BLINDINGCAN: A New Trojan Strain from North Korea

North Korean flag blowing in the wind

New malware from North Korea named BLINDINGCAN has been targeting defense and aerospace sectors, says a CISA report. Defense contractors of companies operating in these sectors are being sent fake job postings to hack into company networks.


The US Cybersecurity and Infrastructure Security Agency (CISA) has named a new North Korean malware strain, BLINDINGCAN. This malware has also been called DRATzarus in a report by ClearSky, a UK cyber security firm. The new strain was discovered by agents of the FBI and CISA who were jointly analyzing malware attacks. Their findings have been detailed in the Malware Analysis Report published by CISA.

BLINDINGCAN is a Remote Access Trojan (RAT), which are also called Backdoor Trojans. The report attributes this new Trojan strain to a North Korean government-sponsored hacking group called Hidden Cobra. This hacking group is also known as the Lazarus Group or APT38.

The report states the hackers used BLINDINGCAN to access victims’ systems via proxy servers so as to remain undetected longer. Consequently, they were able to exploit networks for a longer period of time. During this time they performed reconnaissance activities that involved gathering “intelligence surrounding key military and energy technologies.” In addition, the Trojan is capable of retrieving data, controlling processes, deploying files and installing itself without being detected.

The Attack Chain

Hidden Cobra has been targeting American government contractors in both US and overseas companies operating in the military defense and aerospace sectors. To lure potential victims, Hidden Cobra has been sending phishing emails that mimic job postings from large defense contracting firms. The emails contain fake job postings from individuals posing as recruiters. They are sent by the hackers to establish contact with contractors at target companies.

However, the emails contain malicious attachments that deploy the Trojan on the victim’s machine as soon as the victim opens the files. The attached files are usually MS Word and PDF documents. CISA found that the MS Word documents contained macros that attempted to connect to external domains to download the Trojan and install it. Other phishing emails contained DLL files. The DLL files attempted to install another DLL file that unpacked and ran the BLINDINGCAN Trojan.

“This campaign utilized compromised infrastructure from multiple countries to host its command and control (C2) infrastructure and distribute implants to a victim’s system,” the CISA report explained. Once installed the Trojan was utilized for reconnaissance purposes.

CISA’s Recommendations

CISA’s report also provides recommendations for users and administrators so that companies can resist Hidden Cobra attacks. Hidden Cobra is one of the foremost hacking groups from North Korea and one of four worldwide major government backed threat actors. The others coming from China, Russia and Iran.

CISA recommends that administrators strengthen the security of systems and networks to counter these threats by keeping operating system patches up-to-date and running the latest versions of antivirus software. CISA also advices that administrators review configuration changes before implementing them to avoid errors that provide hackers with unintended access.

In addition, CISA recommends best practices that include strong password policies, user web monitoring, access control lists, disabling file and printer services and improving phishing awareness amongst employees. The CISA report also requests that users and administrators report activity they encounter associated with BLINDINGCAN to CISA or FBI-CyWatch.

Information technology expert
Grace is an information technology expert who joined the VPNoverview team in 2019, writing cybersecurity and internet privacy-based news articles. Due to her IT background in legal firms, these subjects have always been of great interest to her.