Well, it’s that time again (which happens to be constant), and we have more malware fun coming in from North Korea.
Digital Immunity Threat Researchers have reviewed BLINDINGCAN and have assessed how it would get into an environment and be executed. Digital Immunity DI PROTECT™ will detect and prevent, in memory, at run-time, the execution of the untrusted code known as BLINDINGCAN, as well as detect and prevent the execution of the untrusted foreign code that gave the attackers access to the environment to launch BLINDINGCAN in the first place.
The article below explains the details of BLINDINGCAN, how it gets into your environment and what you can do to protect your critical systems.
BLINDINGCAN Remote Access Trojan (RAT)
The BLINDINGCAN Remote Access Trojan leverages a .docx file which attempts to connect to external domains for a download. It then retrieves a 32-bit and a 64-bit DLL, each of which is installed under the name “iconcache.db”. The “iconcache.db” DLL unpacks and executes a variant of the Hidden Cobra RAT. The Remote Access Trojan contains built-in functions for remote operations that provide various capabilities on a victim’s system, allowing for better persistence and further exploitation within an already compromised system and network.
Who and What Is at Risk?
Though this remote access trojan could be used against anyone, the threat is currently focused on military contractors who have worked or are working with the military or with energy companies. The attacks have been delivered through fake job boards leveraging a malicious Word document. This remote access trojan is being used to keep persistence on already exploited/controlled systems.
Where Digital Immunity Intercepts
Digital Immunity DI PROTECT™ intercepts at the point where untrusted code is executed and loaded into memory. In this case, the remote access trojan has a dropper file which is packed with UPX, and that file in itself would be caught at execution time without disruption to the system or its good processes.
Digital Immunity DI PROTECT™ would also have prevented the unpacked executable, which is itself separate untrusted code. The additional DLL files which are subsequently downloaded and injected into memory would not be allowed into memory either, as they too are untrusted code.
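The two on-disk characteristics the write-up names, a PE image carrying the Windows “iconcache.db” file name (32-bit or 64-bit DLL) and a UPX-packed dropper, can be checked without running anything. The script below is an added example for this article, not code from Digital Immunity or from the malware analysis; it parses the COFF header and section table of a file, flags a PE hiding under the iconcache.db name and the UPX0/UPX1 section names UPX leaves behind, and builds a constructed minimal PE header so it runs offline. A genuine icon cache is not a PE image, so it produces no finding.

```python
import struct

IMAGE_FILE_DLL = 0x2000                      # COFF Characteristics flag for DLL images
MACHINE = {0x14C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}   # section names left behind by UPX

def parse_pe(data: bytes):
    """Return machine, DLL flag and section names for a PE image, or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or pe_off + 24 > len(data):
        return None
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    tbl = pe_off + 24 + opt_size             # section table follows the optional header
    names = [data[tbl + i * 40: tbl + i * 40 + 8].rstrip(b"\0") for i in range(nsec)]
    return {"machine": MACHINE.get(machine, hex(machine)),
            "is_dll": bool(chars & IMAGE_FILE_DLL), "sections": names}

def assess(filename: str, data: bytes) -> list:
    """Flag a PE image hiding under the iconcache.db name and/or showing UPX packing."""
    findings = []
    pe = parse_pe(data)
    if pe is None:                           # a genuine icon cache is not a PE image
        return findings
    if filename.lower() == "iconcache.db":
        findings.append(f"PE image ({pe['machine']}, dll={pe['is_dll']}) named iconcache.db")
    if UPX_SECTIONS & set(pe["sections"]):
        findings.append("UPX section names present: packed dropper")
    return findings

def build_sample_pe(machine: int, sections: list, dll: bool = True) -> bytes:
    """Constructed sample: a minimal PE header with no code, used only to exercise the checks."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, 0,
                       IMAGE_FILE_DLL if dll else 0)
    table = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in sections)
    return dos + b"PE\0\0" + coff + table

if __name__ == "__main__":
    sample = build_sample_pe(0x8664, [b"UPX0", b"UPX1", b".rsrc"])   # constructed 64-bit DLL
    for finding in assess("iconcache.db", sample):
        print(finding)
```

To scan a real host, feed `assess()` the file name and bytes of any iconcache.db found outside its normal location; the checks are header-only, so a packed or renamed image is never executed.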
Long Term Goals
Digital Immunity DI PROTECT™ will detect and prevent, in memory, at run-time, the execution of foreign code such as BLINDINGCAN. Digital Immunity’s prevention capability will not disrupt good processes, ensuring that operations continue uninterrupted. DI PROTECT™ also captures deep forensics, in context, at the point of attack.
In the long term you should assess how a technology such as DI PROTECT™ could prevent cyber-threats like the Remote Access Trojan BLINDINGCAN. Having a technology such as DI PROTECT™ to prevent known and unknown threats in OT can provide priceless peace of mind. DI PROTECT™ also delivers the added benefits of reduced downtime, reduced emergency patching, and increased uptime and revenue.