MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN | CISA
Tags
| country: | North Korea |
| maec-delivery-vectors: | Watering Hole |
| attack-pattern: | Data Domains - T1583.001 Domains - T1584.001 Malware - T1587.001 Malware - T1588.001 Phishing - T1660 Phishing - T1566 Software - T1592.002 Vulnerabilities - T1588.006 Whois - T1596.002 Connection Proxy - T1090 |
Common Information
| Type | Value |
|---|---|
| UUID | 31e2700f-889c-453f-8589-1313b9738990 |
| Fingerprint | 8d9d9b8f6d7b158f |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Aug. 19, 2020, noon |
| Added to db | June 1, 2023, 11:04 a.m. |
| Last updated | Nov. 17, 2024, 5:57 p.m. |
| Headline | MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN |
| Title | MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN | CISA |
| Detected Hints/Tags/Attributes | 79/3/80 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://www.cisa.gov/news-events/analysis-reports/ar20-232a |
| Details | Redirection | https://www.cisa.gov/uscert/ncas/analysis-reports/ar20-232a |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 145 | www.us-cert.gov |
|
| Details | Domain | 2 | agarwalpropertyconsultants.com |
|
| Details | Domain | 2 | anca-aste.it |
|
| Details | Domain | 3 | automercado.co.cr |
|
| Details | Domain | 3 | curiofirenze.com |
|
| Details | Domain | 52 | whois.arin.net |
|
| Details | Domain | 3 | www.anca-aste.it |
|
| Details | Domain | 12 | whois.ripe.net |
|
| Details | Domain | 12 | ovh.net |
|
| Details | Domain | 4 | www.curiofirenze.com |
|
| Details | Domain | 4 | www.automercado.co.cr |
|
| Details | Domain | 469 | www.cisa.gov |
|
| Details | Domain | 84 | malware.us-cert.gov |
|
| Details | Domain | 84 | ftp.malware.us-cert.gov |
|
| Details | 1 | abuse@ovh.net |
||
| Details | 84 | submit@malware.us-cert.gov |
||
| Details | File | 101 | iconcache.db |
|
| Details | File | 2 | 8d179113e963d81adbf8d39ceff456afac3dae16.docx |
|
| Details | File | 66 | settings.xml |
|
| Details | File | 2 | boeing_ia_cm.jpg |
|
| Details | File | 2 | e83cf8a6a4b24bd5d2b8ce4364d79fa8d4db6c6a.docx |
|
| Details | File | 2 | c70edfaf2c33647d531f7df76cd4e5bb4e79ea2e.docx |
|
| Details | File | 2 | 0ecc687d741c7b009c648ef0de0a5d47213f37ff.docx |
|
| Details | File | 2 | boeing_iacm_logo.jpg |
|
| Details | File | 2 | boeing_jd_t034519.jpg |
|
| Details | File | 2 | boeing_spectrolab_logo.jpg |
|
| Details | File | 3 | c:\programdata\iconcache.db |
|
| Details | File | 2 | inc-site.asp |
|
| Details | File | 3 | main.jsp |
|
| Details | md5 | 2 | f9e6c35dbb62101498ec755152a8a67b |
|
| Details | md5 | 2 | d742ba8cf5b24affdf77bc6869da0dc5 |
|
| Details | md5 | 2 | aefcd8e98a231bccbc9b2c6d578fc8f3 |
|
| Details | md5 | 2 | 3a6b48871abbf2a1ce4c89b08bc0b7d8 |
|
| Details | md5 | 2 | e7718609577c6e34221b03de7e959a8c |
|
| Details | md5 | 2 | 6c2d15114ebdd910a336b6b147512a74 |
|
| Details | sha1 | 2 | 8d179113e963d81adbf8d39ceff456afac3dae16 |
|
| Details | sha1 | 2 | e83cf8a6a4b24bd5d2b8ce4364d79fa8d4db6c6a |
|
| Details | sha1 | 2 | c70edfaf2c33647d531f7df76cd4e5bb4e79ea2e |
|
| Details | sha1 | 2 | 0ecc687d741c7b009c648ef0de0a5d47213f37ff |
|
| Details | sha256 | 2 | 0fc12e03ee93d19003b2dd7117a66a3da03bd6177ac6eb396ed52a40be913db6 |
|
| Details | sha256 | 2 | 158ddb85611b4784b6f5ca7181936b86eb0ec9a3c67562b1d57badd7b7ec2d17 |
|
| Details | sha256 | 2 | 586d012540ed1244572906e3733a0cb4bba90a320da82f853e5dfac82c5c663e |
|
| Details | sha256 | 3 | 6a3446b8a47f0ab4f536015218b22653fff8b18c595fbc5b0c09d857eba7c7a1 |
|
| Details | sha256 | 3 | 7933716892e0d6053057f5f2df0ccadf5b06dc739fea79ee533dd0cec98ca971 |
|
| Details | sha256 | 2 | d40ad4cd39350d718e189adf45703eb3a3935a7cf8062c20c663bc14d28f78c9 |
|
| Details | sha256 | 2 | 58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d |
|
| Details | sha256 | 2 | 7d507281e2e21476ff1af492ad9f574b14cbf77eb4cda9b67e4256318c7c6bbd |
|
| Details | sha256 | 2 | 8b53b519623b56ab746fdaf14d3eb402e6fa515cde2113a07f5a3b4050e98050 |
|
| Details | sha256 | 2 | b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9 |
|
| Details | sha256 | 2 | bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1 |
|
| Details | sha256 | 2 | d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5 |
|
| Details | sha256 | 2 | 1ee75106a9113b116c54e7a5954950065b809e0bb4dd0a91dc76f778508c7954 |
|
| Details | sha256 | 2 | 7dce6f30e974ed97a3ed024d4c62350f9396310603e185a753b63a1f9a2d5799 |
|
| Details | sha256 | 2 | 96721e13bae587c75618566111675dec2d61f9f5d16e173e69bb42ad7cb2dd8a |
|
| Details | sha256 | 2 | f71d67659baf0569143874d5d1c5a4d655c7d296b2e86be1b8f931c2335c0cd3 |
|
| Details | IPv4 | 2 | 192.99.20.39 |
|
| Details | IPv4 | 2 | 199.79.63.24 |
|
| Details | IPv4 | 2 | 51.68.152.96 |
|
| Details | IPv4 | 3 | 54.241.91.49 |
|
| Details | IPv4 | 1 | 199.79.62.0 |
|
| Details | IPv4 | 1 | 199.79.63.255 |
|
| Details | IPv4 | 1 | 51.68.152.0 |
|
| Details | IPv4 | 1 | 51.68.155.255 |
|
| Details | IPv4 | 1 | 51.68.0.0 |
|
| Details | IPv4 | 1 | 192.99.0.0 |
|
| Details | IPv4 | 1 | 192.99.255.255 |
|
| Details | IPv4 | 1 | 54.240.0.0 |
|
| Details | IPv4 | 1 | 54.255.255.255 |
|
| Details | Url | 42 | http://www.us-cert.gov/tlp. |
|
| Details | Url | 21 | https://www.us-cert.gov/hiddencobra. |
|
| Details | Url | 2 | https://agarwalpropertyconsultants.com/assets/form/template/img/boeing_ia_cm.jpg |
|
| Details | Url | 2 | https://www.anca-aste.it/uploads/form/boeing_iacm_logo.jpg |
|
| Details | Url | 2 | https://www.anca-aste.it/uploads/form/boeing_jd_t034519.jpg |
|
| Details | Url | 2 | https://www.anca-aste.it/uploads/form/boeing_spectrolab_logo.jpg |
|
| Details | Url | 4 | https://www.curiofirenze.com/include/inc-site.asp |
|
| Details | Url | 4 | https://www.automercado.co.cr/empleo/css/main.jsp |
|
| Details | Url | 12 | https://www.cisa.gov/forms/feedback |
|
| Details | Url | 84 | https://malware.us-cert.gov |
|
| Details | Yara rule | 2 | rule CISA_10135536_06 : trojan rat HIDDENCOBRA BLINDINGCAN {
meta:
Author = "CISA Code & Media Analysis"
Incident = "10135536"
Date = "2018-05-04"
Actor = "HiddenCobra"
Category = "Trojan RAT"
Family = "BLINDINGCAN"
Description = "Detects 32bit HiddenCobra BLINDINGCAN Trojan RAT"
MD5_1 = "f9e6c35dbb62101498ec755152a8a67b"
SHA256_1 = "1ee75106a9113b116c54e7a5954950065b809e0bb4dd0a91dc76f778508c7954"
MD5_2 = "d742ba8cf5b24affdf77bc6869da0dc5"
SHA256_2 = "7dce6f30e974ed97a3ed024d4c62350f9396310603e185a753b63a1f9a2d5799"
MD5_3 = "aefcd8e98a231bccbc9b2c6d578fc8f3"
SHA256_3 = "96721e13bae587c75618566111675dec2d61f9f5d16e173e69bb42ad7cb2dd8a"
MD5_4 = "3a6b48871abbf2a1ce4c89b08bc0b7d8"
SHA256_4 = "f71d67659baf0569143874d5d1c5a4d655c7d296b2e86be1b8f931c2335c0cd3"
strings:
$s0 = { C7 45 EC 0D 06 09 2A C7 45 F0 86 48 86 F7 C7 45 F4 0D 01 01 01 C7 45 F8 05 00 03 82 }
$s1 = { 50 4D 53 2A 2E 74 6D 70 }
$s2 = { 79 67 60 3C 77 F9 BA 77 7A 56 1B 68 51 26 11 96 B7 98 71 39 82 B0 81 78 }
condition:
any of them
} |
|
| Details | Yara rule | 2 | rule CISA_10295134_01 : rat trojan HIDDENCOBRA BLINDINGCAN {
meta:
Author = "CISA Code & Media Analysis"
Incident = "10295134"
Date = "2020-07-28"
Last_Modified = "20200730_1030"
Actor = "HiddenCobra"
Category = "Trojan RAT"
Family = "BLINDINGCAN"
Description = "Detects 32 and 64bit HiddenCobra BlindingCan Trojan RAT"
MD5_1 = "e7718609577c6e34221b03de7e959a8c"
SHA256_1 = "bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1"
MD5_2 = "6c2d15114ebdd910a336b6b147512a74"
SHA256_2 = "58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d"
strings:
$s0 = { C7 44 24 20 0D 06 09 2A C7 44 24 24 86 48 86 F7 C7 44 24 28 0D 01 01 01 C7 44 24 2C 05 00 03 82 }
$s1 = { C7 45 EC 0D 06 09 2A C7 45 F0 86 48 86 F7 C7 45 F4 0D 01 01 01 C7 45 F8 05 00 03 82 }
condition:
$s0 or $s1
} |