
A North Korean Monero Cryptocurrency Miner

By Chris Doman, AlienVault

January 9, 2018

AlienVault Labs recently analysed an application compiled on Christmas Eve 2017. It is an Installer for software that mines the Monero crypto-currency, and any mined currency is sent to a mining server at Kim Il Sung University in Pyongyang, North Korea.

The Installer copies a file named intelservice.exe to the system. The filename intelservice.exe is often associated with crypto-currency mining malware. Based on the arguments it's executed with, it's likely a copy of the open-source miner xmrig.

It's not unusual to see xmrig in malware campaigns. It was recently used in several wide-ranging campaigns that exploited unpatched IIS servers to mine Monero.

The Installer executes xmrig with the following command, shown as the string concatenation in the Installer's code (processorCount holds the number of processors on the host):

"-o barjuok.ryongnamsan.edu.kp:5615 -u 4JUdGzvrMFDWrUUwY... -p KJU" + processorCount + " -k -t " + (processorCount - 1)

The Installer passes xmrig the following arguments:

  • 4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS (passed with -u) is the address of the Monero wallet that receives any mined currency

  • barjuok.ryongnamsan.edu.kp, port 5615 (passed with -o), is the mining server the miner connects to and submits its work to. The ryongnamsan.edu.kp domain indicates this server is located at Kim Il Sung University.

  • The password (passed with -p) is KJU followed by the processor count; KJU is a possible reference to Kim Jong-un

  • -t sets the number of mining threads to one fewer than the number of processors, and -k tells xmrig to send keep-alive packets to the mining server
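The argument string above, as an added example that is not code from the Installer or from the original analysis: a Python script that rebuilds the concatenated command line the Installer produces for a given processor count, parses an xmrig-style command line (as a process-creation log would record it) back into pool, wallet, password and thread count, and applies a length-and-alphabet sanity check to the wallet address. The full wallet address is the two fragments quoted above joined together; the parser only knows the xmrig options the article uses (-o, -u, -p, -t, -k and their long forms), and the command line it is run on is constructed here from the quoted arguments.

```python
"""Rebuild and parse the xmrig command line used by the Installer.

Added example, not code from the Installer or from AlienVault's analysis.
The sample command line is constructed from the arguments quoted in the
article; the wallet address is the two quoted fragments joined together.
"""
import shlex
from dataclasses import dataclass
from typing import Optional

# Values quoted in the article.
POOL = "barjuok.ryongnamsan.edu.kp:5615"
WALLET = ("4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2"
          "gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS")

# xmrig options of interest:
#   -o/--url pool host:port   -u/--user wallet   -p/--pass pool password
#   -t/--threads mining threads   -k/--keepalive send keep-alive packets
VALUE_FLAGS = {"-o": "url", "--url": "url", "-u": "user", "--user": "user",
               "-p": "pass", "--pass": "pass", "-t": "threads", "--threads": "threads"}

# Base58 alphabet used by Monero addresses (no 0, O, I or l).
BASE58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")


def build_install_command(processor_count: int, wallet: str = WALLET) -> str:
    """Reproduce the string the Installer concatenates before launching xmrig.

    The password is the literal "KJU" followed by the processor count and the
    thread count is one fewer than the processor count (the Installer does not
    guard against a single-processor host, which yields "-t 0").
    """
    return f"-o {POOL} -u {wallet} -p KJU{processor_count} -k -t {processor_count - 1}"


@dataclass
class MinerConfig:
    pool_host: str
    pool_port: Optional[int]
    wallet: str
    password: str
    threads: Optional[int]
    keepalive: bool


def parse_xmrig_args(cmdline: str) -> MinerConfig:
    """Pull pool, wallet, password and thread count out of an xmrig command line.

    Accepts the full process command line (executable name included). Tokens
    that are not recognised options are ignored; options may be written as
    "-o VALUE", "--url VALUE" or "--url=VALUE".
    """
    args = shlex.split(cmdline)
    fields = {}
    keepalive = False
    i = 0
    while i < len(args):
        tok = args[i]
        if tok in ("-k", "--keepalive"):
            keepalive = True
        elif tok in VALUE_FLAGS:
            if i + 1 >= len(args):
                raise ValueError(f"option {tok} has no value")
            fields[VALUE_FLAGS[tok]] = args[i + 1]
            i += 1
        elif tok.startswith("--") and "=" in tok:
            name, value = tok.split("=", 1)
            if name in VALUE_FLAGS:
                fields[VALUE_FLAGS[name]] = value
        i += 1

    if "url" not in fields or "user" not in fields:
        raise ValueError("not an xmrig mining command line: no pool URL or wallet")

    # The pool may be written as host:port or as stratum+tcp://host:port.
    url = fields["url"].split("://", 1)[-1]
    host, sep, port = url.rpartition(":")
    if not sep:
        host, port = url, ""
    threads = fields.get("threads")
    return MinerConfig(
        pool_host=host,
        pool_port=int(port) if port.isdigit() else None,
        wallet=fields["user"],
        password=fields.get("pass", ""),
        threads=int(threads) if threads is not None and threads.isdigit() else None,
        keepalive=keepalive,
    )


def looks_like_monero_address(addr: str) -> bool:
    """Cheap plausibility check for a Monero mainnet address.

    Standard addresses and subaddresses are 95 characters and start with '4'
    or '8'; integrated addresses (which embed a payment ID) are 106 characters
    and start with '4'. The checksum is not verified, so this only rejects
    strings that cannot be an address, such as the truncated "4JUdGzvrMFDWrUUwY..."
    form shown in the article's command line.
    """
    if not set(addr) <= BASE58:
        return False
    if len(addr) == 95:
        return addr[0] in "48"
    return len(addr) == 106 and addr[0] == "4"


if __name__ == "__main__":
    cmd = "intelservice.exe " + build_install_command(4)  # constructed sample
    cfg = parse_xmrig_args(cmd)
    print(cfg)
    print("wallet plausible:", looks_like_monero_address(cfg.wallet))
```

Run against the constructed four-processor command line, the parser returns password KJU4 and three threads, and the 106-character wallet passes the address check, which is the integrated-address length. The same parser can be pointed at command lines pulled from endpoint telemetry to extract pool and wallet indicators.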

Why was this application created?

The hostname barjuok.ryongnamsan.edu.kp doesn't currently resolve. That means that, on most networks, the software can't reach the mining server and so can't deliver mined currency to the authors.

It may be that:

  1. The application is designed to be run within another network, such as that of the university itself;

  2. The address used to resolve but no longer does; or

  3. The usage of a North Korean server is a prank to trick security researchers.

It's not clear if we're looking at an early test of an attack, or part of a 'legitimate' mining operation where the owners of the hardware are aware of the mining.

On the one hand, the sample contains obvious debugging messages that an attacker would avoid. On the other, it also uses fake filenames that appear to be an attempt to avoid detection of the installed mining software.

If the software author is at Kim Il Sung University (KSU), they may not be North Korean. KSU is an unusually open university, and has a number of foreign students and lecturers.

Related Samples

We identified two other pieces of software that share some code with the Installer.

These samples are even simpler, and may be:

  1. Earlier prototypes; or

  2. Software created by entirely different authors that copied code from the same location, for example a forum.

Based on the compilation string, initial upload location and French text, it's likely the author of these two other samples is from Morocco. Therefore 2) may be the more likely scenario, unless all three samples are a prank by Moroccan hackers.

Monero mining linked to North Korea attackers

There are previous reports of North Korean attackers mining Monero:

  • A group known as Bluenorroff mined Monero on compromised servers during an attempted theft from a bank; and

  • A group known as Andariel mined Monero on the network of a South Korean company they had compromised.

Whilst naming conventions differ somewhat between vendors, Bluenorroff and Andariel are generally considered part of a wider set of attackers known as Lazarus:

  • Bluenorroff are best known for the partially successful 2016 theft from Bangladesh Bank, in which fraudulent transfers of $951 million were requested and $81 million actually left the bank.

  • Andariel are perhaps a later evolution of the BlackMine attackers mentioned below. They are notable for the recent theft of data from the South Korean Ministry of Defense.

  • Lazarus consists of a number of related groups of attackers. They are not the only "high-level" group of attackers with reported links to North Korea.

We have not identified anything linking our Installer to these attacks. The Lazarus attackers have capable developers, and craft their own malware from a library of low-level code. Given the amateurish Visual Basic programming in the Installer we analysed, it's unlikely the author is part of Lazarus. As the mining server is located in a university, we may be looking at a university project.

Events in May 2017

When talking about North Korea and crypto-currencies it's worth noting a particular timeline of events. All three of the following events occurred in May 2017, suggesting a possible sudden central tasking to exploit crypto-currencies:

  1. The WannaCry ransomware attacks;

  2. The first reported compromise of a Bitcoin exchange (Bithumb) linked to North Korea; and

  3. The first Bitcoin mining inside North Korea, as reported by Recorded Future.

Bitcoin Trading from North Korea

North Korea has a very small number of IP addresses assigned to it, which makes interesting events from such IP addresses more noteworthy.

One such IP address, 175.45.178.19, has been active on Bitcoin trading sites.

This IP address is fairly notorious. It was used to control compromised web servers in a set of 2014/2015 attacks linked to North Korea known as BlackMine. Given the small number of IP addresses assigned to North Korea, it's probably just a coincidental link. You can also see North Korean IPs torrenting a number of Top Gear series, with a particular fondness for documentaries by James May. Following a similar logic, we can't reliably say that North Korean attackers are big Top Gear fans, though it appears someone with internet access in the country is.

The IP overlap is not strong evidence that the same people executing the hacking operations are engaged in trading Bitcoin.

Conclusion

Crypto-currencies could provide a financial lifeline to a country hit hard by sanctions. Therefore it's not surprising that universities in North Korea have shown a clear interest in crypto-currencies. Recently the Pyongyang University of Science and Technology invited foreign experts to lecture on crypto-currencies. The Installer we've analysed above may be the most recent product of their endeavours.

Copyright © 2002 - 2018 CONSTITUENTWORKS SM CORPORATION. All rights reserved.