BLINDINGCAN

Malware updated 4 months ago (2024-05-04T19:30:36.799Z)
BlindingCan, also known as AIRDRY or ZetaNile, is a multifaceted HTTP(S) remote access trojan (RAT) used by North Korea's Lazarus group and capable of extracting sensitive data from compromised hosts. It is delivered through spear-phishing: the operators pose as recruiters for high-profile companies and send targets trojanized documents or applications, such as the coding challenges used against a Spanish aerospace company, to gain initial access. Once running, the RAT receives commands from its command-and-control (C2) server, executes them on the host and sends the results back. BlindingCan has been used in several notable intrusions, including the Amazon-themed Dream Job campaign; in the aerospace intrusion the actor deployed a new payload dubbed LightlessCan.

LightlessCan, the most significant payload in these campaigns, is the successor to BlindingCan. ESET analysts assess that it is based on the BlindingCan source code: the order of the shared commands is largely preserved, although their indices differ. The same trait appears in other malware families used by Lazarus. Compared with BlindingCan, Lazarus increased the code sophistication considerably in LightlessCan, making it far more capable than its predecessor. Its most notable feature is that it mimics the functionality of a wide range of native Windows commands inside the RAT itself, so the operator does not have to spawn console processes; this makes detecting and analysing the attacker's activity more challenging.

A cut-down variant, which ESET named miniBlindingCan, collects system information such as the computer name, Windows version and configuration data, and receives and executes commands from the C2 server.

Taken together, these families show the actor continually refining its tools and tactics, and the growing sophistication of, and risk posed by, this malware.
Description last updated: 2024-05-04T16:46:15.206Z
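The evasion described above, LightlessCan reimplementing native Windows commands inside the RAT instead of executing them, can be shown with a simple process-lineage hunt. The following Python is an added example written for this page; it is not ESET's code and nothing from the Lazarus toolset. The events are constructed Sysmon-style process-creation records, and "implant.exe", the pids and the recon-binary list are assumptions for illustration. A detection keyed on discovery tools spawned under one parent fires on an implant that shells out, and finds nothing for one that stays in-process.

```python
"""Added illustration: why process-lineage detections catch a RAT that shells
out to Windows commands but miss one that re-implements them in-process.
All events below are constructed, not real telemetry; 'implant.exe' is a
placeholder name, not an indicator of compromise."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record with Sysmon Event ID 1 style fields."""
    pid: int
    ppid: int
    image: str      # executable basename as logged
    cmdline: str


# Built-in discovery tools whose execution under an unexpected parent is a
# common hunt signal (the "living off the land" recon pattern). Assumed list.
RECON_IMAGES: Set[str] = {
    "whoami.exe", "ipconfig.exe", "net.exe", "net1.exe", "systeminfo.exe",
    "netstat.exe", "tasklist.exe", "nltest.exe", "arp.exe",
}

# Constructed sample 1: an implant that performs recon by spawning console
# commands, mostly wrapped in cmd.exe /c.
NOISY_IMPLANT: List[ProcEvent] = [
    ProcEvent(4242, 1000, "implant.exe", "implant.exe"),
    ProcEvent(4300, 4242, "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent(4301, 4300, "whoami.exe", "whoami"),
    ProcEvent(4310, 4242, "cmd.exe", "cmd.exe /c ipconfig /all"),
    ProcEvent(4311, 4310, "ipconfig.exe", "ipconfig /all"),
    ProcEvent(4320, 4242, "cmd.exe", "cmd.exe /c net user"),
    ProcEvent(4321, 4320, "net.exe", "net user"),
    ProcEvent(4322, 4321, "net1.exe", "C:\\Windows\\system32\\net1 user"),
    ProcEvent(4330, 4242, "systeminfo.exe", "systeminfo"),
    ProcEvent(5000, 1000, "notepad.exe", "notepad.exe"),   # unrelated user activity
]

# Constructed sample 2: the same recon done through Win32 API calls inside the
# implant process. Nothing is spawned, so the process-creation log shows only
# the implant itself.
IN_PROCESS_IMPLANT: List[ProcEvent] = [
    ProcEvent(4242, 1000, "implant.exe", "implant.exe"),
    ProcEvent(5000, 1000, "notepad.exe", "notepad.exe"),
]


def descendants(events: Iterable[ProcEvent], root_pid: int) -> Set[int]:
    """Return every pid in the process tree rooted at root_pid (excluding it)."""
    children: Dict[int, List[int]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e.pid)
    seen: Set[int] = set()
    stack = [root_pid]
    while stack:
        parent = stack.pop()
        for child in children.get(parent, []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def recon_images_under(events: List[ProcEvent], root_pid: int) -> Set[str]:
    """Distinct discovery binaries launched anywhere below root_pid, including
    those reached through cmd.exe /c or the net.exe -> net1.exe hop."""
    tree = descendants(events, root_pid)
    return {e.image.lower() for e in events
            if e.pid in tree and e.image.lower() in RECON_IMAGES}


def lolbin_recon_alert(events: List[ProcEvent], root_pid: int,
                       min_distinct: int = 3) -> bool:
    """Fire when one parent's subtree runs at least min_distinct recon tools."""
    return len(recon_images_under(events, root_pid)) >= min_distinct


if __name__ == "__main__":
    for name, sample in (("shell-out implant", NOISY_IMPLANT),
                         ("in-process implant", IN_PROCESS_IMPLANT)):
        hits = sorted(recon_images_under(sample, 4242))
        print(f"{name}: recon children={hits} alert={lolbin_recon_alert(sample, 4242)}")
```

The second case is the practitioner's point: with no child processes there is nothing for this rule to count, and lowering min_distinct does not help. Coverage for an in-process implant has to come from telemetry that does not depend on process creation, such as the implant's own outbound HTTP(S) connections to the C2 server or API-level tracing of the process.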
Aliases: none tracked in this dataset (the description above names AIRDRY and ZetaNile).
Miscellaneous Associations (other elements of context that could aid in the identification of relevance): Malware, RAT, Backdoor, Downloader, Trojan, Payload, ESET, Phishing, Windows
Associated Malware
ID: LightlessCan (type: unspecified; votes: 4)
Profile description: LightlessCan is a new and advanced malware, discovered by ESET, that has been added to North Korea's Lazarus group's arsenal. The malware is a successor to the group's flagship HTTP(S) Remote Access Trojan (RAT) named BlindingCan. LightlessCan represents a significant advancement in maliciou
Source Document References
Information about the BLINDINGCAN malware was read from the documents below (display limited to 20 results).
Source (created): Title
CERT-EU (6 months ago): New Malicious PyPI Packages used by Lazarus - JPCERT/CC Eyes
CERT-EU (a year ago): Security Breach: Hacker Poses as Meta Recruiter, Targets Aerospace Company
CERT-EU (a year ago): Cyber Security Week in Review: October 6, 2023
CERT-EU (a year ago): North Korea's Lazarus Group upgrades its main malware
DARKReading (a year ago): North Korea Poses as Meta to Deploy Complex Backdoor at Aerospace Org
CERT-EU (a year ago): LinkedIn Messaging used by APT to phish aerospace target and plant novel malware
Securityaffairs (a year ago): North Korean Lazarus targeted a Spanish aerospace company
BankInfoSecurity (a year ago): Hackers Impersonate Meta Recruiter to Target Aerospace Firm
CERT-EU (a year ago): Lazarus APT Exploiting LinkedIn to Target Spanish Aerospace Firm
CERT-EU (a year ago): Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
CERT-EU (a year ago): Lazarus hackers breach aerospace firm with new LightlessCan malware
CERT-EU (a year ago): Lazarus Group Impersonates Recruiter from Meta to Target Spanish Aerospace Firm
CERT-EU (a year ago): IT threat evolution in Q2 2023 – GIXtools
CERT-EU (a year ago): IT threat evolution Q2 2023
CERT-EU (a year ago): Qbot malware continues its climb in Italy, while a new version of GuLoader enters the Top 10 | Il corriere della sicurezza
MITRE (2 years ago): MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN | CISA
MITRE (2 years ago): BLINDINGCAN Remote Access Trojan - NHS Digital
Securelist (a year ago): Following the Lazarus group by tracking DeathNote campaign
CERT-EU (a year ago): FBI, GCHQ Unite To Foil Russian Malware Hacking Tool