North Korean Hackers Are Allegedly Targeting Cryptocurrencies

January 12, 2018 by Cameron Bishop

According to the cybersecurity firm AlienVault, a new virus program that mines Monero and sends the coins to a university in Pyongyang, North Korea, is spreading to unprotected computers. The virus program was first identified around Christmas Eve. It was found to direct the mined Monero to a wallet associated with North Korea’s Kim Il Sung University. The program, however, has certain unusual characteristics that make it difficult to identify its author and purpose.

Usually, such virus programs do not openly reveal the endpoint where the coins are sent. In this case, the unusual openness raises doubt as to whether the virus program was really created by a North Korean. AlienVault stated: “The hostname barjuok.ryongnamsan.edu.kp address doesn’t currently resolve. That means the software can’t send mined currency to the authors – on most networks.”

Further, AlienVault has provided the following details:
1. The application will run within another network.
2. The address no longer resolves, so the use of a North Korean server could even be a prank to fool security researchers.

Regarding the alleged virus program, AlienVault issued the following statement:
“It’s not clear if we’re looking at an early test of an attack, or part of a ‘legitimate’ mining operation where the owners of the hardware are aware of the mining. On the one hand the sample contains obvious messages printed for debugging that an attacker would avoid. But it also contains fake filenames that appear to be an attempt to avoid detection of the installed mining software.”

Earlier in December, the CEO of the US cybersecurity company CrowdStrike opined that the North Korean government is stealing and stockpiling cryptocurrency. North Korean hackers were also allegedly involved in looting coins from South Korean exchanges.

Andariel, a North Korean hacking group, gained control over a South Korean organization’s server in mid-2017. It used the server’s computing power to mine around 70 Monero coins; Monero was trading at about $371 at that time. Andariel was able to control the server without being identified.

The value of the coins mined was only about $26,000, based on the traded price at that time. However, it is a matter of serious concern, as North Korea is certainly expected to use the money to fund its nuclear weapons program. The cybersecurity firm FireEye announced that it has found at least three such hacking incidents since May 2017.