By Clare O’Gara
Fri | Aug 21, 2020 | 6:30 AM PDT

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), together with the FBI, has just published a malware analysis report on a new cyber threat from North Korea.

This is malware you'll want to watch out for.

New North Korea remote access trojan

The malware is called BLINDINGCAN, and it is a remote access trojan (RAT).

According to the new CISA report, BLINDINGCAN is a malware variant used by North Korean government cyber actors. The FBI assesses with high confidence that these actors use variants like BLINDINGCAN in conjunction with proxy servers to maintain a presence on victim networks and to extend their exploitation of those networks.

Here is how the report describes the campaign in which BLINDINGCAN was used:

"A threat group with a nexus to North Korea targeted government contractors early this year to gather intelligence surrounding key military and energy technologies. The malicious documents employed in this campaign used job postings from leading defense contractors as lures and installed a data gathering implant on a victim's system. This campaign utilized compromised infrastructure from multiple countries to host its command and control (C2) infrastructure and distribute implants to a victim's system."

The U.S. government uses the name HIDDEN COBRA for malicious cyber activity by the North Korean government.

What are mitigation techniques for the new North Korea RAT?

The report also lists recommended mitigations for defending against HIDDEN COBRA activity:

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
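The "true file type" check in the list above is one of the few mitigations that can be turned directly into code. The following script is an added example, not code from the CISA report or from SecureWorld: it compares an attachment's extension with its leading magic bytes, refuses executable extensions outright, flags anything whose header is a PE or ELF executable regardless of the name it carries, and, for Office Open XML files, looks inside the ZIP container to confirm that a .docx really holds a Word document. The signature table is deliberately small, and the sample attachments (including the job-description lure name, which mirrors the campaign described above) are constructed inline for the demonstration.

```python
"""Check that an attachment's extension matches its file header (magic bytes).

Added example, not from the CISA/FBI report. The signature table below is an
assumption for demonstration purposes and is far from complete; a production
gateway would use a full signature library such as libmagic.
"""
import io
import zipfile

# Leading-byte signatures for the extensions we allow. Several extensions
# legitimately share a container: OLE2 for .doc/.xls, ZIP for OOXML and .zip.
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".zip": (b"PK\x03\x04",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".rtf": (b"{\\rtf",),
}

# Extensions never accepted as attachments, whatever the header says.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso"}

# Executable headers that must never appear in a file claiming another type.
EXECUTABLE_MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable"}

# ZIP member an OOXML document must contain for the claimed extension.
OOXML_MEMBER = {".docx": "word/document.xml", ".xlsx": "xl/workbook.xml"}


def extension(name: str) -> str:
    """Last extension, lower-cased ('resume.pdf.exe' -> '.exe')."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def ooxml_member_present(data: bytes, member: str) -> bool:
    """True if the ZIP payload contains the named member (e.g. word/document.xml)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return member in zf.namelist()
    except zipfile.BadZipFile:
        return False


def check_attachment(name: str, data: bytes) -> tuple:
    """Return (verdict, reason) for one attachment.

    Verdicts: 'blocked'  - extension is on the deny list
              'mismatch' - header does not belong to the claimed extension
              'unknown'  - no signature on file for this extension
              'ok'       - header (and OOXML contents) match the extension
    """
    ext = extension(name)
    if ext in BLOCKED_EXTENSIONS:
        return "blocked", f"{ext} attachments are not accepted"
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return "mismatch", f"{ext or 'no-extension'} file starts with a {label} header"
    sigs = MAGIC.get(ext)
    if sigs is None:
        return "unknown", f"no signature on file for {ext or 'no extension'}"
    if not any(data.startswith(s) for s in sigs):
        return "mismatch", f"header {data[:8]!r} does not match {ext}"
    member = OOXML_MEMBER.get(ext)
    if member and not ooxml_member_present(data, member):
        return "mismatch", f"ZIP container lacks {member} expected for {ext}"
    return "ok", f"header matches {ext}"


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP (stands in for an OOXML document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed sample attachments (not real campaign artefacts).
SAMPLES = {
    # Genuine-looking Word document: ZIP container with word/document.xml.
    "Job_Description.docx": make_zip({"[Content_Types].xml": "<Types/>",
                                      "word/document.xml": "<w:document/>"}),
    # PE executable renamed to .pdf.
    "Job_Description.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    # Word document renamed to .xlsx: ZIP header matches, contents do not.
    "benefits.xlsx": make_zip({"word/document.xml": "<w:document/>"}),
    # Double extension; the final extension is what the OS executes.
    "resume.pdf.exe": b"MZ\x90\x00",
    # No signature configured for .txt.
    "notes.txt": b"plain text",
}


def scan_all(samples: dict = SAMPLES) -> dict:
    """Map each attachment name to its verdict."""
    return {name: check_attachment(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reason = check_attachment(name, data)
        print(f"{verdict:8s} {name:24s} {reason}")
```

Running the script shows the four failure modes side by side: the renamed PE is caught by its MZ header even though the .pdf extension is allowed, the mislabelled .xlsx passes the ZIP magic check but fails the container inspection, and resume.pdf.exe is refused on its final extension alone. Note that checking magic bytes only establishes the container type, not the safety of its contents; a genuine .docx can still carry malicious macros or an external template reference, so this check belongs in front of, not instead of, the antivirus scanning the list also recommends.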