Safe Harbor on Cyber is a 'safe harbor' blog site on cyber security for families and small businesses, with news on cyber threats, risk, data breaches, identity theft, ransomware, cryptocurrency, and vulnerabilities.
January 9, 2018
Exposed: Sending Monero cryptocurrency from miner to North Korean University
This article from SecurityAffairs is interesting and worth a quick read for awareness of crypto-mining activity attributed to North Korea.
The mined Monero coins are sent to Kim Il Sung University in Pyongyang, North Korea, but experts noted that the developers might not be of North Korean origins.
KSU is an unusually open university; it is attended by a number of foreign students and lecturers.
The researchers speculate the application could either be an experimental software or could be a prank to trick security researchers by connecting to Kim Il Sung University in Pyongyang, North Korea.
Once executed, it copies a file named intelservice.exe to the system, this is the Monero cryptocurrency mining malware.
“The filename intelservice.exe is often associated with crypto-currency mining malware. Based on the arguments it’s executed with, it’s likely a piece of software called xmrig.” reads the analysis published by AlienVault.
“It’s not unusual to see xmrig in malware campaigns. It was recently used in some wide campaigns exploiting unpatched IIS servers to mine Monero.”
The experts determined that it is a piece of software called xmrig by observing the arguments the file is executed with. Analyzing the file, the researchers discovered both the address of the Monero wallet and the password used, “KJU”, a possible reference to Kim Jong-un.
The mined currency is sent to the server barjuok.ryongnamsan.edu.kp, located at Kim Il Sung University.
The name barjuok.ryongnamsan.edu.kp doesn’t currently resolve, either because the app was designed to run only on the university’s network, or because it is no longer in use.
“It’s not clear if we’re looking at an early test of an attack, or part of a ‘legitimate’ mining operation where the owners of the hardware are aware of the mining.” continues the analysis.
“On the one hand the sample contains obvious messages printed for debugging that an attacker would avoid. But it also contains fake filenames that appear to be an attempt to avoid detection of the installed mining software.”
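As an added illustration (not code from the article or from AlienVault), the following Python triage script checks process-creation command lines for the indicators the post describes: the intelservice.exe image name, xmrig-style pool/wallet/password options, the barjuok.ryongnamsan.edu.kp pool host and the “KJU” password. The sample command lines and the wallet address placeholder are constructed for the example.

```python
# Indicators from the article: image name, pool host, pool password.
IMAGE_NAME = "intelservice.exe"
POOL_HOST = "barjuok.ryongnamsan.edu.kp"
POOL_PASSWORD = "KJU"
# Real xmrig option names: -o/--url (pool), -u/--user (wallet), -p/--pass.
POOL_OPTS, WALLET_OPTS, PASS_OPTS = {"-o", "--url"}, {"-u", "--user"}, {"-p", "--pass"}

def parse_args(tokens):
    """Map each option to its value; accepts both '-o host' and '--url=host'."""
    parsed, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--") and "=" in tok:
            key, val = tok.split("=", 1)
            parsed[key] = val
        elif tok.startswith("-"):
            has_val = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            parsed[tok] = tokens[i + 1] if has_val else ""
            i += has_val  # skip the consumed value
        i += 1
    return parsed

def classify(cmdline):
    """Return the names of the article's indicators that this command line matches."""
    tokens = cmdline.split() or [""]
    image = tokens[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    args = parse_args(tokens[1:])
    pool = next((args[k] for k in POOL_OPTS if k in args), "").lower()
    checks = [
        ("image:intelservice.exe", image == IMAGE_NAME),
        ("args:xmrig-style", any(k in args for k in POOL_OPTS | WALLET_OPTS)),
        ("pool:ryongnamsan.edu.kp", POOL_HOST in pool),
        ("pass:KJU", any(args.get(k) == POOL_PASSWORD for k in PASS_OPTS)),
    ]
    return [name for name, matched in checks if matched]

def scan(lines):
    """Return (line_number, hits) for every line matching at least one indicator."""
    results = [(n, classify(line)) for n, line in enumerate(lines, 1)]
    return [(n, hits) for n, hits in results if hits]

# Constructed sample process-creation command lines (not from the article);
# the wallet address is a placeholder, not the real one.
SAMPLE_LINES = [
    r"C:\Windows\Temp\intelservice.exe -o barjuok.ryongnamsan.edu.kp:5555 -u 4PLACEHOLDERWALLET -p KJU -k",
    r"C:\Intel\intelservice.exe --service",
    r"C:\Users\a\xmrig.exe --url=pool.example:3333 --user=4PLACEHOLDERWALLET --pass=x",
    r"C:\Windows\System32\svchost.exe -k netsvcs",
]
```

The file name alone is a weak signal worth a look, since legitimate software may reuse it; a line that also carries the pool host or the password together with xmrig-style options is the combination that justifies isolating the host.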
Security experts pointed out that North Korea-linked group Lazarus was already involved in attacks involving cryptocurrencies.
Related: Experts spotted Monero cryptominer sending currency to North Korean University
Security researchers at AlienVault Labs recently analyzed an application, compiled on Christmas Eve 2017, that is an installer for a Monero cryptocurrency miner.
Pseudonymous author David S. Eng offers valuable information and cyber threat incident alerts to help you protect, prevent, mitigate, respond, recover, and learn about cybersecurity threats to your business and family. The CyberWisdom author curates cyber security information, news feeds and articles. He has six years of hands-on experience as the principal researcher for a DHS Cybersecurity Pilot Program on cyber threat intelligence, risk management, cyber technologies and web collaboration tools.