TTCSIRT-342.08.24.20: TT-CSIRT ADVISORY – BLINDINGCAN Malware

On August 19, 2020, The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) publicly released a Malware Analysis Report (MAR) and associated samples labeled BLINDINGCAN. The information contained in the report is the result of analytic efforts between the Department of Homeland Security (DHS) and the FBI to provide technical details on the tools and infrastructure used by cyber actors of the North Korean (DPRK) government.

This malware variant has been identified as BLINDINGCAN. The U.S. government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit www.us-cert.gov/NorthKorea.

The FBI has high confidence that a threat group with a DPRK-nexus are using targeting government contractors to gather intelligence surrounding key military and energy technologies. DHS and the FBI are distributing this MAR to enable network defense and reduce exposure to DPRK malicious cyber activity.

This MAR includes malware descriptions related to BLINDINGCAN, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

Reporting forms can be found on CISA’s homepage at www.cisa.gov.

If you have any queries or comments with regards to this advisory, please feel free to contact TTCSIRT via contacts@ttcsirt.gov.tt