win.miniblindingcan

miniBlindingCan

aka: AIRDRY.V2, EventHorizon

Actor(s): Lazarus Group


miniBlindingCan is an HTTP(S) orchestrator.

It is a variant of the BlindingCan RAT that keeps the same command-parsing logic but supports only a small subset of the commands available in the original. Its main operations are updating the malware configuration and downloading and executing additional payloads from the attackers' C&C server.

The miniBlindingCan malware was used in Operation DreamJob attacks against aerospace and media companies in Q2-Q3 2022.

References
2023-10-04Virus BulletinPeter Kálnai
Lazarus Campaigns and Backdoors in 2022-23
SimpleTea POOLRAT 3CX Backdoor BLINDINGCAN CLOUDBURST DRATzarus ForestTiger ImprudentCook LambLoad LightlessCan miniBlindingCan PostNapTea SnatchCrypto wAgentTea WebbyTea WinInetLoader
2023-09-29ESET ResearchPeter Kálnai
Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
CLOUDBURST LightlessCan miniBlindingCan sRDI
2022-09-29MicrosoftLinkedIn Threat Prevention and Defense, Microsoft Security Threat Intelligence
ZINC weaponizing open-source software
BLINDINGCAN CLOUDBURST miniBlindingCan
2022-09-14MandiantJames Maclachlan, Mathew Potaczek, Matt Williams, Nino Isakovic, Yash Gupta
It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp
BLINDINGCAN miniBlindingCan sRDI
Yara Rules
[TLP:WHITE] win_miniblindingcan_auto (20230808 | Detects win.miniblindingcan.)
rule win_miniblindingcan_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.miniblindingcan."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.miniblindingcan"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Every byte pattern below carries a REX prefix (0x41, 0x44, 0x45, 0x48,
     *   0x49, 0x4c) or otherwise only decodes sensibly in 64-bit mode, so this
     *   rule targets the x86-64 build of the family. The per-instruction
     *   annotations shipped with the generated rule were 32-bit decodings that
     *   did not correspond to the bytes on the same line (e.g. `48ffc1` was
     *   annotated "inc ecx"; it is `inc rcx`); they have been re-decoded as
     *   x86-64 below. The hex patterns themselves are unchanged.
     * - `????????` wildcards stand for relocatable rel32 / RIP-relative
     *   displacements (call/jmp targets and data references) that differ
     *   between builds and load addresses.
     * - Because the sequences come from unpacked code, the rule is meant for
     *   memory dumps and unpacked files; it will generally not fire on a
     *   packed/encrypted on-disk stage.
     */

    strings:
        // Division-by-255 idiom: mul by 0x80808081 then shr 7 (the compiler's
        // replacement for `x / 255`); the preceding cmp edx, 0xff guards the
        // small-value path.
        $sequence_0 = { 899424b0000000 81faff000000 7c37 b881808080 488bce f7e2 c1ea07 }
            // n = 7, score = 100
            //   899424b0000000       | mov                 dword ptr [rsp + 0xb0], edx
            //   81faff000000         | cmp                 edx, 0xff
            //   7c37                 | jl                  +0x37
            //   b881808080           | mov                 eax, 0x80808081
            //   488bce               | mov                 rcx, rsi
            //   f7e2                 | mul                 edx
            //   c1ea07               | shr                 edx, 7

        // Byte-wise table lookup: a 32-bit word is split into its four bytes
        // (shr 8 / shr 16 / movzx) and one byte indexes a dword table at
        // r12 + 0x20a60. Looks like a table-driven block-cipher or CRC round;
        // which algorithm is not determinable from these bytes alone.
        $sequence_1 = { 8bc6 45338c8c600a0200 c1e808 c1eb08 41c1ea10 0fb6c8 410fb6c0 }
            // n = 7, score = 100
            //   8bc6                 | mov                 eax, esi
            //   45338c8c600a0200     | xor                 r9d, dword ptr [r12 + rcx*4 + 0x20a60]
            //   c1e808               | shr                 eax, 8
            //   c1eb08               | shr                 ebx, 8
            //   41c1ea10             | shr                 r10d, 0x10
            //   0fb6c8               | movzx               ecx, al
            //   410fb6c0             | movzx               eax, r8b

        // Tail of a counted loop (inc rcx / dec r8 / jne back), followed by
        // argument setup for a 3-argument call in the Win64 convention
        // (rcx, rdx, r8).
        $sequence_2 = { 48ffc1 49ffc8 75ed 488b542428 4c8d442420 488bce e8???????? }
            // n = 7, score = 100
            //   48ffc1               | inc                 rcx
            //   49ffc8               | dec                 r8
            //   75ed                 | jne                 -0x13
            //   488b542428           | mov                 rdx, qword ptr [rsp + 0x28]
            //   4c8d442420           | lea                 r8, [rsp + 0x20]
            //   488bce               | mov                 rcx, rsi
            //   e8????????           | call                rel32

        // Loads a dword from [rbx+0x10] into xmm6 and converts it to double
        // (cvtdq2pd), then makes two indirect calls through the IAT with
        // stack buffers as arguments.
        $sequence_3 = { 660f6e7310 488d4c2438 f30fe6f6 ff15???????? 488d542430 488d4c2438 ff15???????? }
            // n = 7, score = 100
            //   660f6e7310           | movd                xmm6, dword ptr [rbx + 0x10]
            //   488d4c2438           | lea                 rcx, [rsp + 0x38]
            //   f30fe6f6             | cvtdq2pd            xmm6, xmm6
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   488d542430           | lea                 rdx, [rsp + 0x30]
            //   488d4c2438           | lea                 rcx, [rsp + 0x38]
            //   ff15????????         | call                qword ptr [rip + disp32]

        // Bounds checks (cmp rax against a stack value / ja; cmp rbp, 0xf /
        // jb) before writing the byte 0xf0 to [rsi] and computing rbp-0xf.
        $sequence_4 = { 483b442420 0f8710040000 4883fd0f 0f82e7030000 488d7df1 c606f0 }
            // n = 6, score = 100
            //   483b442420           | cmp                 rax, qword ptr [rsp + 0x20]
            //   0f8710040000         | ja                  +0x410
            //   4883fd0f             | cmp                 rbp, 0xf
            //   0f82e7030000         | jb                  +0x3e7
            //   488d7df1             | lea                 rdi, [rbp - 0xf]
            //   c606f0               | mov                 byte ptr [rsi], 0xf0

        // Selects one of several RIP-relative data pointers based on ebx and
        // stores it to a global; the compared constant 0x3839 is one of the
        // branch values (its meaning is not derivable from the bytes here).
        $sequence_5 = { 488d0579340000 488905???????? e9???????? 81fb39380000 7513 488d0553340000 488905???????? }
            // n = 7, score = 100
            //   488d0579340000       | lea                 rax, [rip + 0x3479]
            //   488905????????       | mov                 qword ptr [rip + disp32], rax
            //   e9????????           | jmp                 rel32
            //   81fb39380000         | cmp                 ebx, 0x3839
            //   7513                 | jne                 +0x13
            //   488d0553340000       | lea                 rax, [rip + 0x3453]
            //   488905????????       | mov                 qword ptr [rip + disp32], rax

        // Second instance of the mul / shr 7 divide-by-constant idiom, here
        // on ecx inside a loop that advances rsi.
        $sequence_6 = { 48ffc6 448bc1 f7e1 c1ea07 4c89442430 8bc2 }
            // n = 6, score = 100
            //   48ffc6               | inc                 rsi
            //   448bc1               | mov                 r8d, ecx
            //   f7e1                 | mul                 ecx
            //   c1ea07               | shr                 edx, 7
            //   4c89442430           | mov                 qword ptr [rsp + 0x30], r8
            //   8bc2                 | mov                 eax, edx

        // Chained imported-function calls: the result of one call (rax) is
        // stored to a global and passed as the first argument of the next.
        $sequence_7 = { 488bc8 ff15???????? 488d1528a70000 488bce 488905???????? ff15???????? 488bc8 }
            // n = 7, score = 100
            //   488bc8               | mov                 rcx, rax
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   488d1528a70000       | lea                 rdx, [rip + 0xa728]
            //   488bce               | mov                 rcx, rsi
            //   488905????????       | mov                 qword ptr [rip + disp32], rax
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   488bc8               | mov                 rcx, rax

        // Error path: clears bit 1 of a flags dword at [rax+0xc8] and returns
        // -1 (or eax, -1); the second half tests a flag byte at [rbx+0x18]
        // with mask 0x40. The CRT-like shape (FILE flags) is a guess from the
        // offsets only.
        $sequence_8 = { 488b4590 83a0c8000000fd 83c8ff e9???????? 4183cfff f6431840 4c8d0dc50dffff }
            // n = 7, score = 100
            //   488b4590             | mov                 rax, qword ptr [rbp - 0x70]
            //   83a0c8000000fd       | and                 dword ptr [rax + 0xc8], 0xfffffffd
            //   83c8ff               | or                  eax, 0xffffffff
            //   e9????????           | jmp                 rel32
            //   4183cfff             | or                  r15d, 0xffffffff
            //   f6431840             | test                byte ptr [rbx + 0x18], 0x40
            //   4c8d0dc50dffff       | lea                 r9, [rip - 0xf23b]

        // Short, generic fragment (return 1 / zero r9d); 4 bytes of effective
        // pattern, so this sequence on its own is a weak indicator.
        $sequence_9 = { 740a b801000000 e9???????? 4533c9 }
            // n = 4, score = 100
            //   740a                 | je                  +0xa
            //   b801000000           | mov                 eax, 1
            //   e9????????           | jmp                 rel32
            //   4533c9               | xor                 r9d, r9d

    condition:
        // At least 7 of the 10 code sequences must be present, and the scanned
        // object must be smaller than 453632 bytes (0x6EC00). The size bound is
        // derived from the generating sample(s); a larger dump or a sample with
        // appended/overlay data will not match even if all sequences are there.
        // NOTE(review): `filesize` is undefined when YARA scans a live process
        // rather than a file/dump; confirm the scan mode before relying on it.
        7 of them and filesize < 453632
}