12 = { 488b0d???????? 448bcb 6641b89019 e8???????? 488bcf f7d8 1bdb }
            // n = 7, score = 100
            // x86-64 decoding (review-corrected); neg/sbb pair turns eax != 0 into ebx = -1
            //   488b0d????????       |                     
            //   448bcb               | mov                 r9d, ebx
            //   6641b89019           | mov                 r8w, 0x1990
            //   e8????????           |                     
            //   488bcf               | mov                 rcx, rdi
            //   f7d8                 | neg                 eax
            //   1bdb                 | sbb                 ebx, ebx

        $sequence_13 = { 488d82fefbff7f 4885c0 7417 410fb7440d00 6685c0 740c 668901 }
            // n = 7, score = 100
            // x86-64 decoding (review-corrected); 16-bit element copy guarded by a NUL test
            //   488d82fefbff7f       | lea                 rax, [rdx + 0x7ffffbfe]
            //   4885c0               | test                rax, rax
            //   7417                 | je                  0x19
            //   410fb7440d00         | movzx               eax, word ptr [r13 + rcx]
            //   6685c0               | test                ax, ax
            //   740c                 | je                  0xe
            //   668901               | mov                 word ptr [rcx], ax

        $sequence_14 = { 0fb6c8 420fb6842110ad0100 418b4b08 33d0 418b4304 3317 4803fd }
            // n = 7, score = 100
            // x86-64 decoding (review-corrected); byte-indexed table lookup xor'd into edx
            //   0fb6c8               | movzx               ecx, al
            //   420fb6842110ad0100   | movzx               eax, byte ptr [rcx + r12 + 0x1ad10]
            //   418b4b08             | mov                 ecx, dword ptr [r11 + 8]
            //   33d0                 | xor                 edx, eax
            //   418b4304             | mov                 eax, dword ptr [r11 + 4]
            //   3317                 | xor                 edx, dword ptr [rdi]
            //   4803fd               | add                 rdi, rbp

        $sequence_15 = { 488d158c230100 483950f0 740b 488b10 4885d2 7403 f0ff02 }
            // n = 7, score = 100
            // x86-64 decoding (review-corrected); locked increment of a counter reached via [rax]
            //   488d158c230100       | lea                 rdx, [rip + 0x1238c]
            //   483950f0             | cmp                 qword ptr [rax - 0x10], rdx
            //   740b                 | je                  0xd
            //   488b10               | mov                 rdx, qword ptr [rax]
            //   4885d2               | test                rdx, rdx
            //   7403                 | je                  0x5
            //   f0ff02               | lock inc            dword ptr [rdx]

    condition:
        // 7 of the 16 byte sequences above, bounded to files under 355 KiB
        7 of them and filesize < 363520
}
[TLP:WHITE] win_blindingcan_w0 (20200901 | Detects 32bit HiddenCobra BLINDINGCAN Trojan RAT)
rule win_blindingcan_w0 {
   meta:
       author = "CISA Code & Media Analysis"
       incident = "10135536"
       date = "2018-05-04"
       actor = "Lazarus Group"
       actor_type = "APT"
       category = "malware"
       family = "BLINDINGCAN"
       description = "Detects 32bit HiddenCobra BLINDINGCAN Trojan RAT"
       hash = "1ee75106a9113b116c54e7a5954950065b809e0bb4dd0a91dc76f778508c7954"
       hash = "7dce6f30e974ed97a3ed024d4c62350f9396310603e185a753b63a1f9a2d5799"
       hash = "96721e13bae587c75618566111675dec2d61f9f5d16e173e69bb42ad7cb2dd8a"
       hash = "f71d67659baf0569143874d5d1c5a4d655c7d296b2e86be1b8f931c2335c0cd3"
       source = "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a"
       malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan"
       malpedia_version = "20200901"
       malpedia_sharing = "TLP:WHITE"
       malpedia_license = ""  // NOTE(review): left empty in the published rule
   strings:
       /* NOTE(review)
        * $s0 decodes as four `mov dword ptr [ebp - 0x14 .. ebp - 0x08], imm32` stores
        * that place 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 on the stack.
        * That byte run looks like the DER tail of an rsaEncryption AlgorithmIdentifier
        * (OID 1.2.840.113549.1.1.1 with NULL parameters) followed by a BIT STRING tag,
        * i.e. the start of an RSA SubjectPublicKeyInfo assembled from immediates -
        * confirm against the listed samples. Other software that embeds a public key
        * the same way could match this string as well.
        * $s1 is the ASCII string "PMS*.tmp" (a temp-file name pattern).
        * $s2 is a 24-byte constant whose meaning is not documented in this rule.
        * The condition is `any of them`, so a hit on $s1 alone fires the rule;
        * triage single-string hits before attributing them to BLINDINGCAN.
        */
       $s0 = { C7 45 EC 0D 06 09 2A C7 45 F0 86 48 86 F7 C7 45 F4 0D 01 01 01 C7 45 F8 05 00 03 82 }
       $s1 = { 50 4D 53 2A 2E 74 6D 70 }
       $s2 = { 79 67 60 3C 77 F9 BA 77 7A 56 1B 68 51 26 11 96 B7 98 71 39 82 B0 81 78 }
   condition:
       any of them
}