
BLINDINGCAN - Malware Used by Lazarus -

2020-09-29, JPCERT
https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html
#BLINDINGCAN

In the previous article, we introduced one type of malware that Lazarus (also known as Hidden Cobra) uses after network intrusion. It is confirmed that this attack group uses multiple types of malware including BLINDINGCAN, which CISA recently introduced in its report [1].
This article summarises the result of our analysis on BLINDINGCAN.
BLINDINGCAN overview
The malware runs when a loader loads a DLL file. Figure 1 shows the flow of events until BLINDINGCAN runs. JPCERT/CC has confirmed that the DLL file is encoded in some samples (which requires decoding by the loader before execution).
BLINDINGCAN shares some features with the aforementioned malware including its function and communication encoding algorithm. The following sections will explain its configuration and communication protocol.
Configuration
The configuration of BLINDINGCAN (size: 0xA84) is stored in one of the following locations:
- Hardcoded in the malware itself
- Stored in a registry entry
- Saved as a file
In case it …

IoC

58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d
8db272ea1100996a8a0ed0da304610964dc8ca576aa114391d1be9d4c5dab02e
https://www.automercado.co.cr/empleo/css/main.jsp
https://www.curiofirenze.com/include/inc-site.asp
https://www.ne-ba.org/files/news/thumbs/thumbs.asp
https://www.sanlorenzoyacht.com/newsl/include/inc-map.asp