Select Page

The United States Cybersecurity and Infrastructure Security Agency (CISA) has published a new report warning companies about a new in-the-wild malware that North Korean hackers are reportedly using to spy on key employees at government contracting companies.

Dubbed ‘BLINDINGCAN,’ the advanced remote access trojan acts as a backdoor when installed on compromised computers.

According to the FBI and CISA, North Korean state-sponsored hackers Lazarus Group, also known as Hidden Cobra, are spreading BLINDINGCAN to “gather intelligence surrounding key military and energy technologies.”

To achieve this, attackers first identify high-value targets, perform extensive research on their social and professional networks, and then pose as recruiters to send malicious documents loaded with the malware, masquerading as job advertisements and offerings.

However, such employment scams and social engineering strategies are not new and were recently spotted being used in another similar cyber espionage campaign by North Korean hackers against Israel’s defence sector.

“They built fake profiles on Linkedin, a social network that is used primarily for job searches in the high-tech sector,” the Israel Ministry of Foreign Affairs said.

“The attackers impersonated managers, CEOs and leading officials in HR departments, as well as representatives of international companies, and contacted employees of leading defence industries in Israel, with the aim of developing discussions and tempting them with various job opportunities.

“In the process of sending the job offers, the attackers attempted to compromise the computers of these employees, to infiltrate their networks and gather sensitive security information. The attackers also attempted to use the official websites of several companies in order to hack their systems.”

The CISA report says that attackers are remotely controlling BLINDINGCAN malware through compromised infrastructure from multiple countries, allowing them to:

  • Retrieve information about all installed disks, including the disk type and the amount of free space on the disk
  • Create, start, and terminate a new process and its primary thread
  • Search, read, write, move, and execute files
  • Get and modify file or directory timestamps
  • Change the current directory for a process or file
  • Delete malware and artefacts associated with the malware from the infected system.

images from Hacker News