BlindingCan, also known as AIRDRY or ZetaNile, is multifaceted malware capable of extracting sensitive data from compromised hosts. The threat actor gained initial access to systems via spear-phishing attacks in which the operators masqueraded as recruiters for high-profile companies, and then deployed new malware dubbed "LightlessCan." This malware was used in several notable cyber-attacks, including the Amazon Dream Job campaign. BlindingCan can infect systems through suspicious downloads, emails, or websites, and it has the ability to disrupt operations, steal personal information, or even hold data hostage.
The most significant payload used in these campaigns was LightlessCan, a successor to the Lazarus group's flagship HTTP(S) Remote Access Trojan (RAT) named BlindingCan. ESET analysts believe that LightlessCan is based on the BlindingCan source code: it largely preserves the order of the commands the two share, albeit with differences in their indexing. This characteristic is also found in other types of malware used by Lazarus. Compared with BlindingCan, Lazarus increased the sophistication of the code in LightlessCan, making it much more malicious than its predecessor.
A simplified version of BlindingCan, named miniBlindingCan by ESET, is designed to collect system information such as the computer name, Windows version, and configuration data. It also receives and executes commands from the command-and-control (C2) server. One of the most notable aspects of this RAT is that it mimics the functionality of a wide range of native Windows commands, which makes detecting and analyzing the attacker's activities more challenging. This indicates that threat actors continually advance their attack tactics and tools, highlighting the growing sophistication of, and the potential risks associated with, this malware.
Description last updated: 2024-05-04T16:46:15.206Z