win.blindingcan

BLINDINGCAN

aka: DRATzarus RAT

Actor(s): Lazarus Group


According to SentinelOne, this RAT can collect and transmit a defined set of host and system information, create, terminate and manipulate processes and files, and can update and delete itself.

References
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Ransomware Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Ransomware Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2020-12-15HvS-Consulting AGHvS-Consulting AG
@techreport{ag:20201215:greetings:a5b59d9, author = {HvS-Consulting AG}, title = {{Greetings from Lazarus Anatomy of a cyber espionage campaign}}, date = {2020-12-15}, institution = {HvS-Consulting AG}, url = {https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf}, language = {English}, urldate = {2020-12-16} } Greetings from Lazarus Anatomy of a cyber espionage campaign
BLINDINGCAN MimiKatz
2020-12-15HvS-Consulting AGHvS-Consulting AG
@online{ag:20201215:greetings:452ef44, author = {HvS-Consulting AG}, title = {{Greetings from Lazarus: Anatomy of a cyber espionage campaign}}, date = {2020-12-15}, organization = {HvS-Consulting AG}, url = {https://www.hvs-consulting.de/lazarus-report/}, language = {English}, urldate = {2021-01-21} } Greetings from Lazarus: Anatomy of a cyber espionage campaign
BLINDINGCAN MimiKatz Lazarus Group
2020-09-29JPCERT/CCShusei Tomonaga
@online{tomonaga:20200929:blindingcan:a85ca22, author = {Shusei Tomonaga}, title = {{BLINDINGCAN - Malware Used by Lazarus}}, date = {2020-09-29}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html}, language = {English}, urldate = {2020-10-02} } BLINDINGCAN - Malware Used by Lazarus
BLINDINGCAN Lazarus Group
2020-08-31SentinelOneJim Walter
@online{walter:20200831:blindingcan:cdb0ffc, author = {Jim Walter}, title = {{The BLINDINGCAN RAT and Malicious North Korean Activity}}, date = {2020-08-31}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/the-blindingcan-rat-and-malicious-north-korean-activity/}, language = {English}, urldate = {2020-09-01} } The BLINDINGCAN RAT and Malicious North Korean Activity
BLINDINGCAN
2020-08-19US-CERTUS-CERT
@online{uscert:20200819:malware:63a2025, author = {US-CERT}, title = {{Malware Analysis Report (AR20-232A)}}, date = {2020-08-19}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a}, language = {English}, urldate = {2020-09-01} } Malware Analysis Report (AR20-232A)
Bankshot BLINDINGCAN
Yara Rules
[TLP:WHITE] win_blindingcan_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_blindingcan_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - The rule carries 16 byte sequences. $sequence_0..$sequence_8 are plain
     *   32-bit x86 and all carry score = 300; $sequence_9..$sequence_15 start
     *   with REX prefixes (0x40-0x4f) and so appear to be x64 code, and carry
     *   score = 100. The score presumably reflects how many reference samples
     *   contained the sequence (confirm against the yara-signator docs).
     * - Consequence for the condition "7 of them": a 64-bit sample can only
     *   ever satisfy the seven x64 sequences, so every one of them must hit.
     *   Coverage of the x64 variant is therefore brittle; treat a near-miss
     *   (e.g. 5-6 x64 hits) as worth a manual look rather than a clean miss.
     * - The "????????" wildcards stand in for rel32/imm32 operands of call,
     *   jmp, push and RIP-relative loads, i.e. values that change with layout
     *   or relocation. Do not tighten them without re-checking across samples.
     * - The per-instruction disassembly comments shipped with the original
     *   rule were shifted relative to the sequences they annotate (for
     *   example, the annotation printed under $sequence_0 actually decodes
     *   $sequence_6, and the x64 sequences were annotated in 32-bit mode).
     *   They have been re-derived by hand from the listed bytes below -
     *   32-bit mode for $sequence_0..8, 64-bit mode for $sequence_9..15.
     *   Re-verify with a disassembler before relying on any single line.
     * - Many sequences are runs of "mov dword ptr [ebp-X], imm32" writing
     *   32-bit constants onto the stack. Such immediates are easy for an
     *   operator to rotate between builds, so expect these strings to age
     *   faster than the control-flow sequences ($sequence_2/4/5/8/11/15).
     */

    strings:
        $sequence_0 = { c7458cb6293481 c745902cab593c c74594a5337503 c745983e2c2bef c7459c506c3615 }
            // n = 5, score = 300
            //   c7458cb6293481       | mov                 dword ptr [ebp - 0x74], 0x813429b6
            //   c745902cab593c       | mov                 dword ptr [ebp - 0x70], 0x3c59ab2c
            //   c74594a5337503       | mov                 dword ptr [ebp - 0x6c], 0x37533a5
            //   c745983e2c2bef       | mov                 dword ptr [ebp - 0x68], 0xef2b2c3e
            //   c7459c506c3615       | mov                 dword ptr [ebp - 0x64], 0x15366c50

        $sequence_1 = { c785d8fcffffd30dedae c785dcfcffff955ef1b3 c785e0fcfffff682fbb9 c785e4fcffff47fc3c28 c785e8fcffffccc9d015 }
            // n = 5, score = 300
            //   c785d8fcffffd30dedae     | mov    dword ptr [ebp - 0x328], 0xaeed0dd3
            //   c785dcfcffff955ef1b3     | mov    dword ptr [ebp - 0x324], 0xb3f15e95
            //   c785e0fcfffff682fbb9     | mov    dword ptr [ebp - 0x320], 0xb9fb82f6
            //   c785e4fcffff47fc3c28     | mov    dword ptr [ebp - 0x31c], 0x283cfc47
            //   c785e8fcffffccc9d015     | mov    dword ptr [ebp - 0x318], 0x15d0c9cc

        $sequence_2 = { 83f810 7d10 68???????? 57 ff15???????? 85c0 }
            // n = 6, score = 300
            //   83f810               | cmp                 eax, 0x10
            //   7d10                 | jge                 0x12
            //   68????????           | push                imm32 (wildcarded)
            //   57                   | push                edi
            //   ff15????????         | call                dword ptr [imm32] (wildcarded import thunk)
            //   85c0                 | test                eax, eax

        $sequence_3 = { c785f4fdffff7f5e6709 c785f8fdffff288adf2f c785fcfdffff5d1156b7 c78500feffff88551230 c78504feffff51456b07 c78508feffff788f2ba1 c7850cfeffff02c729c1 }
            // n = 7, score = 300
            //   c785f4fdffff7f5e6709     | mov    dword ptr [ebp - 0x20c], 0x9675e7f
            //   c785f8fdffff288adf2f     | mov    dword ptr [ebp - 0x208], 0x2fdf8a28
            //   c785fcfdffff5d1156b7     | mov    dword ptr [ebp - 0x204], 0xb756115d
            //   c78500feffff88551230     | mov    dword ptr [ebp - 0x200], 0x30125588
            //   c78504feffff51456b07     | mov    dword ptr [ebp - 0x1fc], 0x76b4551
            //   c78508feffff788f2ba1     | mov    dword ptr [ebp - 0x1f8], 0xa12b8f78
            //   c7850cfeffff02c729c1     | mov    dword ptr [ebp - 0x1f4], 0xc129c702

        $sequence_4 = { 4e e9???????? 6aff ff15???????? 57 }
            // n = 5, score = 300
            //   4e                   | dec                 esi
            //   e9????????           | jmp                 rel32 (wildcarded)
            //   6aff                 | push                -1
            //   ff15????????         | call                dword ptr [imm32] (wildcarded import thunk)
            //   57                   | push                edi

        $sequence_5 = { 8bc1 99 f7fb 888c0dfcfeffff 41 }
            // n = 5, score = 300
            //   8bc1                 | mov                 eax, ecx
            //   99                   | cdq
            //   f7fb                 | idiv                ebx
            //   888c0dfcfeffff       | mov                 byte ptr [ebp + ecx - 0x104], cl
            //   41                   | inc                 ecx

        $sequence_6 = { c745b08c5fbadf c745b4e13300b2 c745b8ae845aa6 c745bc859d0981 c745c0dca79da5 c745c4b57892dd c745c84c5ef41d }
            // n = 7, score = 300
            //   c745b08c5fbadf       | mov                 dword ptr [ebp - 0x50], 0xdfba5f8c
            //   c745b4e13300b2       | mov                 dword ptr [ebp - 0x4c], 0xb20033e1
            //   c745b8ae845aa6       | mov                 dword ptr [ebp - 0x48], 0xa65a84ae
            //   c745bc859d0981       | mov                 dword ptr [ebp - 0x44], 0x81099d85
            //   c745c0dca79da5       | mov                 dword ptr [ebp - 0x40], 0xa59da7dc
            //   c745c4b57892dd       | mov                 dword ptr [ebp - 0x3c], 0xdd9278b5
            //   c745c84c5ef41d       | mov                 dword ptr [ebp - 0x38], 0x1df45e4c

        $sequence_7 = { c745a4a603ff93 c745a8ef9300aa c745ac84b1df57 c745b0c8cbfee9 c745b4567e337f }
            // n = 5, score = 300
            //   c745a4a603ff93       | mov                 dword ptr [ebp - 0x5c], 0x93ff03a6
            //   c745a8ef9300aa       | mov                 dword ptr [ebp - 0x58], 0xaa0093ef
            //   c745ac84b1df57       | mov                 dword ptr [ebp - 0x54], 0x57dfb184
            //   c745b0c8cbfee9       | mov                 dword ptr [ebp - 0x50], 0xe9fecbc8
            //   c745b4567e337f       | mov                 dword ptr [ebp - 0x4c], 0x7f337e56

        $sequence_8 = { f7fe 8bca e8???????? 85c0 7409 e8???????? 85c0 }
            // n = 7, score = 200
            //   f7fe                 | idiv                esi
            //   8bca                 | mov                 ecx, edx
            //   e8????????           | call                rel32 (wildcarded)
            //   85c0                 | test                eax, eax
            //   7409                 | je                  0xb
            //   e8????????           | call                rel32 (wildcarded)
            //   85c0                 | test                eax, eax

        $sequence_9 = { 448b4008 488d500c 4c896c2420 ff15???????? 488b0d???????? }
            // n = 5, score = 100   (x64 mode)
            //   448b4008             | mov                 r8d, dword ptr [rax + 8]
            //   488d500c             | lea                 rdx, [rax + 0xc]
            //   4c896c2420           | mov                 qword ptr [rsp + 0x20], r13
            //   ff15????????         | call                qword ptr [rip + disp32] (wildcarded)
            //   488b0d????????       | mov                 rcx, qword ptr [rip + disp32] (wildcarded)

        $sequence_10 = { 4c8d4df0 488d15c2660100 488d8d00020000 4533c0 ff15???????? 488bcf ff15???????? }
            // n = 7, score = 100   (x64 mode)
            //   4c8d4df0             | lea                 r9, [rbp - 0x10]
            //   488d15c2660100       | lea                 rdx, [rip + 0x166c2]
            //   488d8d00020000       | lea                 rcx, [rbp + 0x200]
            //   4533c0               | xor                 r8d, r8d
            //   ff15????????         | call                qword ptr [rip + disp32] (wildcarded)
            //   488bcf               | mov                 rcx, rdi
            //   ff15????????         | call                qword ptr [rip + disp32] (wildcarded)

        $sequence_11 = { 1bff f7df ffcf e9???????? ba04010000 }
            // n = 5, score = 100   (x64 mode; no REX needed, same bytes in 32-bit)
            //   1bff                 | sbb                 edi, edi
            //   f7df                 | neg                 edi
            //   ffcf                 | dec                 edi
            //   e9????????           | jmp                 rel32 (wildcarded)
            //   ba04010000           | mov                 edx, 0x104

        $sequence_12 = { 4533848410c70100 400fb6c6 4533848410cb0100 4533454c 418bc0 c1e810 }
            // n = 6, score = 100   (x64 mode)
            //   4533848410c70100     | xor                 r8d, dword ptr [r12 + rax*4 + 0x1c710]
            //   400fb6c6             | movzx               eax, sil
            //   4533848410cb0100     | xor                 r8d, dword ptr [r12 + rax*4 + 0x1cb10]
            //   4533454c             | xor                 r8d, dword ptr [r13 + 0x4c]
            //   418bc0               | mov                 eax, r8d
            //   c1e810               | shr                 eax, 0x10

        $sequence_13 = { c1e808 0fb6d0 8bc3 458b9c9410c70100 c1e818 0fb6c8 }
            // n = 6, score = 100   (x64 mode)
            //   c1e808               | shr                 eax, 8
            //   0fb6d0               | movzx               edx, al
            //   8bc3                 | mov                 eax, ebx
            //   458b9c9410c70100     | mov                 r11d, dword ptr [r12 + rdx*4 + 0x1c710]
            //   c1e818               | shr                 eax, 0x18
            //   0fb6c8               | movzx               ecx, al

        $sequence_14 = { 339c8d10bf0100 418bc3 c1e810 0fb6c8 410fb6c1 }
            // n = 5, score = 100   (x64 mode)
            //   339c8d10bf0100       | xor                 ebx, dword ptr [rbp + rcx*4 + 0x1bf10]
            //   418bc3               | mov                 eax, r11d
            //   c1e810               | shr                 eax, 0x10
            //   0fb6c8               | movzx               ecx, al
            //   410fb6c1             | movzx               eax, r9b

        $sequence_15 = { 488d05bc230100 4c3bd0 7405 e8???????? }
            // n = 4, score = 100   (x64 mode)
            //   488d05bc230100       | lea                 rax, [rip + 0x123bc]
            //   4c3bd0               | cmp                 r10, rax
            //   7405                 | je                  0x7
            //   e8????????           | call                rel32 (wildcarded)

    condition:
        // 7 of the 16 sequences must match; see REVIEW NOTES for why this
        // leaves no slack for 64-bit samples. 363520 bytes = 355 KiB; this
        // cap is only meaningful on file scans - `filesize` is not defined
        // for process-memory scans, so check how your scanner evaluates the
        // conjunction there before relying on this rule for memory hunting.
        7 of them and filesize < 363520
}
[TLP:WHITE] win_blindingcan_w0   (20200901 | Detects 32bit HiddenCobra BLINDINGCAN Trojan RAT)
rule win_blindingcan_w0 {
   meta:
       author = "CISA Code & Media Analysis"
       incident = "10135536"
       // NOTE(review): this date predates the public AR20-232A report
       // (2020-08-19) by two years; presumably the analysis date for the
       // incident above rather than the publication date - not verified.
       date = "2018-05-04"
       actor = "Lazarus Group"
       actor_type = "APT"
       category = "malware"
       family = "BLINDINGCAN"
       description = "Detects 32bit HiddenCobra BLINDINGCAN Trojan RAT"
       // SHA-256 of the four samples the rule was written against; use them
       // to corroborate a hit that fires on a single weak string (see $s1).
       hash = "1ee75106a9113b116c54e7a5954950065b809e0bb4dd0a91dc76f778508c7954"
       hash = "7dce6f30e974ed97a3ed024d4c62350f9396310603e185a753b63a1f9a2d5799"
       hash = "96721e13bae587c75618566111675dec2d61f9f5d16e173e69bb42ad7cb2dd8a"
       hash = "f71d67659baf0569143874d5d1c5a4d655c7d296b2e86be1b8f931c2335c0cd3"
       source = "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a"
       malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan"
       malpedia_version = "20200901"
       malpedia_sharing = "TLP:WHITE"
       // Left empty in the upstream entry; the source report itself is
       // distributed as TLP:WHITE (see malpedia_sharing above).
       malpedia_license = ""
   strings:
       // $s0: four consecutive 32-bit stack stores
       //   mov dword ptr [ebp-0x14], 0x2a09060d
       //   mov dword ptr [ebp-0x10], 0xf7864886
       //   mov dword ptr [ebp-0x0c], 0x0101010d
       //   mov dword ptr [ebp-0x08], 0x82030005
       // whose immediates, read back as bytes, are
       //   0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82
       // i.e. the DER prefix "SEQUENCE(len 0x0D) { OID 1.2.840.113549.1.1.1
       // (rsaEncryption), NULL } BIT STRING(len 0x82 xx xx)" of an RSA
       // SubjectPublicKeyInfo. The sample assembles an RSA public-key header on
       // the stack (consistent with an embedded key for its C2 traffic, but
       // that use is not shown here). Specific to this code shape and to
       // 32-bit ebp-relative frames; other stack-built RSA headers could also
       // match, though the exact frame offsets make that unlikely.
       $s0 = { C7 45 EC 0D 06 09 2A C7 45 F0 86 48 86 F7 C7 45 F4 0D 01 01 01 C7 45 F8 05 00 03 82 }
       // $s1: ASCII "PMS*.tmp" - an 8-byte printable string that looks like a
       // file-name glob (its use is not shown in this rule). Short and
       // printable, so it is the most false-positive-prone of the three; do
       // not treat a hit on $s1 alone as high confidence.
       $s1 = { 50 4D 53 2A 2E 74 6D 70 }
       // $s2: 24 opaque bytes with no interpretation given in the source
       // report (likely a data constant or key material - unverified).
       $s2 = { 79 67 60 3C 77 F9 BA 77 7A 56 1B 68 51 26 11 96 B7 98 71 39 82 B0 81 78 }
   condition:
       // Any single string fires the rule. Nothing here constrains the file
       // type or architecture despite the "32bit" in the description, so on
       // broad scans expect occasional hits driven only by $s1; triage those
       // against $s0/$s2 and the hashes in meta rather than alerting directly.
       any of them
}