US Reveals New North Korean BLINDINGCAN RAT


The US government is warning of a new remote access trojan (RAT) being used by North Korea’s notorious Lazarus Group.

The latest Department of Homeland Security (DHS) malware analysis report (MAR) is the product of a joint investigation by the DHS's Cybersecurity and Infrastructure Security Agency (CISA) and the FBI.

Named “BLINDINGCAN,” the RAT was used by Lazarus (aka Hidden Cobra) earlier this year to target government contractors for intelligence on “key military and energy technologies,” according to the report.

“The malicious documents employed in this campaign used job postings from leading defense contractors as lures and installed a data gathering implant on a victim's system. This campaign utilized compromised infrastructure from multiple countries to host its command and control (C2) infrastructure and distribute implants to a victim's system,” it added.

“CISA and FBI are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber-activity.”

The report urged any users or admins who spot activity associated with the RAT to report it to CISA or the FBI’s CyWatch immediately and to prioritize mitigation.

Among the best practices CISA recommended for organizations were up-to-date antivirus and operating systems, strong password policies, monitoring of users’ web browsing, access control lists, disabling unneeded file and printer sharing services, improved phishing awareness and more.

North Korean state-sponsored hackers have become increasingly belligerent, prompting a flurry of alerts from US government agencies.

An April advisory warned organizations to be on the lookout for crypto-jacking, extortion campaigns, cyber-enabled financial theft and money-laundering scams.

Meanwhile, a US Army report from last month claimed that many of Pyongyang’s elite Cyber Warfare Guidance Unit operatives are actually working from outside the hermit state, in countries such as Belarus, China, India, Russia and Malaysia.
