Late last week, Ariel Millahuel released a community threat hunting rule to detect the BLINDINGCAN Remote Access Trojan, which is used by North Korean state-sponsored hackers.

The rule is based on a malware analysis report recently published by CISA experts. The threat actor used the BLINDINGCAN RAT in a cyberespionage campaign primarily targeted at the US defense and aerospace sectors. They sent fake job offers to employees via email and social networks, and researchers attributed this campaign to Hidden Cobra.

After infecting a system, the adversaries used their new multi-function trojan to collect information on key military and energy technologies. The BLINDINGCAN RAT is capable of retrieving information about all installed disks, the operating system version, processor information, and the local IP and MAC addresses. It can create, start, and terminate a new process and its primary thread; search, read, write, move, and execute files; get and modify file or directory timestamps; change the current directory for a process or file; and remove traces of the malware and its malicious activity.

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Carbon Black, Elastic Endpoint


Tactics: Execution, Defense Evasion

Techniques: Signed Binary Proxy Execution (T1218)


Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.
