BLINDINGCAN: A New Trojan Strain Abusing Microsoft Attached Document Template

The US Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have published Malware Analysis Report (AR20-232A) warning of a new strain of malware named “BLINDINGCAN”. This is a remote access Trojan (RAT) created by North Korean state-sponsored hackers to perform a series of attacks against both US and overseas corporations operating in the military defense and aerospace sectors for confidential intelligence and secret information.

In this blog, we analyze the concealed tactics of the threat actor, describe the malware infection vector and its execution, and provide the solution to prevent this type of attack.

Infection Vector

The malware was injected into the victims' system via a phishing campaign that mimics job postings from leading defense and aerospace enterprises. The victims were requested to open an attached MS Word document, which eventually infects their systems. The attack scenarios seem to be familiar and easy-to-detect. However, in this campaign, the North Korean hackers used no embedded malware or VBA macro within the attached document but used AttachedTemplate method to download an infected file from an external source upon opening and execute it. Possibly, the external object was used to create a multiple-stage attack to bypass AVs. This evasive attack technique is not new but still very efficient to circumvent and mitigate detection.

You can find the detailed scan result conducted by our MetaDefender Cloud here. Only 14/38 AV engines caught the threat.

Let’s investigate 3 attack demonstrations using OLE objects hereunder to understand why this evasive trick is dangerous and how to prevent it.

Embedded object VS Macro VS attached template, how do they work?

In the first demo, we inserted malware into an MS Word document as an OLE object.

Having the document scanned by MetaDefender Cloud, even though MetaDefender Cloud is not configured to extract Microsoft Office files, 9 AVs successfully detected the embedded malware. There will be more engines detecting the malware if the document is scanned by MetaDefender Core (the on-premises version with full configuration capabilities), where extraction is enabled.

For the second demo, we used an embedded Macro to download the malware. There were 4 engines detecting the threat.

Lastly, we replaced the above malware with an external eicar file using the AttachedTemplate method. As a result, only 1 AV could detect the threat.

By and large, in the first demos, as an embedded object, the malware exists in the “embeddings” folder that enables the AVs to detect easily.

However, if it’s a linked object as shown in the second and third demos, it will be much harder for AVs to detect the threat. These types of attacks are effective against signature-based defenses as the malware is not downloaded until the victims open the file.

For attacks using an embedded macro, some detection-based protection systems can identify the malware thanks to malicious code within the file. Nevertheless, when the malware downloaded from an external source by leveraging the Attached Document Template, the only suspicious element is the URL in the XML file. Unfortunately, most of the existing AVs in the market don’t have the capability to scan URLs. Also, the malicious URL can be changed anytime.

Solution: OPSWAT Deep Content Disarm and Reconstruction (Deep CDR)

OPSWAT Deep CDR is an advanced threat prevention technology that does not rely on detection. Instead, it assumes all files are malicious and sanitizes and rebuilds each file ensuring full usability with safe content. Regardless of what type of OLE objects, Deep CDR identifies them as potential threat objects and removes all of them from the file. Consequently, all 3 infection vectors mentioned above are no longer usable. The users will receive a safe file with full functionality.

After being processed by Deep CDR, all three samples are threat-free. Even embedded files like images are also recursively sanitized to ensure 100% threat prevention.

Deep CDR ensures every file entering into your organization is not harmful helping you prevent zero-day attacks and evasive malware. Our solution supports sanitization for over 100 common file types, including PDF, Microsoft Office files, HTML, image files, and many regional-specific formats such as JTD and HWP.

Contact us to understand more about OPSWAT advanced technologies and protect your organization from increasingly sophisticated attacks.

Reference:

Malwrologist, 2020. A Close Look At Malicious Documents (Part I ). [online] Malware Analysis. Available at <https://dissectmalware.wordpre...> [Accessed 7 September 2020].

Us-cert.cisa.gov. 2020. MAR-10295134-1.V1 – North Korean Remote Access Trojan: BLINDINGCAN | CISA. [online] Available at: <https://us-cert.cisa.gov/ncas/... > [Accessed 7 September 2020].