Skip to content

Hide Navigation Hide TOC

BLINDINGCAN - S0520 (01dbc71d-0ee8-420d-abb4-3dfb6a4bf725)

BLINDINGCAN is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US.(Citation: US-CERT BLINDINGCAN Aug 2020)(Citation: NHS UK BLINDINGCAN Aug 2020)

Cluster A Galaxy A Cluster B Galaxy B Level
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern BLINDINGCAN - S0520 (01dbc71d-0ee8-420d-abb4-3dfb6a4bf725) Malware 1
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern BLINDINGCAN - S0520 (01dbc71d-0ee8-420d-abb4-3dfb6a4bf725) Malware 1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern BLINDINGCAN - S0520 (01dbc71d-0ee8-420d-abb4-3dfb6a4bf725) Malware 1
BLINDINGCAN - S0520 (01dbc71d-0ee8-420d-abb4-3dfb6a4bf725) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 1
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern BLINDINGCAN - S0520 (01dbc71d-0ee8-420d-abb4-3dfb6a4bf725) Malware 1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern BLINDINGCAN - S0520 (01dbc71d-0ee8-420d-abb4-3dfb6a4bf725) Malware 1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern BLINDINGCAN - S0520 (01dbc71d-0ee8-420d-abb4-3dfb6a4bf725) Malware 1
BLINDINGCAN - S0520 (01dbc71d-0ee8-420d-abb4-3dfb6a4bf725) Malware Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 1
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern BLINDINGCAN - S0520 (01dbc71d-0ee8-420d-abb4-3dfb6a4bf725) Malware 1
BLINDINGCAN - S0520 (01dbc71d-0ee8-420d-abb4-3dfb6a4bf725) Malware Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 1
BLINDINGCAN - S0520 (01dbc71d-0ee8-420d-abb4-3dfb6a4bf725) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 1
BLINDINGCAN - S0520 (01dbc71d-0ee8-420d-abb4-3dfb6a4bf725) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 1
BLINDINGCAN - S0520 (01dbc71d-0ee8-420d-abb4-3dfb6a4bf725) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 1
BLINDINGCAN - S0520 (01dbc71d-0ee8-420d-abb4-3dfb6a4bf725) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 1
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern BLINDINGCAN - S0520 (01dbc71d-0ee8-420d-abb4-3dfb6a4bf725) Malware 1
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern BLINDINGCAN - S0520 (01dbc71d-0ee8-420d-abb4-3dfb6a4bf725) Malware 1
BLINDINGCAN - S0520 (01dbc71d-0ee8-420d-abb4-3dfb6a4bf725) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 1
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern BLINDINGCAN - S0520 (01dbc71d-0ee8-420d-abb4-3dfb6a4bf725) Malware 1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern BLINDINGCAN - S0520 (01dbc71d-0ee8-420d-abb4-3dfb6a4bf725) Malware 1
Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern BLINDINGCAN - S0520 (01dbc71d-0ee8-420d-abb4-3dfb6a4bf725) Malware 1
BLINDINGCAN - S0520 (01dbc71d-0ee8-420d-abb4-3dfb6a4bf725) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
BLINDINGCAN - S0520 (01dbc71d-0ee8-420d-abb4-3dfb6a4bf725) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 1
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 2
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern 2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2