BLINDINGCAN

BLINDINGCAN is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US.(Citation: US-CERT BLINDINGCAN Aug 2020)(Citation: NHS UK BLINDINGCAN Aug 2020)
ID: S0520
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 27 Oct 2020
Last Modified: 17 Mar 2021

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

BLINDINGCAN has used HTTPS over port 443 for command and control.(Citation: US-CERT BLINDINGCAN Aug 2020)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

BLINDINGCAN has executed commands via cmd.exe.(Citation: US-CERT BLINDINGCAN Aug 2020)

Enterprise T1132 .001 Data Encoding: Standard Encoding

BLINDINGCAN has encoded its C2 traffic with Base64.(Citation: US-CERT BLINDINGCAN Aug 2020)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

BLINDINGCAN has encrypted its C2 traffic with RC4.(Citation: US-CERT BLINDINGCAN Aug 2020)
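The two rows above (T1132.001 Base64 encoding and T1573.001 RC4 encryption) describe one layered transform on the C2 channel: RC4 first, then Base64 so the ciphertext survives as HTTP text. The block below is an added illustration written for this page, not code from the US-CERT report or from the malware; the key and the JSON message are constructed for the demo and say nothing about BLINDINGCAN's real key or message format. It implements RC4 from the specification (KSA then PRGA), wraps it the way an implant would, and unwraps it the way an analyst with the recovered key would.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling (KSA) then keystream XOR (PRGA).
    The cipher is symmetric, so the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                                   # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                      # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wrap_c2(plaintext: bytes, key: bytes) -> str:
    """Implant side: RC4-encrypt, then Base64 so the blob can ride in an HTTP body or parameter."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def unwrap_c2(blob: str, key: bytes) -> bytes:
    """Analyst side: undo the layers in reverse order. validate=True rejects anything
    that is not strict Base64, which is a cheap first check that a field is really an encoded blob."""
    return rc4(key, base64.b64decode(blob, validate=True))


# Constructed demo key and message (assumptions for this example only).
DEMO_KEY = b"example-rc4-key"
DEMO_MESSAGE = b'{"cmd":"whoami","id":42}'


def demo() -> bytes:
    """Round-trip the constructed message through the implant and analyst sides."""
    blob = wrap_c2(DEMO_MESSAGE, DEMO_KEY)
    return unwrap_c2(blob, DEMO_KEY)


if __name__ == "__main__":
    print(wrap_c2(DEMO_MESSAGE, DEMO_KEY))
    print(demo())
```

Two practical points follow from this layering. Neither Base64 nor RC4 gives the traffic any integrity or authentication, but that does not help a defender: without the key, which has to be recovered from the binary or from memory, the body is just a high-entropy Base64 string. And because the page records the transport as HTTPS on 443, this string is only visible at all where TLS is terminated for inspection; otherwise detection has to come from host telemetry rather than packet content.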

Enterprise T1070 .004 Indicator Removal: File Deletion

BLINDINGCAN has deleted itself and associated artifacts from victim machines.(Citation: US-CERT BLINDINGCAN Aug 2020)

Enterprise T1070 .006 Indicator Removal: Timestomp

BLINDINGCAN has modified file and directory timestamps.(Citation: US-CERT BLINDINGCAN Aug 2020)(Citation: NHS UK BLINDINGCAN Aug 2020)
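Timestomping rewrites the timestamps an investigator would otherwise use to place a file on a timeline. The block below is an added example, not part of the ATT&CK entry or the cited reports: it applies three common heuristics to a set of constructed file records (the paths, times and the heuristics' thresholds are assumptions for the demo). The records hold nanosecond timestamps because NTFS keeps 100 ns ticks, and tools that set a time from a whole-second string leave that fractional part exactly zero.

```python
from dataclasses import dataclass

NS_PER_SEC = 1_000_000_000


@dataclass
class FileTimes:
    """Timestamps for one file, nanoseconds since the Unix epoch.
    In practice these come from $STANDARD_INFORMATION or os.stat()."""
    path: str
    created_ns: int
    modified_ns: int
    parent_created_ns: int   # creation time of the containing directory


def timestomp_indicators(f: FileTimes) -> list[str]:
    hits = []
    # Whole-second values on both timestamps: typical of SetFileTime driven from a
    # "YYYY-MM-DD HH:MM:SS" string. Files copied from FAT media can look like this too.
    if f.created_ns % NS_PER_SEC == 0 and f.modified_ns % NS_PER_SEC == 0:
        hits.append("created and modified both have a zero sub-second component")
    # A file created inside a directory cannot predate that directory.
    if f.created_ns < f.parent_created_ns:
        hits.append("created before its parent directory")
    # Weak signal on its own: a plain file copy also preserves an older mtime.
    if f.modified_ns < f.created_ns:
        hits.append("modified before created")
    return hits


def scan(records: list[FileTimes]) -> dict[str, list[str]]:
    """Map each suspicious path to the indicators that fired."""
    return {r.path: hits for r in records if (hits := timestomp_indicators(r))}


# Constructed sample records, not from a real incident.
PARENT = 1_598_000_000_123_456_700          # directory created in August 2020
SAMPLE = [
    FileTimes(r"C:\ProgramData\report.docx",
              PARENT + 5 * NS_PER_SEC + 77_000_000,
              PARENT + 9 * NS_PER_SEC + 12_300_000,
              PARENT),
    FileTimes(r"C:\ProgramData\iconcache.db",   # stomped back to 2014, whole seconds
              1_400_000_000 * NS_PER_SEC,
              1_400_000_000 * NS_PER_SEC,
              PARENT),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE).items():
        print(path, "->", "; ".join(reasons))
```

To run this over a live tree, fill the records from os.stat(): st_mtime_ns for the modification time and, on Windows, st_ctime_ns for the creation time. The stronger check is outside this example: compare $STANDARD_INFORMATION against $FILE_NAME in the MFT, since most timestomping tools only rewrite the former.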

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

BLINDINGCAN has attempted to hide its payload by using legitimate file names such as "iconcache.db".(Citation: US-CERT BLINDINGCAN Aug 2020)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

BLINDINGCAN has been packed with the UPX packer.(Citation: US-CERT BLINDINGCAN Aug 2020)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

BLINDINGCAN has been delivered by phishing emails containing malicious Microsoft Office documents.(Citation: US-CERT BLINDINGCAN Aug 2020)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

BLINDINGCAN has been signed with code-signing certificates such as CodeRipper.(Citation: US-CERT BLINDINGCAN Aug 2020)

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

BLINDINGCAN has used Rundll32 to load a malicious DLL.(Citation: US-CERT BLINDINGCAN Aug 2020)
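The T1036.005 and T1218.011 rows above combine in practice: a signed system binary (rundll32.exe) is handed a payload whose name (iconcache.db) does not look like a DLL. That pairing is what a process-creation detection should key on. The block below is an added example written for this page, not a rule shipped with any product and not derived from the cited reports beyond the file name: it extracts the module path from a rundll32 command line and flags a non-DLL name or a user-writable location. The events and the list of writable directories are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# rundll32 may appear bare, with .exe, quoted, or with a full path; capture what follows it.
RUNDLL_RE = re.compile(r'(?i)(?:^|[\\\s"])rundll32(?:\.exe)?"?\s+(?P<rest>.+)$')

# Directories an unprivileged user can write to (constructed, non-exhaustive).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def module_from_commandline(cmdline: str):
    """Return the module path rundll32 was asked to load, or None if this is not rundll32."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    rest = m.group("rest").strip()
    if rest.startswith('"'):                      # quoted path, may contain spaces
        end = rest.find('"', 1)
        module = rest[1:end] if end != -1 else rest[1:]
    else:
        module = rest.split()[0]
    # rundll32 syntax is <module>,<entrypoint>; drop the entry point (name or #ordinal).
    return module.split(",", 1)[0]


def rundll32_indicators(cmdline: str) -> list[str]:
    module = module_from_commandline(cmdline)
    if module is None:
        return []
    low = module.lower()
    reasons = []
    if not low.endswith(".dll"):
        reasons.append(f"module has a non-DLL name: {PureWindowsPath(module).name}")
    if any(d in low for d in USER_WRITABLE):
        reasons.append("module is in a user-writable directory")
    return reasons


# Constructed process-creation events in the shape of Sysmon Event ID 1; not real telemetry.
EVENTS = [
    {"pid": 4120, "cmdline": r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'},
    {"pid": 5512, "cmdline": r'"C:\Windows\System32\rundll32.exe" "C:\ProgramData\iconcache.db",#1'},
    {"pid": 6001, "cmdline": r'C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt'},
]


def scan_events(events) -> list:
    """(pid, reasons) for every event that trips at least one indicator."""
    return [(e["pid"], r) for e in events if (r := rundll32_indicators(e["cmdline"]))]


if __name__ == "__main__":
    for pid, reasons in scan_events(EVENTS):
        print(pid, "; ".join(reasons))
```

The first event is the benign baseline (a Control Panel applet from System32) and produces nothing; the second trips both checks. Legitimate software does sometimes load DLLs with odd extensions or from ProgramData, so the expected use is scoring or triage rather than blocking, with the parent process and the module's signature as the next pivot.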

Enterprise T1204 .002 User Execution: Malicious File

BLINDINGCAN has lured victims into executing malicious macros embedded within Microsoft Office documents.(Citation: US-CERT BLINDINGCAN Aug 2020)

Groups That Use This Software

ID Name References
G0032 Lazarus Group

(Citation: US-CERT BLINDINGCAN Aug 2020)