Malware

BLINDINGCAN

aka AIRDRY · ZetaNile

BLINDINGCAN is a remote access trojan that communicates with its C&C server via HTTP(S).

BLINDINGCAN uses RC4 (in a customized variant) or AES to encrypt and decrypt its configuration and its network traffic. It sends information about the victim's environment, such as computer name, IP address, Windows product name and processor name, to the C&C. It supports around 30 commands covering operations on the victim's filesystem, basic process management, command-line execution, file exfiltration, configuration updates, and the download and execution of additional payloads from the attackers' C&C. The commands are indexed by 16-bit integers, starting at 0x2009 and increasing to 0x2057, with some indices skipped. The parameter names in its HTTP POST requests are mostly ones associated with web servers running bulletin-board systems, such as bbs, article, boardid, s_board, page and idx_num. The binary contains distinctive RTTI symbols such as ".?AVCHTTP_Protocol@@", ".?AVCFileRW@@" and ".?AVCSinSocket@@". BLINDINGCAN is a flagship payload in many Lazarus attacks, especially in the Operation DreamJob campaigns of 2020-2022.
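The indicators in the description (the RTTI names, the bulletin-board style POST parameter names, the 0x2009-0x2057 command-index range, and RC4-wrapped configuration and traffic) can be turned into triage checks. The Python below is an added example for this page, not Malpedia's code and not code from the malware. The binary blob and the HTTP request it scans are constructed samples; the RC4 routine is textbook RC4 and, because the description says the family's RC4 is customized, is only a first attempt at decrypting a configuration or a capture; the little-endian 16-bit scan for command indices assumes a message layout the description does not give.

```python
"""Triage helpers built from the BLINDINGCAN indicators listed on this page.
Added example; not Malpedia's code and not the malware's own code."""
import re
import struct
from urllib.parse import parse_qs

# RTTI type-descriptor names quoted in the description.
RTTI_SYMBOLS = (b".?AVCHTTP_Protocol@@", b".?AVCFileRW@@", b".?AVCSinSocket@@")

# POST parameter names associated with bulletin-board systems (from the description).
BBS_PARAMS = frozenset({"bbs", "article", "boardid", "s_board", "page", "idx_num"})

# Command-index range from the description. Some indices inside it are skipped,
# so "in range" means "plausible", not "a known command".
CMD_MIN, CMD_MAX = 0x2009, 0x2057


def find_rtti_symbols(data: bytes) -> list:
    """Return [(symbol, offset), ...] for every listed RTTI name present in data."""
    hits = []
    for sym in RTTI_SYMBOLS:
        for m in re.finditer(re.escape(sym), data):
            hits.append((sym.decode("ascii"), m.start()))
    return hits


def triage_http(raw: str):
    """Split a raw HTTP request and report which listed parameter names its body uses.
    Returns None for anything other than a POST, since the family beacons with POST."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, path = request_line.split(" ", 2)[:2]
    if method != "POST":
        return None
    params = parse_qs(body, keep_blank_values=True)
    return {"path": path, "bbs_params": sorted(BBS_PARAMS.intersection(params))}


def is_plausible_command(cmd: int) -> bool:
    """Range check only: the description gives the bounds but not the skipped indices."""
    return CMD_MIN <= cmd <= CMD_MAX


def candidate_commands(payload: bytes) -> list:
    """Scan a decrypted payload for little-endian 16-bit words in the command range.
    Endianness and field alignment are assumptions, not documented behaviour."""
    found = []
    for off in range(len(payload) - 1):
        word = int.from_bytes(payload[off:off + 2], "little")
        if is_plausible_command(word):
            found.append((off, word))
    return found


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). The family's RC4 is described as customized, so a
    textbook decrypt of its config or traffic is a first attempt, not a guarantee."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation, XOR keystream
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed sample: an MZ-headed blob with two of the RTTI names embedded.
SAMPLE_BLOB = (b"MZ" + b"\x00" * 14 + b".?AVCHTTP_Protocol@@\x00"
               + b"\x90" * 7 + b".?AVCSinSocket@@\x00")

# Constructed sample: a beacon-style POST using bulletin-board parameter names.
SAMPLE_REQUEST = ("POST /board/list.php HTTP/1.1\r\n"
                  "Host: example.invalid\r\n"
                  "Content-Type: application/x-www-form-urlencoded\r\n"
                  "\r\n"
                  "bbs=1&boardid=25&page=3&idx_num=AAAA")

# Constructed sample: two in-range command words around a padding word.
SAMPLE_PAYLOAD = struct.pack("<H", 0x2009) + b"\x00\x00" + struct.pack("<H", 0x2057)

if __name__ == "__main__":
    print(find_rtti_symbols(SAMPLE_BLOB))
    print(triage_http(SAMPLE_REQUEST))
    print([(off, hex(cmd)) for off, cmd in candidate_commands(SAMPLE_PAYLOAD)])
    print(rc4(b"k", rc4(b"k", b"round trip")))
```

On a real capture, run `triage_http` over each POST and treat several of the listed parameter names together on one request as a reason to look at the destination, not as a verdict on its own; bulletin-board software legitimately uses these names, which is exactly why the family chose them.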


Family metadata imported from Malpedia (Fraunhofer FKIE).