AlienVault labs recently analysed an application compiled on Christmas Eve 2017. It is an Installer for software to mine the Monero crypto-currency. Any mined currency is sent to Kim Il Sung University in Pyongyang, North Korea.
The Installer copies a file named intelservice.exe to the system. The filename intelservice.exe is often associated with crypto-currency mining malware. Based on the arguments it’s executed with, it’s likely a piece of software called xmrig.
It’s not unusual to see xmrig in malware campaigns. It was recently used in some wide campaigns exploiting unpatched IIS servers to mine Monero.
The Installer executes Xmrig with the following command:
"-o barjuok.ryongnamsan.edu.kp:5615 -u 4JUdGzvrMFDWrUUwY… -p KJU" + processorCount + " -k -t " + (processorCount - 1)
The installer passes xmrig the following arguments:
- 4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS is the address of the Monero wallet
- ryongnamsan.edu.kp is the mining server that would receive any mined currency. The ryongnamsan.edu.kp domain indicates this server is located at Kim Il Sung University.
- The password, KJU, is a possible reference to Kim Jong-un.
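The arguments above are the most useful hunting artefacts the sample leaves behind, because a miner has to put its pool, wallet and password on its command line. The following is an added example (not AlienVault's tooling and not code from the sample) that parses xmrig-style command lines taken from process-creation events and reports matches against the indicators given above: the pool host, the wallet address and the "KJU" + processorCount password pattern taken from the Installer's concatenated string. The event records, the `.kp` TLD heuristic, the Monero address shape check and all function names are assumptions constructed for the example.

```python
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Indicators copied from the sample described above: pool host, wallet and the
# password prefix the Installer hands to xmrig. Everything else in this block
# (events, heuristics, helper names) is constructed for illustration.
KNOWN_POOL_HOSTS = {"barjuok.ryongnamsan.edu.kp"}
KNOWN_WALLETS = {
    "4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS",
}
KNOWN_PASSWORD_PREFIX = "KJU"   # the sample builds the password as "KJU" + processorCount
SUSPICIOUS_TLDS = (".kp",)      # assumption: a pool under a North Korean TLD is worth a look

# Shape of a Monero address: base58 alphabet, leading 4 or 8, 95 characters for a
# standard address or subaddress, 106 characters for an integrated address.
MONERO_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}(?:[1-9A-HJ-NP-Za-km-z]{11})?$")


@dataclass
class MinerArgs:
    pool_host: Optional[str] = None
    pool_port: Optional[int] = None
    wallet: Optional[str] = None
    password: Optional[str] = None
    threads: Optional[int] = None
    keepalive: bool = False
    findings: List[str] = field(default_factory=list)


def parse_xmrig_cmdline(cmdline: str) -> MinerArgs:
    """Extract pool, wallet, password, thread count and keepalive from an xmrig-style command line."""
    # posix=False keeps Windows backslashes intact instead of treating them as escapes
    args = shlex.split(cmdline, posix=False)
    out = MinerArgs()
    i = 0
    while i < len(args):
        flag = args[i]
        value = args[i + 1] if i + 1 < len(args) else None
        if flag in ("-o", "--url") and value:
            target = re.sub(r"^[a-z+]+://", "", value)   # drop stratum+tcp:// style prefixes
            host, sep, port = target.rpartition(":")
            if sep and port.isdigit():
                out.pool_host, out.pool_port = host, int(port)
            else:
                out.pool_host = target
            i += 2
        elif flag in ("-u", "--user") and value:
            out.wallet = value
            i += 2
        elif flag in ("-p", "--pass") and value:
            out.password = value
            i += 2
        elif flag in ("-t", "--threads") and value and value.isdigit():
            out.threads = int(value)
            i += 2
        elif flag in ("-k", "--keepalive"):
            out.keepalive = True
            i += 1
        else:
            i += 1
    return out


def triage(cmdline: str) -> MinerArgs:
    """Parse one command line and attach the findings an analyst would want to see."""
    m = parse_xmrig_cmdline(cmdline)
    host = (m.pool_host or "").lower()
    if host in KNOWN_POOL_HOSTS:
        m.findings.append(f"pool host matches known indicator: {host}")
    elif host.endswith(SUSPICIOUS_TLDS):
        m.findings.append(f"pool host under suspicious TLD: {host}")
    if m.wallet in KNOWN_WALLETS:
        m.findings.append("wallet matches known indicator")
    elif m.wallet and MONERO_ADDR.match(m.wallet):
        m.findings.append("wallet has the shape of a Monero address (generic miner activity)")
    if m.password and m.password.startswith(KNOWN_PASSWORD_PREFIX):
        m.findings.append(f"pool password follows the sample's KJU<n> pattern: {m.password}")
    return m


# Constructed process-creation events (image name, command line). The first mirrors
# the Installer's string with processorCount = 4; the other two are filler.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("intelservice.exe",
     "C:\\ProgramData\\intelservice.exe -o barjuok.ryongnamsan.edu.kp:5615 "
     "-u 4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS "
     "-p KJU4 -k -t 3"),
    ("svchost.exe", "C:\\Windows\\System32\\svchost.exe -k netsvcs"),
    ("miner.exe", "miner.exe -o stratum+tcp://pool.example.invalid:3333 -u 4" + "A" * 94 + " -p x -t 2"),
]


def scan_events(events: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (image, findings) for every event that produced at least one finding."""
    hits = []
    for image, cmdline in events:
        result = triage(cmdline)
        if result.findings:
            hits.append((image, result.findings))
    return hits


if __name__ == "__main__":
    for image, findings in scan_events(SAMPLE_EVENTS):
        print(image)
        for f in findings:
            print("  -", f)
```

Matching the exact wallet or pool host is the high-confidence signal; the address-shape and TLD checks are deliberately separate, lower-confidence findings so that a renamed binary pointed at a different pool still surfaces for review without being treated as the same actor.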
Why was this application created?
The hostname barjuok.ryongnamsan.edu.kp doesn't currently resolve. That means the software can't send mined currency to the authors, at least on most networks.
It may be that:
- The application is designed to be run within another network, such as that of the university itself;
- The address used to resolve but no longer does; or
- The usage of a North Korean server is a prank to trick security researchers.
It’s not clear if we’re looking at an early test of an attack, or part of a ‘legitimate’ mining operation where the owners of the hardware are aware of the mining.
On the one hand the sample contains obvious messages printed for debugging that an attacker would avoid. But it also contains fake filenames that appear to be an attempt to avoid detection of the installed mining software.
If the software author is at KSU, they may not be North Korean. KSU is an unusually open University, and has a number of foreign students and lecturers.
Photo of KSU from exploredprk.com
We identified two other pieces of software which share some code:
These samples are even simpler, and may be:
- Earlier prototypes; or
- Software created by entirely different authors that copied code from the same location, for example a forum.
Based on the compilation string, initial upload location and French text, it's likely the author of these two other samples is from Morocco. Therefore the second scenario may be the more likely one. Unless all three samples are a prank by Moroccan hackers.
Monero mining linked to North Korea attackers
There are previous reports of North Korean attackers mining Monero:
- A group known as Bluenorroff mined Monero on compromised servers during an attempted theft from a bank; and
- A group known as Andariel mined Monero on the network of a South Korean company they had compromised.
Whilst naming conventions differ somewhat between vendors, Bluenorroff and Andariel are generally considered part of a wider set of attackers known as Lazarus:
- Bluenorroff are best known for the partially successful theft of $951 million from the Bank of Bangladesh.
- Andariel are perhaps a later evolution of BlackMine, mentioned below. They are notable for recent thefts from the South Korean Ministry of Defense.
- Lazarus consists of a number of related groups of attackers. They are not the only “high-level” group of attackers with reported links to North Korea.
We have not identified anything linking our Installer to these attacks. The Lazarus attackers have capable developers, and craft their own malware from a library of low-level code. Given the amateur usage of Visual Basic programming in the Installer we analysed, it’s unlikely the author is part of Lazarus. As the mining server is located in a university, we may be looking at a university project.
Events in May 2017
When talking about North Korea and crypto-currencies it’s worth noting a particular timeline of events. All three of the following events occurred in May 2017 – suggesting a possible sudden central tasking to exploit crypto-currencies:
- The WannaCry ransomware attacks;
- First reported compromise of a BitCoin exchange (Bithumb) linked to North Korea; and
- The first BitCoin mining inside North Korea, as reported by RecordedFuture.
Bitcoin Trading from North Korea
North Korea has a very small number of IP addresses assigned to it, which makes interesting events from such IP addresses more noteworthy.
One such IP address, 220.127.116.11, has been active on BitCoin trading sites:
This IP address is fairly notorious. It was used to control compromised web servers in a set of 2014/2015 attacks linked to North Korea known as BlackMine. Given the small number of IP addresses assigned to North Korea, it's probably just a coincidental link. You can also see North Korean IPs torrenting a number of Top Gear series, with a particular fondness for documentaries by James May. Following a similar logic, we can't reliably say that North Korean attackers are big Top Gear fans, though it appears someone with internet access in the country is.
The IP overlap is not strong evidence that the same people executing the hacking operations are engaged in trading Bitcoin.
Crypto-currencies could provide a financial lifeline to a country hit hard by sanctions. Therefore it’s not surprising that universities in North Korea have shown a clear interest in cryptocurrencies. Recently the Pyongyang University of Science and Technology invited foreign experts to lecture on crypto-currencies. The Installer we’ve analysed above may be the most recent product of their endeavours.