
BLINDINGCAN

aka: DRATzarus RAT

Actor(s): Lazarus Group


According to SentinelOne, this RAT can gather and transmit a defined set of system features, create/terminate/manipulate processes and files, and has self-updating and deletion capability.

References
2021-02-28 · PWC UK · PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2020-12-15 · HvS-Consulting AG · HvS-Consulting AG
@techreport{ag:20201215:greetings:a5b59d9, author = {HvS-Consulting AG}, title = {{Greetings from Lazarus Anatomy of a cyber espionage campaign}}, date = {2020-12-15}, institution = {HvS-Consulting AG}, url = {https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf}, language = {English}, urldate = {2020-12-16} } Greetings from Lazarus Anatomy of a cyber espionage campaign
BLINDINGCAN MimiKatz
2020-12-15 · HvS-Consulting AG · HvS-Consulting AG
@online{ag:20201215:greetings:452ef44, author = {HvS-Consulting AG}, title = {{Greetings from Lazarus: Anatomy of a cyber espionage campaign}}, date = {2020-12-15}, organization = {HvS-Consulting AG}, url = {https://www.hvs-consulting.de/lazarus-report/}, language = {English}, urldate = {2021-01-21} } Greetings from Lazarus: Anatomy of a cyber espionage campaign
BLINDINGCAN MimiKatz Lazarus Group
2020-09-29 · JPCERT/CC · Shusei Tomonaga
@online{tomonaga:20200929:blindingcan:a85ca22, author = {Shusei Tomonaga}, title = {{BLINDINGCAN - Malware Used by Lazarus}}, date = {2020-09-29}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html}, language = {English}, urldate = {2020-10-02} } BLINDINGCAN - Malware Used by Lazarus
BLINDINGCAN Lazarus Group
2020-08-31 · SentinelOne · Jim Walter
@online{walter:20200831:blindingcan:cdb0ffc, author = {Jim Walter}, title = {{The BLINDINGCAN RAT and Malicious North Korean Activity}}, date = {2020-08-31}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/the-blindingcan-rat-and-malicious-north-korean-activity/}, language = {English}, urldate = {2020-09-01} } The BLINDINGCAN RAT and Malicious North Korean Activity
BLINDINGCAN
2020-08-19 · US-CERT · US-CERT
@online{uscert:20200819:malware:63a2025, author = {US-CERT}, title = {{Malware Analysis Report (AR20-232A)}}, date = {2020-08-19}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a}, language = {English}, urldate = {2020-09-01} } Malware Analysis Report (AR20-232A)
Bankshot BLINDINGCAN
Yara Rules
[TLP:WHITE] win_blindingcan_auto (20210616 | Detects win.blindingcan.)
rule win_blindingcan_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.blindingcan."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): what the sequences are.
     * $sequence_0..$sequence_7 and $sequence_11 are runs of
     * `mov dword ptr [ebp/rbp +/- N], imm32` stores at consecutive stack slots:
     * the compiler is materialising an embedded constant table on the stack
     * (the payload bytes are the imm32 values, little-endian). $sequence_8 and
     * $sequence_9 are short generic code idioms. $sequence_10 and
     * $sequence_12..$sequence_15 carry REX prefixes (0x4c/0x48/0x44/0x49) and are
     * therefore x86-64 code; the generator's annotations for those were produced
     * by a 32-bit decoder (REX shown as "dec eax") and were also shifted between
     * sequences, so they are re-decoded from the bytes below.
     * The "n = ..., score = ..." lines are the generator's own statistics and
     * are kept verbatim; their exact meaning is defined by yara-signator.
     */

    strings:
        $sequence_0 = { c785b4feffff607960b9 c785b8feffff2109b8da c785bcfeffff91fd949b c785c0feffff10d43c68 }
            // n = 4, score = 300
            //   c785b4feffff607960b9     | mov    dword ptr [ebp - 0x14c], 0xb9607960
            //   c785b8feffff2109b8da     | mov    dword ptr [ebp - 0x148], 0xdab80921
            //   c785bcfeffff91fd949b     | mov    dword ptr [ebp - 0x144], 0x9b94fd91
            //   c785c0feffff10d43c68     | mov    dword ptr [ebp - 0x140], 0x683cd410

        $sequence_1 = { c7854cffffff7c1e00d1 c78550ffffffcc3e05db c78554ffffffadda5315 c78558ffffffc1f11e5e }
            // n = 4, score = 300
            //   c7854cffffff7c1e00d1     | mov    dword ptr [ebp - 0xb4], 0xd1001e7c
            //   c78550ffffffcc3e05db     | mov    dword ptr [ebp - 0xb0], 0xdb053ecc
            //   c78554ffffffadda5315     | mov    dword ptr [ebp - 0xac], 0x1553daad
            //   c78558ffffffc1f11e5e     | mov    dword ptr [ebp - 0xa8], 0x5e1ef1c1

        $sequence_2 = { c78550fefffff76c7e7e c78554feffffa14b0c27 c78558feffff10c0aac6 c7855cfeffff489a8471 }
            // n = 4, score = 300
            // The last two stores are also the first two stores of $sequence_6, so
            // both sequences can fire on the same stretch of code.
            //   c78550fefffff76c7e7e     | mov    dword ptr [ebp - 0x1b0], 0x7e7e6cf7
            //   c78554feffffa14b0c27     | mov    dword ptr [ebp - 0x1ac], 0x270c4ba1
            //   c78558feffff10c0aac6     | mov    dword ptr [ebp - 0x1a8], 0xc6aac010
            //   c7855cfeffff489a8471     | mov    dword ptr [ebp - 0x1a4], 0x71849a48

        $sequence_3 = { c745a4a603ff93 c745a8ef9300aa c745ac84b1df57 c745b0c8cbfee9 c745b4567e337f c745b8e958e686 }
            // n = 6, score = 300
            //   c745a4a603ff93       | mov                 dword ptr [ebp - 0x5c], 0x93ff03a6
            //   c745a8ef9300aa       | mov                 dword ptr [ebp - 0x58], 0xaa0093ef
            //   c745ac84b1df57       | mov                 dword ptr [ebp - 0x54], 0x57dfb184
            //   c745b0c8cbfee9       | mov                 dword ptr [ebp - 0x50], 0xe9fecbc8
            //   c745b4567e337f       | mov                 dword ptr [ebp - 0x4c], 0x7f337e56
            //   c745b8e958e686       | mov                 dword ptr [ebp - 0x48], 0x86e658e9

        $sequence_4 = { c78504fdfffff79d6681 c78508fdffffbfa7f8a5 c7850cfdffffa0118db8 c78510fdffff4d3feb78 }
            // n = 4, score = 300
            //   c78504fdfffff79d6681     | mov    dword ptr [ebp - 0x2fc], 0x81669df7
            //   c78508fdffffbfa7f8a5     | mov    dword ptr [ebp - 0x2f8], 0xa5f8a7bf
            //   c7850cfdffffa0118db8     | mov    dword ptr [ebp - 0x2f4], 0xb88d11a0
            //   c78510fdffff4d3feb78     | mov    dword ptr [ebp - 0x2f0], 0x78eb3f4d

        $sequence_5 = { c78544fdffffd392697f c78548fdffff8c2f4379 c7854cfdffff4e2ab8de c78550fdffff6fd03dac c78554fdffff18fdecc4 c78558fdffff850d28e7 }
            // n = 6, score = 300
            //   c78544fdffffd392697f     | mov    dword ptr [ebp - 0x2bc], 0x7f6992d3
            //   c78548fdffff8c2f4379     | mov    dword ptr [ebp - 0x2b8], 0x79432f8c
            //   c7854cfdffff4e2ab8de     | mov    dword ptr [ebp - 0x2b4], 0xdeb82a4e
            //   c78550fdffff6fd03dac     | mov    dword ptr [ebp - 0x2b0], 0xac3dd06f
            //   c78554fdffff18fdecc4     | mov    dword ptr [ebp - 0x2ac], 0xc4ecfd18
            //   c78558fdffff850d28e7     | mov    dword ptr [ebp - 0x2a8], 0xe7280d85

        $sequence_6 = { c78558feffff10c0aac6 c7855cfeffff489a8471 c78560feffff9cab4ad6 c78564feffff67cf2900 c78568feffff02dbaeb5 c7856cfeffffebe25848 }
            // n = 6, score = 300
            // Overlaps $sequence_2 (first two stores are its last two).
            //   c78558feffff10c0aac6     | mov    dword ptr [ebp - 0x1a8], 0xc6aac010
            //   c7855cfeffff489a8471     | mov    dword ptr [ebp - 0x1a4], 0x71849a48
            //   c78560feffff9cab4ad6     | mov    dword ptr [ebp - 0x1a0], 0xd64aab9c
            //   c78564feffff67cf2900     | mov    dword ptr [ebp - 0x19c], 0x29cf67
            //   c78568feffff02dbaeb5     | mov    dword ptr [ebp - 0x198], 0xb5aedb02
            //   c7856cfeffffebe25848     | mov    dword ptr [ebp - 0x194], 0x4858e2eb

        $sequence_7 = { c745e8a9840ef6 c745ec0d06092a c745f0864886f7 c745f40d010101 c745f805000382 e8???????? }
            // n = 6, score = 300
            // The four stores at [ebp-0x14..-0x8] lay out the DER bytes
            //   0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82
            // i.e. OBJECT IDENTIFIER 1.2.840.113549.1.1.1 (rsaEncryption), NULL
            // parameters, and the start of a BIT STRING (03 82 ..) - the
            // AlgorithmIdentifier/subjectPublicKey boundary of an RSA public key
            // being assembled on the stack. The preceding dword (0xf60e84a9) is not
            // part of that structure, so the surrounding layout is not shown here.
            // This byte run (from c745ec onward) is also $s0 of win_blindingcan_w0.
            //   c745e8a9840ef6       | mov                 dword ptr [ebp - 0x18], 0xf60e84a9
            //   c745ec0d06092a       | mov                 dword ptr [ebp - 0x14], 0x2a09060d
            //   c745f0864886f7       | mov                 dword ptr [ebp - 0x10], 0xf7864886
            //   c745f40d010101       | mov                 dword ptr [ebp - 0xc], 0x101010d
            //   c745f805000382       | mov                 dword ptr [ebp - 8], 0x82030005
            //   e8????????           | call                (rel32 masked)

        $sequence_8 = { 99 f7fe 8bca e8???????? }
            // n = 4, score = 200
            // Generic idiom (signed divide by esi, remainder passed in ecx to a call);
            // carries little family-specific signal on its own.
            //   99                   | cdq                 
            //   f7fe                 | idiv                esi
            //   8bca                 | mov                 ecx, edx
            //   e8????????           | call                (rel32 masked)

        $sequence_9 = { 8bca e8???????? 85c0 7409 e8???????? 85c0 }
            // n = 6, score = 200
            // Generic idiom (two calls with result checks).
            //   8bca                 | mov                 ecx, edx
            //   e8????????           | call                (rel32 masked)
            //   85c0                 | test                eax, eax
            //   7409                 | je                  0xb
            //   e8????????           | call                (rel32 masked)
            //   85c0                 | test                eax, eax

        $sequence_10 = { ff15???????? 4c8b6c2430 ba00040000 488d8db8010000 488d82fefbff7f 4885c0 7417 }
            // n = 7, score = 100
            // x86-64; re-decoded from the bytes (REX.W/REX.R prefixes present):
            //   ff15????????         | call                qword ptr [rip + ?]  (disp32 masked)
            //   4c8b6c2430           | mov                 r13, qword ptr [rsp + 0x30]
            //   ba00040000           | mov                 edx, 0x400
            //   488d8db8010000       | lea                 rcx, [rbp + 0x1b8]
            //   488d82fefbff7f       | lea                 rax, [rdx + 0x7ffffbfe]
            //   4885c0               | test                rax, rax
            //   7417                 | je                  short +0x17

        $sequence_11 = { c7858800000091323bf3 c7858c00000057d4f5dc c78590000000ca0f3f3b c78594000000879d0358 c78598000000a1e40f11 c7859c00000091d87472 c785a000000005d2ecb6 }
            // n = 7, score = 100
            // No REX prefix: this encoding is identical in 32- and 64-bit mode
            // (base register ebp vs rbp). Positive offsets from the frame pointer,
            // unlike $sequence_0..7 which use negative ones.
            //   c7858800000091323bf3     | mov    dword ptr [rbp + 0x88], 0xf33b3291
            //   c7858c00000057d4f5dc     | mov    dword ptr [rbp + 0x8c], 0xdcf5d457
            //   c78590000000ca0f3f3b     | mov    dword ptr [rbp + 0x90], 0x3b3f0fca
            //   c78594000000879d0358     | mov    dword ptr [rbp + 0x94], 0x58039d87
            //   c78598000000a1e40f11     | mov    dword ptr [rbp + 0x98], 0x110fe4a1
            //   c7859c00000091d87472     | mov    dword ptr [rbp + 0x9c], 0x7274d891
            //   c785a000000005d2ecb6     | mov    dword ptr [rbp + 0xa0], 0xb6ecd205

        $sequence_12 = { 4c89642460 488d4580 448821 4889442458 488d05bbf9ffff 4c8d0db0770000 4889442450 }
            // n = 7, score = 100
            // x86-64; the two rip-relative leas tie this to a fixed code/data layout,
            // so the rule is sensitive to relinking of this build.
            //   4c89642460           | mov                 qword ptr [rsp + 0x60], r12
            //   488d4580             | lea                 rax, [rbp - 0x80]
            //   448821               | mov                 byte ptr [rcx], r12b
            //   4889442458           | mov                 qword ptr [rsp + 0x58], rax
            //   488d05bbf9ffff       | lea                 rax, [rip - 0x645]
            //   4c8d0db0770000       | lea                 r9, [rip + 0x77b0]
            //   4889442450           | mov                 qword ptr [rsp + 0x50], rax

        $sequence_13 = { 488b4c2450 488364242000 488d0525860100 488b0cc8 4c8d4c2458 488d542460 498b0c0f }
            // n = 7, score = 100
            // x86-64; rip-relative lea + table lookup [rax + rcx*8].
            //   488b4c2450           | mov                 rcx, qword ptr [rsp + 0x50]
            //   488364242000         | and                 qword ptr [rsp + 0x20], 0
            //   488d0525860100       | lea                 rax, [rip + 0x18625]
            //   488b0cc8             | mov                 rcx, qword ptr [rax + rcx*8]
            //   4c8d4c2458           | lea                 r9, [rsp + 0x58]
            //   488d542460           | lea                 rdx, [rsp + 0x60]
            //   498b0c0f             | mov                 rcx, qword ptr [r15 + rcx]

        $sequence_14 = { ff15???????? bb01000000 6689442452 448d4305 8d4b01 0f28442450 }
            // n = 6, score = 100
            // x86-64; r8d/ecx set up from rbx looks like Win64 argument setup for a
            // following call (not visible in this sequence).
            //   ff15????????         | call                qword ptr [rip + ?]  (disp32 masked)
            //   bb01000000           | mov                 ebx, 1
            //   6689442452           | mov                 word ptr [rsp + 0x52], ax
            //   448d4305             | lea                 r8d, [rbx + 5]
            //   8d4b01               | lea                 ecx, [rbx + 1]
            //   0f28442450           | movaps              xmm0, xmmword ptr [rsp + 0x50]

        $sequence_15 = { ba01000000 4889442420 ff15???????? 85c0 0f84e2000000 217548 }
            // n = 6, score = 100
            // x86-64.
            //   ba01000000           | mov                 edx, 1
            //   4889442420           | mov                 qword ptr [rsp + 0x20], rax
            //   ff15????????         | call                qword ptr [rip + ?]  (disp32 masked)
            //   85c0                 | test                eax, eax
            //   0f84e2000000         | je                  near +0xe2
            //   217548               | and                 dword ptr [rbp + 0x48], esi

    condition:
        // 7 of the 16 sequences; 363520 = 355 * 1024, so only files under 355 KiB
        // are considered (memory dumps / unpacked samples larger than that will not
        // match even if every sequence is present).
        // NOTE(review): only six sequences ($sequence_10, $sequence_12..15) are
        // REX-prefixed x64 code. A 64-bit sample therefore needs at least one of
        // the mode-independent sequences ($sequence_8/9/11 or the c7 85 stores of
        // $sequence_0..7) as well to reach the threshold - confirm against the
        // x64 build if this rule is expected to cover it.
        7 of them and filesize < 363520
}
[TLP:WHITE] win_blindingcan_w0   (20200901 | Detects 32bit HiddenCobra BLINDINGCAN Trojan RAT)
rule win_blindingcan_w0 {
   meta:
       author = "CISA Code & Media Analysis"
       incident = "10135536"
       date = "2018-05-04"
       actor = "Lazarus Group"
       actor_type = "APT"
       category = "malware"
       family = "BLINDINGCAN"
       description = "Detects 32bit HiddenCobra BLINDINGCAN Trojan RAT"
       // 64-hex-digit (SHA-256-length) sample hashes from the CISA MAR cited in `source`.
       hash = "1ee75106a9113b116c54e7a5954950065b809e0bb4dd0a91dc76f778508c7954"
       hash = "7dce6f30e974ed97a3ed024d4c62350f9396310603e185a753b63a1f9a2d5799"
       hash = "96721e13bae587c75618566111675dec2d61f9f5d16e173e69bb42ad7cb2dd8a"
       hash = "f71d67659baf0569143874d5d1c5a4d655c7d296b2e86be1b8f931c2335c0cd3"
       source = "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a"
       malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan"
       malpedia_version = "20200901"
       malpedia_sharing = "TLP:WHITE"
       // Left empty in the Malpedia export (the CISA source does not state one here).
       malpedia_license = ""
   strings:
       // $s0: four 32-bit stores `mov dword ptr [ebp-0x14/-0x10/-0xc/-0x8], imm32`
       // (opcode C7 45 disp8 imm32). Read little-endian, the stored bytes are
       //   0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82
       // = OBJECT IDENTIFIER 1.2.840.113549.1.1.1 (rsaEncryption), NULL params,
       // BIT STRING header: an RSA public key being built on the stack. The same
       // bytes appear inside $sequence_7 of win_blindingcan_auto. Because this is a
       // compiler-shaped store of a standard DER prefix at fixed frame offsets, it is
       // not unique to this family by construction.
       $s0 = { C7 45 EC 0D 06 09 2A C7 45 F0 86 48 86 F7 C7 45 F4 0D 01 01 01 C7 45 F8 05 00 03 82 }
       // $s1: ASCII "PMS*.tmp" - 8 printable bytes, presumably a file-search
       // wildcard for the RAT's temp files (the MAR is the place to confirm).
       $s1 = { 50 4D 53 2A 2E 74 6D 70 }
       // $s2: 24-byte opaque constant; its role is not stated in this rule or the
       // visible references - treat it as a fingerprint, not as a documented key.
       $s2 = { 79 67 60 3C 77 F9 BA 77 7A 56 1B 68 51 26 11 96 B7 98 71 39 82 B0 81 78 }
   condition:
       // NOTE(review): a single hit on any string is enough. $s1 (8 ASCII bytes)
       // and $s0 (generic DER-on-stack pattern) can plausibly occur in unrelated
       // 32-bit binaries, so treat a lone $s0/$s1 hit as lower confidence than a
       // $s2 hit or a multi-string match; a hunting variant would use `2 of them`.
       any of them
}