Newly Detected Malware Mines Monero, Sends It To North Korean University

Newly Detected Malware Mines Monero, Sends It To North Korean University




US cybersecurity firm finds malware that compromises PCs to mine Monero and sends it to a Pyongyang university.


Analysts at a US cybersecurity firm have detected an apparent new installer for a virus that mines Monero and sends it to a university in Pyongyang, North Korea.



As the cybersecurity firm AlienVault reported Jan. 8, the malware surfaced around Christmas Eve and contains facilities that automatically deposit Monero to a wallet associated with North Korea’s Kim Il Sung University.



AlienVault  notes certain contradictory characteristics in the malware, making it difficult to ascertain its author, purpose and likely metamorphosis. In their report, the researcher comments:




“It’s not clear if we’re looking at an early test of an attack, or part of a ‘legitimate’ mining operation where the owners of the hardware are aware of the mining. On the one hand the sample contains obvious messages printed for debugging that an attacker would avoid. But it also contains fake filenames that appear to be an attempt to avoid detection of the installed mining software.”




Noting the “unusually open” nature of the alleged host university, it could even be that the author is not North Korean, or that the recipient is in fact not what it seems.



The AlienVault report breaks down the possible scenarios, given the data at hand:




“The hostname barjuok.ryongnamsan.edu.kp address doesn’t currently resolve. That means the software can’t send mined currency to the authors - on most networks. It may be that:




  1. The application is designed to be run within another network, such as that of the university itself;

  2. The address used to resolve but no longer does; or

  3. The usage of a North Korean server is a prank to trick security researchers.”




AlienVault also notes that if the North Korean government is in fact behind the operation, it may be part of a move to use cryptocurrency to “provide a financial lifeline” in light of sanctions against the country.



In late December, the CEO of Crowdstrike, a US cybersecurity company, told reporters that he was certain the North Korean government was stealing and stockpiling cryptocurrency.



The new malware’s appearance marks the latest phase in the cyberwarfare afflicting the two Koreas. Last month, North Korean state-funded hackers were reportedly heavily involved in cryptocurrency theft targeting the South Korea’s exchanges.



In an experimental ‘white hat hack’ in late December, a Seoul-based media outlet used security experts to successfully compromise accounts it created on five major South Korean cryptocurrency exchanges, highlighting the ease with which malicious parties could steal funds.