Late last week, Ariel Millahuel released a community threat hunting rule to detect the BLINDINGCAN Remote Access Trojan used by North Korean state-sponsored hackers: https://tdm.socprime.com/tdm/info/pi0B7x1SzQlU/FiBkEHQBSh4W_EKGcibk/?p=1
The rule is based on a malware analysis report recently published by CISA experts. The threat actor used the BLINDINGCAN RAT in a cyberespionage campaign primarily targeting the US defense and aerospace sectors. They sent fake job offers to employees via email and social networks, and researchers attributed this campaign to Hidden Cobra.
After infecting a system, the adversaries collected key military and energy technology data using their new multi-function trojan. BLINDINGCAN RAT can retrieve information about all installed disks, the operating system version, processor information, and the local IP and MAC addresses. It can create, start, and terminate a new process and its primary thread; search, read, write, move, and execute files; get and modify file or directory timestamps; change the current directory for a process or file; and remove traces of the malware and its activity.
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio
EDR: Carbon Black, Elastic Endpoint
Tactics: Execution, Defense Evasion
Techniques: Signed Binary Proxy Execution (T1218)
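The rule's own query logic is not reproduced in this post, so the following is an added example written for this page, not the SOC Prime rule or anything from the CISA report. It shows the shape of a generic hunt for the technique the rule is mapped to, Signed Binary Proxy Execution (T1218): process-creation events where a signed Windows proxy binary is handed a payload from a user-writable directory. The log format (`timestamp|image|command_line|parent_image`), the sample events, the file name `payload.dll`, and the lists of proxy binaries and suspicious directories are all constructed assumptions for the demonstration.

```python
"""Generic T1218 (Signed Binary Proxy Execution) hunt over constructed process-creation events.

Added example for this page; it is not the SOC Prime community rule, whose logic
is not shown in the post, and it makes no claim about how BLINDINGCAN itself is loaded.
"""
import ntpath
import re

# Assumption: signed Windows binaries commonly abused as execution proxies (T1218 sub-techniques).
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}

# Assumption: user-writable directories from which a legitimately signed component is rarely loaded.
SUSPICIOUS_PATH = re.compile(
    r"\\(users\\[^\\]+\\appdata|programdata|windows\\temp|users\\[^\\]+\\downloads)\\",
    re.IGNORECASE,
)


def parse_event(line):
    """Parse one constructed 'timestamp|image|command_line|parent_image' record into a dict."""
    ts, image, cmdline, parent = line.split("|", 3)
    return {"ts": ts, "image": image, "cmdline": cmdline, "parent": parent}


def is_proxy_execution(event):
    """True when a known proxy binary's command line points at a user-writable path."""
    name = ntpath.basename(event["image"]).lower()
    if name not in PROXY_BINARIES:
        return False
    return SUSPICIOUS_PATH.search(event["cmdline"]) is not None


def hunt(lines):
    """Return a finding (tagged with the ATT&CK technique id) for every matching event."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if is_proxy_execution(ev):
            findings.append({
                "technique": "T1218",
                "ts": ev["ts"],
                "image": ev["image"],
                "cmdline": ev["cmdline"],
                "parent": ev["parent"],
            })
    return findings


# Constructed sample events: two suspicious loads, one benign rundll32 use, one unrelated process.
SAMPLE_EVENTS = [
    r"2020-08-24T10:00:00Z|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\jdoe\AppData\Local\Temp\payload.dll,Run|C:\Windows\explorer.exe",
    r"2020-08-24T10:00:05Z|C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL|C:\Windows\explorer.exe",
    r"2020-08-24T10:00:09Z|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s C:\ProgramData\update\payload.dll|C:\Windows\System32\cmd.exe",
    r"2020-08-24T10:00:12Z|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs|C:\Windows\System32\services.exe",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['technique']}] {f['ts']} {f['image']} <- {f['parent']}: {f['cmdline']}")
```

In a real deployment the same two conditions (proxy binary plus payload path) are what a SIEM translation of such a rule expresses in its query language, with the path list tuned to the environment's legitimate software and the parent process used to reduce false positives.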