
S0520 BLINDINGCAN

BLINDINGCAN is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US. [1][2]

ID: S0520
Associated Names:
Type: MALWARE
Version: 1.0
Created: 27 October 2020
Last Modified: 17 March 2021

Techniques Used

Domain | ID | Name | Use
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | BLINDINGCAN has used HTTPS over port 443 for command and control. [1]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.003 | Windows Command Shell | BLINDINGCAN has executed commands via cmd.exe. [1]
enterprise | T1132 | Data Encoding | -
enterprise | T1132.001 | Standard Encoding | BLINDINGCAN has encoded its C2 traffic with Base64. [1]
enterprise | T1005 | Data from Local System | BLINDINGCAN has uploaded files from victim machines. [1]
enterprise | T1140 | Deobfuscate/Decode Files or Information | BLINDINGCAN has used AES and XOR to decrypt its DLLs. [1]
enterprise | T1573 | Encrypted Channel | -
enterprise | T1573.001 | Symmetric Cryptography | BLINDINGCAN has encrypted its C2 traffic with RC4. [1]
enterprise | T1041 | Exfiltration Over C2 Channel | BLINDINGCAN has sent user and system information to a C2 server via HTTP POST requests. [2][1]
enterprise | T1083 | File and Directory Discovery | BLINDINGCAN can search, read, write, move, and execute files. [1][2]
enterprise | T1070 | Indicator Removal | -
enterprise | T1070.004 | File Deletion | BLINDINGCAN has deleted itself and associated artifacts from victim machines. [1]
enterprise | T1070.006 | Timestomp | BLINDINGCAN has modified file and directory timestamps. [1][2]
enterprise | T1105 | Ingress Tool Transfer | BLINDINGCAN has downloaded files to a victim machine. [1]
enterprise | T1036 | Masquerading | -
enterprise | T1036.005 | Match Legitimate Name or Location | BLINDINGCAN has attempted to hide its payload by using legitimate file names such as “iconcache.db”. [1]
enterprise | T1027 | Obfuscated Files or Information | BLINDINGCAN has obfuscated code using Base64 encoding. [1]
enterprise | T1027.002 | Software Packing | BLINDINGCAN has been packed with the UPX packer. [1]
enterprise | T1566 | Phishing | -
enterprise | T1566.001 | Spearphishing Attachment | BLINDINGCAN has been delivered by phishing emails containing malicious Microsoft Office documents. [1]
enterprise | T1129 | Shared Modules | BLINDINGCAN has loaded and executed DLLs in memory during runtime on a victim machine. [1]
enterprise | T1553 | Subvert Trust Controls | -
enterprise | T1553.002 | Code Signing | BLINDINGCAN has been signed with code-signing certificates such as CodeRipper. [1]
enterprise | T1218 | System Binary Proxy Execution | -
enterprise | T1218.011 | Rundll32 | BLINDINGCAN has used Rundll32 to load a malicious DLL. [1]
enterprise | T1082 | System Information Discovery | BLINDINGCAN has collected from a victim machine the system name, processor information, OS version, and disk information, including type and free space available. [1]
enterprise | T1016 | System Network Configuration Discovery | BLINDINGCAN has collected the victim machine’s local IP address information and MAC address. [1]
enterprise | T1204 | User Execution | -
enterprise | T1204.002 | Malicious File | BLINDINGCAN has lured victims into executing malicious macros embedded within Microsoft Office documents. [1]
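The Data Encoding (T1132.001) and Encrypted Channel (T1573.001) rows together describe a C2 body that is RC4-encrypted and Base64-encoded. The following is an added analyst-side example, not code from the ATT&CK page or from any BLINDINGCAN sample: it implements RC4 from the specification, assumes the layering is RC4 first and Base64 on the outside (the page does not state the order), and uses a hypothetical key and a constructed beacon body. The real key and layering must be recovered from the sample under analysis; nothing here is a published BLINDINGCAN key.

```python
import base64
import binascii
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield RC4 keystream bytes for `key` (KSA followed by PRGA)."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                                # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def encode_c2(key: bytes, plaintext: bytes) -> str:
    """Implant side under the assumed layering: RC4, then Base64 for the HTTP body."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decode_c2(key: bytes, body: str) -> bytes:
    """Analyst side: strip Base64, then RC4-decrypt. Rejects bodies that are not valid Base64."""
    try:
        raw = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not standard Base64: {exc}") from exc
    return rc4(key, raw)


def looks_like_plaintext(data: bytes, threshold: float = 0.95) -> bool:
    """Cheap check when trying candidate keys pulled from a sample: RC4 carries no
    integrity tag, so a wrong key yields random-looking bytes rather than an error."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t")
    return printable / len(data) >= threshold


if __name__ == "__main__":
    # Hypothetical key and a constructed beacon shaped like the "user and system
    # information" the page says BLINDINGCAN POSTs; neither comes from a real sample.
    KEY = b"hypothetical-key"
    beacon = b"host=WS-ALICE|os=Windows 10 Pro|cpu=Intel(R) Core(TM) i7|disk=C: NTFS 98GB free"
    body = encode_c2(KEY, beacon)
    print("POST body:", body)
    decoded = decode_c2(KEY, body)
    print("decoded  :", decoded, "plausible:", looks_like_plaintext(decoded))
    # Sanity check against the published RC4 test vector (key "Key", plaintext "Plaintext").
    assert rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
```

When working a real capture, candidate keys usually come from strings or constants in the unpacked DLL; because RC4 gives no decryption error on a wrong key, run `looks_like_plaintext` (or a stricter parser for the beacon format) over each attempt rather than trusting the first result.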
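The Rundll32 (T1218.011), Match Legitimate Name or Location (T1036.005) and Spearphishing Attachment (T1566.001) rows describe a chain a detection engineer can hunt for: an Office process launching rundll32 against a payload named like a legitimate file, such as “iconcache.db”. The following is an added detection example written for this page, not MITRE's or any vendor's rule; the event field names (Image, CommandLine, ParentImage) approximate Sysmon Event ID 1, the events are constructed rather than real telemetry, and the extension, path and parent heuristics are my own choices.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Leading rundll32 token, bare or as a quoted full path; case-insensitive.
RUNDLL32_PREFIX = re.compile(
    r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s*', re.IGNORECASE)
# The module argument: a quoted path, or a run of non-space, non-comma characters.
MODULE_ARG = re.compile(r'^(?:"([^"]+)"|([^\s,]+))')

# Heuristic path fragments (assumption): locations an unprivileged user can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\", "\\tmp\\")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample events; none of these is from a real host.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # decoy-named payload in the user's profile, launched from Word
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'rundll32.exe "C:\Users\alice\AppData\Local\iconcache.db",Run',
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
    {   # benign Control Panel launch
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # proper .dll extension, but dropped in a user-writable directory
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Roaming\update.dll,Start",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # benign "Open with" dialog; the user path is an argument, not the module
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,OpenAs_RunDLL C:\Users\bob\notes.txt',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # not rundll32 at all; outside this rule's scope
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c whoami",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


def rundll32_module(command_line: str) -> Optional[str]:
    """Return the module path rundll32 was asked to load, or None for other command lines."""
    head = RUNDLL32_PREFIX.match(command_line)
    if head is None:
        return None
    arg = MODULE_ARG.match(command_line[head.end():])
    if arg is None:
        return None
    return arg.group(1) or arg.group(2)


def score_event(ev: Dict[str, str]) -> List[str]:
    """Reasons this rundll32 process-creation event is suspicious; empty list if none."""
    if not ev.get("Image", "").lower().endswith("\\rundll32.exe"):
        return []
    module = rundll32_module(ev.get("CommandLine", ""))
    if module is None:
        return []
    path = PureWindowsPath(module)
    reasons: List[str] = []
    if path.suffix.lower() != ".dll":
        # rundll32 loads any PE regardless of name; a data-file name like iconcache.db is a decoy.
        reasons.append(f"module {path.name!r} lacks a .dll extension")
    if any(tag in module.lower() for tag in USER_WRITABLE):
        reasons.append(f"module loaded from user-writable path {module!r}")
    parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office application {parent!r}")
    return reasons


def hunt(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index and reasons for every flagged event, in input order."""
    flagged = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if reasons:
            flagged.append((i, reasons))
    return flagged


if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
        for r in reasons:
            print("   -", r)
```

The extension check alone is easy to evade (rename the payload to .dll), so treat the three conditions as a score: one hit is a lead, all three is the spearphishing-to-rundll32 chain the table describes. Only the module argument is inspected for a user-writable path; trailing arguments such as the file passed to OpenAs_RunDLL routinely live in user directories and would otherwise flood the rule with false positives.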

Groups That Use This Software

ID | Name | References
G0032 | Lazarus Group | [1]
