{"id":5520,"date":"2020-08-26T10:55:44","date_gmt":"2020-08-26T17:55:44","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=5520"},"modified":"2024-04-26T13:21:17","modified_gmt":"2024-04-26T20:21:17","slug":"cyber-threat-advisory-hidden-cobra-blindingcan-rat-variants","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory-hidden-cobra-blindingcan-rat-variants\/","title":{"rendered":"Cyber Threat Advisory: HIDDEN COBRA: BLINDINGCAN RAT Variants"},"content":{"rendered":"<h6>Date: 21 August 2020<br \/>\nAuthor: Eric Patterson<br \/>\nTLP:WHITE<\/h6>\n<h3><strong>Executive Summary<\/strong><\/h3>\n<p>On 19 August, the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) released a Malware Analysis Report (MAR) on malware variants, dubbed <em>BLINDINGCAN<\/em>, used by the North Korean government.<sup>1<\/sup> Malicious cyber activities associated with the North Korean government are commonly referred to as HIDDEN COBRA.<\/p>\n<p>BLINDINGCAN refers to a series of Remote Access Trojan (RAT) variants currently in use by HIDDEN COBRA actors to maintain persistent access inside victim infrastructure. The current target set for this campaign includes government contractors who deal with key military and energy technologies. The threat actors made use of active job postings from contractors of interest as lures to deliver one of the malware variants to the victim.<\/p>\n<h3><strong>Analysis: BLINDINGCAN RAT Variants<\/strong><\/h3>\n<p>The MAR reported four documents being delivered via email with attached Microsoft Word Document (.docx) files purporting to reference open job postings for targeted companies. The DOCX files contain a series of Extensible Markup Language (XML) files in a directory structure that, when the document is opened, attempt to contact one of two command and control (C2) domains, depending on which file was received:<\/p>\n<ul>\n<li>hxxps:\/\/agarwalpropertyconsultants[.]com\/assets\/form\/template\/img\/boeing_ia_cm[.]jpg<\/li>\n<li>hxxps:\/\/www[.]anca-aste[.]it\/uploads\/form\/boeing_iacm_logo[.]jpg<\/li>\n<\/ul>\n<p>Depending on the information gathered from the victim\u2019s system, a 32- or 64-bit stage-one UPX-packed DLL payload will be downloaded to the victim machine: d40ad4cd39350d718e189adf45703eb3a3935a7cf8062c20c663bc14d28f78c9 or 0fc12e03ee93d19003b2dd7117a66a3da03bd6177ac6eb396ed52a40be913db6, respectively.<\/p>\n<p>Once installed, the follow-on execution chains appear identical for both the 32- and 64-bit variants. The stage-one payloads decode themselves using a hard-coded 0x59 XOR key, then install and execute the DLL as <em>C:\\ProgramData\\iconcache.db<\/em>. Stage-two payloads consist of a secondary 32- or 64-bit UPX-packed DLL run out of <em>C:\\ProgramData\\iconcache.db<\/em>. During execution, the stage-two DLL decompresses two additional DLL files into memory: one is the HIDDEN COBRA RAT variant, and the other is designed to unmap the DLL from memory.<\/p>\n<p>The two HIDDEN COBRA RAT variants each decrypt themselves using a different hard-coded AES key before attempting to collect the following system information:<\/p>\n<ul>\n<li>Operating system (OS) version information,<\/li>\n<li>Processor information,<\/li>\n<li>System name,<\/li>\n<li>Local IP address information,<\/li>\n<li>Media access control (MAC) address, and<\/li>\n<li>User-agent string (UAS).<\/li>\n<\/ul>\n<p>This information will be transmitted to one of two C2 domains: curiofirenze[.]com or automercado[.]co[.]cr. 
The malware will then craft a series of HTTP POST requests to its C2 using four distinct Base64-encoded parameters that relate to built-in functions capable of being executed on the victim machine. The functions of the malware include:<\/p>\n<ul>\n<li>Retrieve information about all installed disks, including the disk type and the amount of free space on the disk;<\/li>\n<li>Create, start, and terminate a new process and its primary thread;<\/li>\n<li>Search, read, write, move, and execute files;<\/li>\n<li>Get and modify file or directory timestamps;<\/li>\n<li>Change the current directory for a process or file; and<\/li>\n<li>Delete malware and artifacts associated with the malware from the infected system.<\/li>\n<\/ul>\n<h3><strong>Prevention and Mitigation<\/strong><\/h3>\n<p>The Cybersecurity and Infrastructure Security Agency (CISA) recommends the following mitigation techniques to defend against BLINDINGCAN. CISA also recommends that any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.<\/p>\n<ul>\n<li>Maintain up-to-date antivirus signatures and engines.<\/li>\n<li>Keep operating system patches up-to-date.<\/li>\n<li>Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.<\/li>\n<li>Restrict users&#8217; ability (permissions) to install and run unwanted software applications. 
Do not add users to the local administrators group unless required.<\/li>\n<li>Enforce a strong password policy and implement regular password changes.<\/li>\n<li>Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known.<\/li>\n<li>Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.<\/li>\n<li>Disable unnecessary services on agency workstations and servers.<\/li>\n<li>Scan for and remove suspicious email attachments; ensure the scanned attachment is its &#8220;true file type&#8221; (i.e., the extension matches the file header).<\/li>\n<li>Monitor users&#8217; web browsing habits; restrict access to sites with unfavorable content.<\/li>\n<li>Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).<\/li>\n<li>Scan all software downloaded from the Internet prior to executing.<\/li>\n<li>Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).<\/li>\n<\/ul>\n<h3><strong>Indicators of Compromise<\/strong><\/h3>\n<table>\n<tbody>\n<tr>\n<td><strong>Indicator<\/strong><\/td>\n<td style=\"padding-right: 10px;\"><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td>158ddb85611b4784b6f5ca7181936b86eb0ec9a3c67562b1d57badd7b7ec2d17<\/td>\n<td style=\"padding-right: 10px;\">Malicious .docx file<\/td>\n<\/tr>\n<tr>\n<td>6a3446b8a47f0ab4f536015218b22653fff8b18c595fbc5b0c09d857eba7c7a1<\/td>\n<td style=\"padding-right: 10px;\">Malicious .docx file<\/td>\n<\/tr>\n<tr>\n<td>7933716892e0d6053057f5f2df0ccadf5b06dc739fea79ee533dd0cec98ca971<\/td>\n<td style=\"padding-right: 10px;\">Malicious .docx file<\/td>\n<\/tr>\n<tr>\n<td>586d012540ed1244572906e3733a0cb4bba90a320da82f853e5dfac82c5c663e<\/td>\n<td style=\"padding-right: 10px;\">Malicious .docx file<\/td>\n<\/tr>\n<tr>\n<td>d40ad4cd39350d718e189adf45703eb3a3935a7cf8062c20c663bc14d28f78c9<\/td>\n<td style=\"padding-right: 
10px;\">32-bit stage one DLL<\/td>\n<\/tr>\n<tr>\n<td>b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9<\/td>\n<td style=\"padding-right: 10px;\">32-bit stage two DLL<\/td>\n<\/tr>\n<tr>\n<td>bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1<\/td>\n<td style=\"padding-right: 10px;\">32-bit binary RAT<\/td>\n<\/tr>\n<tr>\n<td>7d507281e2e21476ff1af492ad9f574b14cbf77eb4cda9b67e4256318c7c6bbd<\/td>\n<td style=\"padding-right: 10px;\">32-bit DLL unmapper<\/td>\n<\/tr>\n<tr>\n<td>0fc12e03ee93d19003b2dd7117a66a3da03bd6177ac6eb396ed52a40be913db6<\/td>\n<td style=\"padding-right: 10px;\">64-bit stage one DLL<\/td>\n<\/tr>\n<tr>\n<td>d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5<\/td>\n<td style=\"padding-right: 10px;\">64-bit stage two DLL<\/td>\n<\/tr>\n<tr>\n<td>58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d<\/td>\n<td style=\"padding-right: 10px;\">64-bit binary RAT<\/td>\n<\/tr>\n<tr>\n<td>8b53b519623b56ab746fdaf14d3eb402e6fa515cde2113a07f5a3b4050e98050<\/td>\n<td style=\"padding-right: 10px;\">64-bit DLL unmapper<\/td>\n<\/tr>\n<tr>\n<td>hxxps:\/\/agarwalpropertyconsultants[.]com\/assets\/form\/template\/img\/boeing_ia_cm[.]jpg<br \/>\nhxxps:\/\/www[.]anca-aste[.]it\/uploads\/form\/boeing_iacm_logo[.]jpg<br \/>\nhxxps:\/\/www[.]anca-aste[.]it\/uploads\/form\/boeing_jd_t034519[.]jpg<br \/>\nhxxps:\/\/www[.]anca-aste[.]it\/uploads\/form\/boeing_spectrolab_logo[.]jpg<br \/>\nhxxps:\/\/www[.]automercado[.]co[.]cr\/empleo\/css\/main[.]jsp<br \/>\nhxxps:\/\/www[.]curiofirenze[.]com\/include\/inc-site[.]asp<\/td>\n<td style=\"padding-right: 10px;\">BLINDINGCAN C2 URLs<\/td>\n<\/tr>\n<tr>\n<td>192[.]99[.]20[.]39<br \/>\n199[.]79[.]63[.]24<br \/>\n51[.]68[.]152[.]96<br \/>\n54[.]241[.]91[.]49<\/td>\n<td style=\"padding-right: 10px;\">BLINDINGCAN C2 IP addresses<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Endnote<br \/>\n1. 
<a href=\"https:\/\/us-cert.cisa.gov\/ncas\/analysis-reports\/ar20-232a\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/us-cert.cisa.gov\/ncas\/analysis-reports\/ar20-232a<\/a><\/p>\n","protected":false},"author":397,"featured_media":4338,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[254],"tags":[189,368,367,312,260],"class_list":{"0":"post-5520","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threat-intelligence","8":"tag-cybersecurity","9":"tag-federal","10":"tag-government","11":"tag-hidden-cobra","12":"tag-trojan","13":"entry"},"acf":[]}