UNIVERSITY IN NORTH KOREA RECEIVES FUNDS IN MONERO FROM MINING MALWARE


The security analytics company AlienVault has detected an installer for an application that mines Monero, whose proceeds are allegedly sent to Kim Il Sung University in Pyongyang, North Korea.

The installer copies a file called intelservice.exe onto the computer which, according to the researchers, is partially similar to the xmrig software. According to a report, this software has been used in several recent campaigns to spread malware worldwide.

Interestingly, the Monero address and the domain of the server that receives the mined coins indicate that this server is located at Kim Il Sung University. In addition, its access password is KJU, a clear reference to President Kim Jong-Un.

The application, they specify, is also designed to connect and run across several networks, such as the University's. However, the researchers found that the server used to mine but no longer does so, and they consider that it could be a trap for security researchers; it is also not clear whether they are observing early evidence of this attack or part of a legitimate mining operation in which the owners of the equipment are aware of what is happening.

At first glance, everything is confusing. As an example, one of the detected messages includes code for debugging computers, something a cybercriminal would certainly not use. However, it also contains fake file names that seem intended to avoid detection by security mechanisms.
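The indicators described above (a binary named after a vendor service, a mining pool connection, a wallet address and a pool password passed on the command line) are exactly what endpoint telemetry can be checked for. The following is an added example, not code from the article or from AlienVault: it scores process-launch records for xmrig-style mining arguments. The record format, the process IDs, the pool host and the wallet address are constructed placeholders; only the file name intelservice.exe and the password KJU come from the report summarized here.

```python
"""Flag cryptominer-style process launches in constructed endpoint telemetry.

Assumptions (not from the article): the event records, PIDs, pool host and
wallet below are constructed for the example. Only intelservice.exe and the
password KJU come from the report.
"""
import re
import shlex
from dataclasses import dataclass, field

# xmrig-style CLI options (real xmrig flags): -o/--url, -u/--user, -p/--pass
_OPT_MAP = {"-o": "url", "--url": "url", "-u": "user", "--user": "user",
            "-p": "pass", "--pass": "pass"}
_STRATUM_RE = re.compile(r"^stratum\+(tcp|ssl)://", re.I)
# Standard Monero mainnet addresses: 95 base58 chars, '4' prefix ('8' for subaddresses)
_XMR_ADDR_RE = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")
# Names borrowed from legitimate vendors; the report's sample used intelservice.exe
_SUSPICIOUS_NAMES = {"intelservice.exe"}


@dataclass
class Finding:
    pid: int
    reasons: list = field(default_factory=list)


def parse_miner_args(cmdline: str) -> dict:
    """Extract pool url, user and pass from an xmrig-style command line."""
    args = shlex.split(cmdline, posix=False)  # posix=False keeps Windows backslashes
    out = {}
    i = 0
    while i < len(args):
        tok = args[i]
        if tok in _OPT_MAP and i + 1 < len(args):      # "-o value" form
            out[_OPT_MAP[tok]] = args[i + 1]
            i += 2
            continue
        for opt, key in _OPT_MAP.items():               # "--url=value" form
            if opt.startswith("--") and tok.startswith(opt + "="):
                out[key] = tok[len(opt) + 1:]
        i += 1
    return out


def assess(pid: int, image: str, cmdline: str) -> Finding:
    """Collect reasons a process launch looks like a miner; empty list means benign."""
    f = Finding(pid)
    opts = parse_miner_args(cmdline)
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in _SUSPICIOUS_NAMES:
        f.reasons.append(f"binary name {name} mimics a vendor service")
    # -u/-p alone are too generic (git, svchost and others use them); only treat
    # them as miner credentials when a stratum pool URL is present as well.
    if _STRATUM_RE.match(opts.get("url", "")):
        f.reasons.append(f"stratum mining pool {opts['url']}")
        if _XMR_ADDR_RE.match(opts.get("user", "")):
            f.reasons.append("Monero wallet address passed as pool user")
        if "pass" in opts:
            f.reasons.append(f"pool password set ({opts['pass']})")
    return f


def scan(events) -> list:
    """Return only the findings that have at least one reason."""
    return [f for f in (assess(**e) for e in events) if f.reasons]


# Constructed sample data: a 95-character base58 string in Monero address shape
CONSTRUCTED_WALLET = "4" + "ab12CD34" * 11 + "efGH56"
CONSTRUCTED_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\Temp\intelservice.exe",
     "cmdline": rf"C:\Windows\Temp\intelservice.exe -o stratum+tcp://pool.example.invalid:3333 "
                rf"-u {CONSTRUCTED_WALLET} -p KJU -k"},
    {"pid": 4121, "image": r"C:\Program Files\Git\bin\git.exe",
     "cmdline": r"git.exe -p pull origin main"},        # -p here is git's paginate flag
    {"pid": 4122, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"svchost.exe -k netsvcs -p"},          # trailing -p with no value
]

if __name__ == "__main__":
    for finding in scan(CONSTRUCTED_EVENTS):
        print(finding.pid, *finding.reasons, sep="\n  ")
```

Requiring the stratum URL before scoring `-u`/`-p` is the design choice worth noting: those two switches are common in unrelated tools, so on their own they generate noise, whereas a pool URL plus a wallet-shaped user string is a strong combination.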

In turn, two lines of code suggest that the software was created by distinctly different developers who copied the code from the same place. According to the analysis, the site where the code was uploaded and the French-language text suggest that the author of those two lines resides in Morocco.

Analysts also take into account that various hacker groups linked to North Korea have already run campaigns to infect servers with cryptocurrency mining. The Bluenorroff group compromised some servers and also tried to steal $951 million from the Bank of Bangladesh, a mission in which they were partially successful. The Andariel group, which mined Monero from the servers of a South Korean company, may be an evolution of the BlackMine group, known for having stolen funds from South Korea's Ministry of Defense. All of them answer to the Lazarus organization, a group of high-level hackers with connections to North Korea.

Lazarus may include among its members some who are quite experienced, capable of creating malicious software from mediocre code found on any internet forum. However, they rule out that the hacker belongs to this group, because the analyzed installer does not show very experienced handling of the Visual Basic programming language. They therefore conclude that, since the server is housed at a university, it could be an academic project. Recently, the Pyongyang University of Science and Technology invited foreign experts to teach a class on cryptocurrency. AlienVault suggests that the installer analyzed may be the most recent product of these classes.

Finally, they state that the few IP addresses assigned to North Korea made it possible to identify one of them, 175.45.178.19, which has been very active on cryptocurrency exchanges and has also been linked to the attacks on web servers known as BlackMine between 2014 and 2016, something that, given the limited number of IP addresses in North Korea, could be a coincidence.

During the past year, North Korea was behind several security incidents of global reach: the White House accused it of spreading the WannaCry ransomware, and it was also linked to the theft of cryptocurrency from the Bithumb exchange, one of the main ones in South Korea.

#korea #university #security #virus #new


The @OriginalWorks bot has upvoted and checked this post!
Some similarity seems to be present here:
http://dailybusinessnews.com/tag/sung/
This is an early BETA version. If you cited this source, then ignore this message! Reply if you feel this is an error.