BLINDINGCAN is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US.[1][2]

ID: S0520
Platforms: Windows
Contributors: Daniyal Naeem, BT Security
Version: 1.0
Created: 27 October 2020
Last Modified: 17 March 2021

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

BLINDINGCAN has used HTTPS over port 443 for command and control.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

BLINDINGCAN has executed commands via cmd.exe.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

BLINDINGCAN has encoded its C2 traffic with Base64.[1]

Enterprise T1005 Data from Local System

BLINDINGCAN has uploaded files from victim machines.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

BLINDINGCAN has used AES and XOR to decrypt its DLLs.[1]
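The XOR layer in the row above is the one an analyst usually strips first. The example below is added here and is not BLINDINGCAN's code or the CISA report's: it recovers a repeating XOR key from an encrypted DLL by using the 32 reserved bytes of the DOS header (offsets 0x1C to 0x3B, zero in a normally built PE) as known plaintext, then validates the candidate by checking the `MZ` and `PE\0\0` signatures. The sample "dropped DLL" and the 5-byte key are constructed for the demonstration; the AES layer the page also mentions is not covered.

```python
import struct
from typing import Optional


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check: 'MZ' at 0 and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(blob: bytes, max_keylen: int = 32) -> Optional[bytes]:
    """Known-plaintext key recovery against an XOR-encrypted PE image.

    Offsets 0x1C..0x3B of a standard DOS header (e_res, e_oemid, e_oeminfo,
    e_res2) are zero, so ciphertext bytes there equal the key stream. For any
    key length up to 32 every key index appears in that window; we read the
    key out of it, decrypt, and keep the first length whose result is a PE.
    Caveat: a sample with a stripped or nonstandard DOS stub breaks this.
    """
    for keylen in range(1, max_keylen + 1):
        # offset o in the zero window with o % keylen == k
        key = bytes(blob[0x1C + ((k - 0x1C) % keylen)] for k in range(keylen))
        if looks_like_pe(xor_repeating(blob, key)):
            return key
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for a dropped DLL: DOS header + PE signature + filler."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<H", dos, 0x02, 0x90)      # e_cblp, as in a typical stub
    struct.pack_into("<H", dos, 0x04, 0x03)      # e_cp
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew -> NT headers follow
    return bytes(dos) + b"PE\x00\x00" + bytes(20)


# Hypothetical key; nothing on the page states BLINDINGCAN's actual key.
DEMO_KEY = b"\x13\x37\xc0\xde\x42"


def demo() -> bytes:
    """Encrypt the constructed DLL, then recover the key from the ciphertext alone."""
    encrypted = xor_repeating(build_fake_pe(), DEMO_KEY)
    recovered = recover_xor_key(encrypted)
    assert recovered is not None, "no key length up to 32 produced a PE"
    return recovered


if __name__ == "__main__":
    print("recovered key:", demo().hex())
```

On a real sample the input would be the encrypted blob read from disk or carved from the dropper; if `recover_xor_key` returns `None`, either the key is longer than 32 bytes or the stub is nonstandard, and the AES layer (if applied on top) has to be removed first.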

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

BLINDINGCAN has encrypted its C2 traffic with RC4.[1]
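Together, the T1132.001 row (Base64) and the T1573.001 row (RC4) describe what a captured POST body looks like and how to get back to the plaintext. The decoder below is an added example, not code from BLINDINGCAN or the cited reports: it implements RC4 inline so it runs offline, assumes the implant encrypts first and Base64-encodes second (the page does not state the order), and uses a hypothetical key and a constructed beacon built from the host fields the page lists under T1082 and T1016.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA). Encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_c2(plaintext: bytes, key: bytes) -> str:
    """Implant side (assumed order): RC4-encrypt, then Base64 the body."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decode_c2(body: str, key: bytes) -> bytes:
    """Analyst side: strict Base64 decode, then RC4 with the recovered key."""
    return rc4(key, base64.b64decode(body, validate=True))


def looks_plausible(data: bytes) -> bool:
    """Quick key-check: a wrong RC4 key yields bytes spread over 0..255, not text."""
    return len(data) > 0 and all(0x20 <= b < 0x7F for b in data)


# Hypothetical key; a real one would be recovered from the sample's configuration.
KEY = b"example-rc4-key"

# Constructed beacon body with the kind of host data the page lists.
SAMPLE_BEACON = b"host=WS01;os=10.0.19041;ip=10.0.0.5;mac=00-11-22-33-44-55;free=52GB"
SAMPLE_BODY = encode_c2(SAMPLE_BEACON, KEY)


if __name__ == "__main__":
    print("POST body :", SAMPLE_BODY)
    print("decoded   :", decode_c2(SAMPLE_BODY, KEY))
    print("wrong key :", looks_plausible(decode_c2(SAMPLE_BODY, b"wrong")))
```

`looks_plausible` is the check to run when brute-forcing candidate keys out of a config blob: RC4 with the wrong key gives no error, only noise, so the decoder has to judge the output itself.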

Enterprise T1041 Exfiltration Over C2 Channel

BLINDINGCAN has sent user and system information to a C2 server via HTTP POST requests.[2][1]

Enterprise T1083 File and Directory Discovery

BLINDINGCAN can search, read, write, move, and execute files.[1][2]

Enterprise T1070 .004 Indicator Removal: File Deletion

BLINDINGCAN has deleted itself and associated artifacts from victim machines.[1]

.006 Indicator Removal: Timestomp

BLINDINGCAN has modified file and directory timestamps.[1][2]

Enterprise T1105 Ingress Tool Transfer

BLINDINGCAN has downloaded files to a victim machine.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

BLINDINGCAN has attempted to hide its payload by using legitimate file names such as "iconcache.db".[1]

Enterprise T1027 Obfuscated Files or Information

BLINDINGCAN has obfuscated code using Base64 encoding.[1]

.002 Software Packing

BLINDINGCAN has been packed with the UPX packer.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

BLINDINGCAN has been delivered by phishing emails containing malicious Microsoft Office documents.[1]

Enterprise T1129 Shared Modules

BLINDINGCAN has loaded and executed DLLs in memory during runtime on a victim machine.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

BLINDINGCAN has been signed with code-signing certificates such as CodeRipper.[1]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

BLINDINGCAN has used Rundll32 to load a malicious DLL.[1]
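The Rundll32 row and the T1036.005 row (a payload named "iconcache.db") combine into one detection: rundll32.exe asked to load a module that is not a .dll, or that sits outside trusted program directories. The code below is an added example, not a detection from the page or its sources. It runs over constructed process-creation records in a simplified `key=value|key=value` line format (a stand-in for Sysmon Event ID 1 fields); the command lines and paths are invented for the demonstration.

```python
import re
from typing import Iterable, List, Tuple

TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# rundll32.exe <module>[,EntryPoint] [args]; the module may be quoted.
_RUNDLL_RE = re.compile(r'^\s*"?[^"\s]*rundll32(?:\.exe)?"?\s+("([^"]+)"|(\S+))', re.I)


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' process-creation record."""
    fields = {}
    for part in line.strip().split("|"):
        k, _, v = part.partition("=")
        fields[k.strip()] = v.strip()
    return fields


def module_from_cmdline(cmdline: str) -> str:
    """Return the module rundll32 was told to load (first argument), or ''."""
    m = _RUNDLL_RE.match(cmdline)
    if not m:
        return ""
    module = m.group(2) or m.group(3)
    return module.split(",", 1)[0].strip('"')


def assess(event: dict) -> List[str]:
    """Reasons this event looks like rundll32 proxy-loading a dropped payload."""
    reasons: List[str] = []
    if not event.get("Image", "").lower().endswith("\\rundll32.exe"):
        return reasons
    module = module_from_cmdline(event.get("CommandLine", ""))
    if not module:
        return reasons
    low = module.lower()
    # Bare names (shell32.dll) resolve via the search path; only judge full paths.
    if "\\" in low and not low.startswith(TRUSTED_DIRS):
        reasons.append(f"module outside trusted directories: {module}")
    if any(hint in low for hint in USER_WRITABLE_HINTS):
        reasons.append("module in user-writable location")
    if not low.endswith(".dll"):
        reasons.append(f"module extension is not .dll: {module.rsplit('.', 1)[-1]}")
    return reasons


def scan(lines: Iterable[str]) -> List[Tuple[dict, List[str]]]:
    """Return (event, reasons) for every record that trips at least one check."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = assess(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed records: one benign Control Panel launch, one suspicious load
# of a non-.dll file from a user-writable path, one unrelated process.
SAMPLE_LOG = [
    r'EventID=1|Image=C:\Windows\System32\rundll32.exe|CommandLine="C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL appwiz.cpl|ParentImage=C:\Windows\explorer.exe',
    r'EventID=1|Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe C:\Users\Public\iconcache.db,Run|ParentImage=C:\Windows\System32\cmd.exe',
    r'EventID=1|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe C:\Users\alice\notes.txt|ParentImage=C:\Windows\explorer.exe',
]


if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_LOG):
        print(ev["CommandLine"])
        for r in reasons:
            print("  -", r)
```

The extension check is the one that catches the masquerade: a file named like a cache database is still a PE if rundll32 loads it, and rundll32 does not care about the extension. Tune `TRUSTED_DIRS` to the environment and expect some noise from installers that legitimately stage DLLs under `%TEMP%`.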

Enterprise T1082 System Information Discovery

BLINDINGCAN has collected from a victim machine the system name, processor information, OS version, and disk information, including type and free space available.[1]

Enterprise T1016 System Network Configuration Discovery

BLINDINGCAN has collected the victim machine's local IP address information and MAC address.[1]

Enterprise T1204 .002 User Execution: Malicious File

BLINDINGCAN has lured victims into executing malicious macros embedded within Microsoft Office documents.[1]

Groups That Use This Software

ID Name References
G0032 Lazarus Group