A North Korean Monero Cryptocurrency Miner
By Chris Doman, AlienVault
January 9, 2018
AlienVault Labs recently analysed an application compiled on Christmas Eve 2017. It is an Installer for software that mines the Monero crypto-currency. Any mined currency is sent to a server at Kim Il Sung University (KSU) in Pyongyang, North Korea.
The Installer copies a file named intelservice.exe to the system. The filename intelservice.exe is often associated with crypto-currency mining malware. Based on the arguments it's executed with, it's likely a piece of software called xmrig, an open-source Monero miner.
It's not unusual to see xmrig in malware campaigns. It was recently used in some wide campaigns exploiting unpatched IIS servers to mine Monero.
The Installer executes xmrig with an argument string built from the following expression, where processorCount is the number of processors on the machine:

"-o barjuok.ryongnamsan.edu.kp:5615 -u 4JUdGzvrMFDWrUUwY... -p KJU" + processorCount + " -k -t " + (processorCount - 1)

The resulting arguments mean:

- -o: the mining pool to connect to, barjuok.ryongnamsan.edu.kp on port 5615
- -u: the Monero wallet address that receives the mined coins (truncated above)
- -p: the pool password, the string "KJU" followed by the number of processors
- -k: keep the connection to the pool alive
- -t: the number of mining threads, one fewer than the number of processors
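As an added example (not AlienVault's code, and not part of the original post), here is how a defender might turn the argument string above into detection logic: it reconstructs the command line for a given processor count, parses the xmrig switches out of a process-creation event, and scores the event against the indicators from this analysis. The event format, the heuristics beyond the two published indicators (the pool host and the intelservice.exe filename) and the placeholder wallet addresses are assumptions.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# The two indicators reported in the analysis above. Everything else in this
# block (event format, heuristics, placeholder wallet addresses) is assumed.
IOC_POOL_HOST = "barjuok.ryongnamsan.edu.kp"
IOC_POOL_PORT = 5615
IOC_IMAGE_NAME = "intelservice.exe"

# Monero standard (4...) and sub-addresses (8...) are 95 base58 characters.
MONERO_ADDR = re.compile(r"[48][1-9A-HJ-NP-Za-km-z]{94}")


def build_miner_cmdline(processor_count: int, wallet: str) -> str:
    """Reconstruct the argument string the Installer builds, following the
    expression quoted in the text. The wallet is a parameter because the page
    only shows it truncated."""
    return (f"-o {IOC_POOL_HOST}:{IOC_POOL_PORT} -u {wallet} "
            f"-p KJU{processor_count} -k -t {processor_count - 1}")


@dataclass
class MinerArgs:
    pool_host: Optional[str] = None
    pool_port: Optional[int] = None
    wallet: Optional[str] = None
    password: Optional[str] = None
    keepalive: bool = False
    threads: Optional[int] = None


def parse_xmrig_args(cmdline: str) -> MinerArgs:
    """Extract the xmrig switches the Installer uses: -o pool, -u wallet,
    -p password, -k keepalive, -t threads. Other tokens are skipped."""
    args = MinerArgs()
    toks = shlex.split(cmdline)
    i = 0
    while i < len(toks):
        tok = toks[i]
        val = toks[i + 1] if i + 1 < len(toks) else None
        if tok in ("-o", "-u", "-p", "-t") and val is not None:
            if tok == "-o":
                host, sep, port = val.rpartition(":")
                if sep and port.isdigit():
                    args.pool_host, args.pool_port = host, int(port)
                else:
                    args.pool_host = val
            elif tok == "-u":
                args.wallet = val
            elif tok == "-p":
                args.password = val
            elif val.isdigit():
                args.threads = int(val)
            i += 2
        else:
            if tok == "-k":
                args.keepalive = True
            i += 1
    return args


def score_cmdline(image: str, cmdline: str, cpu_count: int) -> list:
    """Return the reasons a process-creation event resembles this miner.
    An empty list means the command line is not xmrig-like or nothing matched."""
    a = parse_xmrig_args(cmdline)
    if a.pool_host is None or a.wallet is None:
        return []
    hits = []
    if image.lower().replace("/", "\\").rsplit("\\", 1)[-1] == IOC_IMAGE_NAME:
        hits.append("image name used by the Installer")
    if a.pool_host.lower() == IOC_POOL_HOST:
        hits.append("pool host from the Installer")
    elif a.pool_host.lower().endswith(".kp"):
        hits.append("pool host under the .kp TLD")
    if a.password and re.fullmatch(r"KJU\d+", a.password):
        hits.append("KJU<cores> password convention")
    if a.threads is not None and a.threads == cpu_count - 1:
        hits.append("thread count is cores minus one")
    if MONERO_ADDR.fullmatch(a.wallet):
        hits.append("Monero address passed as -u")
    return hits


# Constructed process-creation events, not real telemetry. The 95-character
# wallets are placeholders shaped like Monero addresses, not real ones.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\intelservice.exe",
     "cmdline": build_miner_cmdline(4, "4" + "A" * 94), "cpus": 4},
    {"image": r"C:\Program Files\Git\bin\git.exe",
     "cmdline": "pull -u origin main", "cpus": 4},
    {"image": r"C:\tools\xmrig.exe",
     "cmdline": "-o pool.example.net:3333 -u 8" + "B" * 94 + " -p x -t 2",
     "cpus": 8},
]


def triage(events=SAMPLE_EVENTS):
    """Score each event; returns (image, reasons) pairs for review."""
    return [(e["image"], score_cmdline(e["image"], e["cmdline"], e["cpus"]))
            for e in events]


if __name__ == "__main__":
    for image, reasons in triage():
        print(f"{image}: {reasons or 'no miner indicators'}")
```

The point of scoring rather than matching a single string is that the pool host and filename are trivial for the author to change, while the "KJU" plus core count password and the cores-minus-one thread count are habits of the build expression itself; a git invocation that happens to use -u produces no hits because it carries no pool.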
Why was this application created?
The hostname barjuok.ryongnamsan.edu.kp doesn't currently resolve. That means the miner can't reach its pool, so no mined currency reaches the authors, at least from most networks; it may behave differently on networks that can resolve .kp names.
It may be that:
It's not clear if we're looking at an early test of an attack, or part of a 'legitimate' mining operation where the owners of the hardware are aware of the mining.
On the one hand, the sample contains obvious messages printed for debugging that an attacker would avoid. On the other, it also uses fake filenames that appear to be an attempt to avoid detection of the installed mining software.
If the software author is at KSU, they may not be North Korean: KSU is an unusually open university, with a number of foreign students and lecturers.
We identified two other pieces of software which share some code:
These samples are even simpler, and may be:
Based on the compilation string, initial upload location and French text, it's likely the author of these two other samples is from Morocco. Therefore 2) may be the more likely scenario, unless all three samples are a prank by Moroccan hackers.
Monero mining linked to North Korean attackers
There are previous reports of North Korean attackers mining Monero:
Whilst naming conventions differ somewhat between vendors, Bluenorroff and Andariel are generally considered part of a wider set of attackers known as Lazarus:
We have not identified anything linking our Installer to these attacks. The Lazarus attackers have capable developers and craft their own malware from a library of low-level code. Given the amateurish Visual Basic programming in the Installer we analysed, it's unlikely the author is part of Lazarus. As the mining server is located at a university, we may be looking at a university project.
Events in May 2017
When talking about North Korea and crypto-currencies it's worth noting a particular timeline of events. All three of the following events occurred in May 2017, suggesting a possible sudden central tasking to exploit crypto-currencies:
Bitcoin Trading from North Korea
North Korea has a very small number of IP addresses assigned to it, which makes interesting events from such IP addresses more noteworthy.
One such IP address, 22.214.171.124, has been active on Bitcoin trading sites:
This IP address is fairly notorious. It was used to control compromised web servers in a set of 2014/2015 attacks linked to North Korea known as BlackMine. Given the small number of IP addresses assigned to North Korea, it's probably just a coincidental link. You can also see North Korean IPs torrenting a number of Top Gear series, with a particular fondness for documentaries by James May. Following the same logic, we can't reliably say that North Korean attackers are big Top Gear fans, though it appears someone with internet access in the country is.
Crypto-currencies could provide a financial lifeline to a country hit hard by sanctions. Therefore it's not surprising that universities in North Korea have shown a clear interest in crypto-currencies. Recently the Pyongyang University of Science and Technology invited foreign experts to lecture on crypto-currencies. The Installer we've analysed above may be the most recent product of their endeavours.