The United States Cybersecurity and Infrastructure Security Agency (CISA) published a Malware Analysis Report today detailing malware used by hackers backed by the North Korean government.
The report states that CISA, in conjunction with the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS), identified a remote access trojan (RAT) deployed by the North Korean government-sponsored hacking group that the US government refers to as Hidden Cobra, more widely known as the Lazarus Group or APT38.
The malware variant used by the North Korean threat actors is called BLINDINGCAN. It was deployed together with proxy servers to maintain a presence on victims' systems and to extend network exploitation with its built-in functions.
It is worth noting that just a couple of days ago, the FBI (Federal Bureau of Investigation) and the National Security Agency (NSA) warned that Russian government-backed hackers were using Drovorub malware against Linux systems.
The latest advisory reveals that the threat actors in question lured victims with a fake recruitment campaign posing as job offers from leading defense contractors such as 'the Boeing Company.'
Victims were then led through a lengthy, bogus interview process, at the end of which they received malicious documents carrying the malware.
Those documents were the entry point into victims' computer systems, used to gather intelligence on "key military and energy technologies." In its Malware Analysis Report, CISA wrote that:
CISA received four Microsoft Word Open Extensible Markup Language (XML) documents (.docx) and two Dynamic-Link Libraries (DLLs). The .docx files attempt to connect to external domains for a download. A 32-bit and a 64-bit DLL were submitted that install a 32-bit and a 64-bit DLL named "iconcache.db", respectively. The DLL "iconcache.db" unpacks and executes a variant of Hidden Cobra RAT. It contains built-in functions for remote operations that provide various capabilities on a victim's system.
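As an added triage example (this is not code from CISA or from the article), the Python below checks two of the artifacts the report describes. First, whether a .docx declares any relationship with TargetMode="External", which is the usual way a Word document "attempts to connect to external domains for a download" (a remote attached template); the article does not say which mechanism these samples used, so treating an external relationship as the thing to hunt for is an assumption. Second, whether a file named iconcache.db is really a PE image rather than a cache file, which is how the dropped DLL's masquerading name can be caught on disk. The sample .docx and byte blobs are constructed inline, and the example.invalid URL is a placeholder, not an indicator from the report.

```python
import io
import struct
import zipfile
import xml.etree.ElementTree as ET

# Placeholder only: the real download domains are not on the page.
PLACEHOLDER_URL = "https://example.invalid/template.dotm"

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")


def build_docx(target: str, external: bool) -> bytes:
    """Construct a minimal .docx in memory (sample input, not a real lure).
    With external=True the settings relationships point at a remote
    template, so Word fetches it when the document is opened."""
    rel = (f'<Relationship Id="rId1" Type="{TEMPLATE_TYPE}" Target="{target}"'
           + (' TargetMode="External"' if external else "") + "/>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels",
                   f'<Relationships xmlns="{REL_NS}">{rel}</Relationships>')
    return buf.getvalue()


def external_targets(docx_bytes: bytes) -> list[tuple[str, str]]:
    """Return (rels file, target) for every relationship in the package whose
    TargetMode is External, i.e. a URL or path the document will reach out to.
    Every .rels part is scanned, not just the document's main one."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                continue  # malformed part: leave it for manual review
            for el in root.iter():
                if el.tag.rsplit("}", 1)[-1] != "Relationship":
                    continue
                if el.get("TargetMode", "").lower() == "external":
                    hits.append((name, el.get("Target", "")))
    return hits


def looks_like_pe(data: bytes) -> bool:
    """True if data carries an MZ header whose e_lfanew points at a PE
    signature. A genuine Windows icon cache is not an executable, so an
    iconcache.db that passes this check is a DLL using a borrowed name."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def masquerading_iconcache(filename: str, data: bytes) -> bool:
    """Name-plus-content check for the dropped DLL named in the report."""
    return filename.lower() == "iconcache.db" and looks_like_pe(data)


# Constructed PE stub: MZ header, e_lfanew = 0x40, "PE\0\0" at offset 0x40.
FAKE_PE = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
           + b"PE\x00\x00" + b"\x00" * 20)
# Constructed arbitrary non-PE bytes standing in for a real cache file.
FAKE_CACHE = b"\x7f\x01\x02\x03" + b"\x00" * 60


if __name__ == "__main__":
    print("external:", external_targets(build_docx(PLACEHOLDER_URL, True)))
    print("internal:", external_targets(build_docx("template.dotm", False)))
    print("fake PE  :", masquerading_iconcache("iconcache.db", FAKE_PE))
    print("cache    :", masquerading_iconcache("iconcache.db", FAKE_CACHE))
```

To use it on real samples, pass the bytes of the .docx to external_targets and the bytes of any iconcache.db found outside its normal location to masquerading_iconcache; a file:// or UNC target in the .rels output deserves the same attention as an http(s) one, since it also makes Word reach out on open.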
BLINDINGCAN has a broad set of capabilities. The RAT can retrieve information about all installed disks, the operating system and the processor, and the host's local IP address and media access control (MAC) address.
The most dangerous capabilities are process and file control: it can start and terminate processes, and search, read, write, modify, and execute files, which is what lets the operators run further tooling on the victim's machine.
The North Korean threat actors are notorious, to say the least. Last month, security researchers at Sansec reported that the group might be behind the theft of payment card data from mainstream European and US-based e-commerce sites.
In May 2020, the group was found to have trojanized a macOS two-factor authentication (2FA) app named MinaOTP. The payload gave the attackers remote access: it could execute commands, manage the system's files and processes, proxy traffic, and perform worm-style network scanning.
The group consistently uses tactics like these against companies and government entities to steal sensitive data. For this case, CISA has issued security recommendations that users and administrators alike can apply to strengthen their defenses and limit the impact of an infection.