Cyber Threat Advisory: HIDDEN COBRA: BLINDINGCAN RAT Variants

Date: 21 August 2020

Author: Eric Patterson

TLP:WHITE

 

  1. Executive Summary

On 19 August, the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) released a Malware Analysis Report (MAR) on malware variants, dubbed BLINDINGCAN, used by the North Korean government.[1] Malicious cyber activities associated with the North Korean government are commonly referred to as HIDDEN COBRA.

 

BLINDINGCAN refers to a series of Remote Access Trojan (RAT) variants currently in use by HIDDEN COBRA actors to maintain persistent access inside victim infrastructure. The current target set for this campaign includes government contractors who deal with key military and energy technologies. The threat actors made use of active job postings from contractors of interest as lures to deliver one of the malware variants to the victim. 

 

  2. Analysis: BLINDINGCAN RAT Variants

The MAR describes four Microsoft Word (.docx) documents, delivered as email attachments, that purport to reference open job postings at targeted companies. Each DOCX file contains a series of Extensible Markup Language (XML) files in a directory structure. When the document is opened, it attempts to contact one of two command and control (C2) domains, depending on which file was received:

  • hxxps://agarwalpropertyconsultants[.]com/assets/form/template/img/boeing_ia_cm.jpg
  • hxxps://www[.]anca-aste[.]it/uploads/form/boeing_iacm_logo.jpg
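
The check below is an added example, not code from the MAR or from this advisory. It lists every OOXML relationship in a .docx that points outside the package, assuming the remote fetch described above is expressed as a relationship with TargetMode="External" (the advisory does not say which XML part holds the URL); the function names and the sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TYPES = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MAX_RELS_SIZE = 1 << 20  # skip oversized parts instead of inflating them

def external_targets(docx_bytes):
    """Return (part, relationship kind, target) for each external relationship."""
    # "True file type" check: a genuine .docx is a ZIP container.
    if not docx_bytes.startswith(b"PK\x03\x04"):
        raise ValueError("not a ZIP container, so not a genuine .docx")
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".rels") or info.file_size > MAX_RELS_SIZE:
                continue
            # stdlib parser keeps this dependency-free; prefer defusedxml on a gateway.
            root = ET.fromstring(zf.read(info))
            for rel in root.iter("{%s}Relationship" % NS):
                if rel.get("TargetMode", "").lower() == "external":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((info.filename, kind, rel.get("Target", "")))
    return hits

def needs_review(hits):
    """Hyperlinks are routine; any other remotely loaded part deserves a look."""
    return [h for h in hits if h[1] != "hyperlink"]

def build_sample():
    """Constructed test fixture (not a sample from the report)."""
    rels = (
        f'<Relationships xmlns="{NS}">'
        f'<Relationship Id="rId1" Type="{TYPES}hyperlink" '
        'Target="https://example.org/careers" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{TYPES}image" '
        'Target="https://files.example.invalid/logo.jpg" TargetMode="External"/>'
        "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    for part, kind, target in needs_review(external_targets(build_sample())):
        print(f"{part}: external {kind} -> {target}")
```

Targets returned by `needs_review` can then be compared against the domains named in this advisory or against a local allow-list.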

Depending on the information gathered from the victim’s system, a 32- or 64-bit stage-one UPX-packed DLL payload will be downloaded to the victim machine: d40ad4cd39350d718e189adf45703eb3a3935a7cf8062c20c663bc14d28f78c9 or 0fc12e03ee93d19003b2dd7117a66a3da03bd6177ac6eb396ed52a40be913db6, respectively.

Once installed, the follow-on execution chains appear identical for both the 32- and 64-bit variants. The stage-one payloads decode themselves using a hardcoded 0x59 XOR key, and install and execute the DLL in C:\ProgramData\iconcache.db. Stage-two payloads consist of a secondary 32- or 64-bit UPX-packed DLL run out of C:\ProgramData\iconcache.db. During execution, it decompresses two additional DLL files into memory: one is the HIDDEN COBRA RAT variant, and the other is designed to unmap the DLL from memory. 
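
An added example for triaging the stage-one behavior above, not taken from the MAR: it searches a blob for a structurally valid PE header hidden under a single-byte XOR, and goes beyond the 0x59 key by trying every key. It assumes the embedded DLL is stored XORed byte for byte and that the outer UPX layer has already been unpacked; the function names and the sample blob are constructed.

```python
import struct

PAGE_KEY = 0x59  # hardcoded single-byte XOR key named in the advisory

def xor(data, key):
    return bytes(b ^ key for b in data)

def find_xored_pe(blob, keys=range(1, 256)):
    """Return (offset, key) pairs where a structurally valid PE header
    appears after single-byte XOR. Checks MZ, e_lfanew and the PE signature
    rather than a lone 'MZ' string, which keeps false positives low."""
    hits = []
    for key in keys:
        mz = xor(b"MZ", key)
        pos = blob.find(mz)
        while pos != -1:
            dos = xor(blob[pos:pos + 0x40], key)
            if len(dos) == 0x40:
                e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
                sig = xor(blob[pos + e_lfanew:pos + e_lfanew + 4], key)
                if 0x40 <= e_lfanew < 0x1000 and sig == b"PE\x00\x00":
                    hits.append((pos, key))
            pos = blob.find(mz, pos + 1)
    return hits

def build_sample():
    """Constructed blob: a skeletal PE header (no code) XORed with 0x59 and
    placed after filler bytes, standing in for an encoded embedded payload."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    plain = bytes(dos) + bytes(0x40) + b"PE\x00\x00" + bytes(20)
    return b"\x11" * 37 + xor(plain, PAGE_KEY) + b"\x22" * 16

if __name__ == "__main__":
    for offset, key in find_xored_pe(build_sample()):
        print(f"PE header at offset {offset} under XOR key {key:#04x}")
```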

Both of the HIDDEN COBRA RAT variants decrypt themselves using a different hard-coded AES key before attempting to collect the following system information:

  • Operating system (OS) version information,
  • Processor information,
  • System name,
  • Local IP address information,
  • Media access control (MAC) address, and
  • User-agent string (UAS).

This information will be transmitted to one of two C2 domains: curiofirenze[.]com or automercado[.]co[.]cr. The malware will then craft a series of HTTP POST requests to its C2 using four distinct Base64-encoded parameters that relate to built-in functions capable of being executed on the victim machine. The functions of the malware include: 

  • Retrieve information about all installed disks, including the disk type and the amount of free space on the disk;
  • Create, start, and terminate a new process and its primary thread;
  • Search, read, write, move, and execute files;
  • Get and modify file or directory timestamps;
  • Change the current directory for a process or file; and
  • Delete malware and artifacts associated with the malware from the infected system.

  3. Prevention and Mitigation

The Cybersecurity and Infrastructure Security Agency (CISA) recommends the following mitigation techniques to defend against BLINDINGCAN. CISA also recommends that any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

  4. Indicators of Compromise

Endnotes

  1. https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a