BLINDINGCAN Remote Access Trojan [HIDDEN COBRA]
The FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. This malware variant has been identified as BLINDINGCAN.
BLINDINGCAN is initially delivered via Microsoft Office attachments distributed in sophisticated spear-phishing campaigns.
A threat group with a nexus to North Korea targeted government contractors early this year to gather intelligence surrounding key military and energy technologies.
The malicious documents employed in this campaign used job postings from leading defense contractors as lures and installed a data gathering implant on a victim’s system. This campaign utilized compromised infrastructure from multiple countries to host its command and control (C2) infrastructure and distribute implants to a victim’s system.
Indicators of Compromise
IP addresses
- 192.99.20[.]39
- 199.79.63[.]24
- 51.68.152[.]96
- 54.241.91[.]49
Domains
- agarwalpropertyconsultants[.]com
- anca-aste[.]it
- automercado.co[.]cr
- curiofirenze[.]com
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.