
Allegations leveled at North Korea may have been confirmed after a report by AlienVault labs found a virus that mines Monero using the victim’s system, later sending it over to Kim Il Sung University in the country’s capital.

“The installer copies a file named intelservice.exe to the system. The filename intelservice.exe is often associated with cryptocurrency mining malware. Based on the arguments it’s executed with, it’s likely a piece of software called xmrig,” the report said.

According to AlienVault, xmrig has previously been used in attacks that hijacked servers to mine Monero, which provides circumstantial evidence for the suspected North Korean hijackings in Seoul that happened recently.

This virus has been out in the wild since Christmas Eve last year.

The report’s analysis of the code says that the domain name the miner is configured to contact, barjouk.ryongnamsan.edu.kp, does not resolve to a valid IP address.

“That means the software can’t send mined currency to the authors—on most networks. It may be that:

  1. The application is designed to be run within another network, such as that of the university itself;
  2. The address used to resolve but no longer does; or
  3. The usage of a North Korean server is a prank to trick security researchers,” the report said.
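As an added example (not code from the report or from AlienVault), the following Python triage routine runs over constructed process-creation events and flags xmrig-style launches: it matches the image name the report ties to the miner, extracts the pool host from xmrig's real -o/--url flags, and records when that host sits under the .kp domain or fails to resolve, which is the condition the report highlights. The port, wallet and event data are constructed placeholders; the resolver is injected so the check runs offline.

```python
import re
from typing import Callable, Optional
# intelservice.exe is the filename the report ties to this miner; xmrig.exe
# is the stock build name of the open-source miner the report suspects.
MINER_IMAGE_NAMES = {"intelservice.exe", "xmrig.exe"}
# xmrig's real pool flags: "-o host:port" or "--url=[stratum+tcp://]host:port".
POOL_ARG = re.compile(r"(?:^|\s)(?:-o|--url)[=\s]+(\S+)")

# Constructed sample process-creation events (not from the report): the
# port and wallet are placeholders, only the .kp hostname is from the page.
SAMPLE_EVENTS = [
    {"image": "intelservice.exe",
     "cmdline": "intelservice.exe -o barjouk.ryongnamsan.edu.kp:3333 -u WALLET_PLACEHOLDER -k"},
    {"image": "notepad.exe", "cmdline": "notepad.exe C:\\notes.txt"},
    {"image": "updater.exe",
     "cmdline": "updater.exe --url=stratum+tcp://pool.example.invalid:3333 --user=WALLET_PLACEHOLDER"},
]

def pool_host(cmdline: str) -> Optional[str]:
    """Return the pool hostname from an xmrig-style command line, else None."""
    m = POOL_ARG.search(cmdline)
    if not m:
        return None
    target = m.group(1).split("://", 1)[-1]   # drop any scheme prefix
    host, _, _port = target.rpartition(":")   # the port part is optional
    return (host or target).lower()

def triage(events, resolver: Callable[[str], bool]):
    """One finding per event that looks like xmrig-style mining. resolver(host)
    reports whether the pool resolves: wrap socket.gethostbyname in production,
    pass a fake for offline analysis so captured events never touch live DNS."""
    findings = []
    for ev in events:
        reasons, host = [], pool_host(ev["cmdline"])
        if ev["image"].lower() in MINER_IMAGE_NAMES:
            reasons.append("image name associated with mining malware")
        if host:
            reasons.append(f"xmrig-style pool argument -> {host}")
            if host.endswith(".kp"):
                reasons.append("pool host under the .kp ccTLD")
            if not resolver(host):
                # As in the report: a dead pool means no payout, but the miner
                # still burns CPU (test build, stale address or prank).
                reasons.append("pool host does not resolve")
        if reasons:
            findings.append({"image": ev["image"], "reasons": reasons})
    return findings

# Offline run: treat every host except the .kp one as resolvable.
OFFLINE_FINDINGS = triage(SAMPLE_EVENTS, resolver=lambda h: not h.endswith(".kp"))
```

A benign process with no pool argument produces no finding, while a miner whose pool is dead is still reported, since it burns CPU regardless of whether anyone gets paid.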

When looking through the application’s code, it’s difficult to tell whether it’s a test suite meant to simulate an attack or it was meant to use the university’s resources to mine the cryptocurrency.

There is evidence pointing both ways: debug messages that hackers wouldn’t normally leave in finished malware, and fake filenames meant to evade detection by victims.

This virus was either the result of sloppy coding or unfinished work released prematurely.

Just a few weeks ago, North Korean hackers were also blamed for the WannaCry ransomware attack that hit hundreds of thousands of systems around the world.

The report published by AlienVault labs gives some measure of hard credibility to these accusations, although we still do not know exactly where the malware came from. We only know that it attempts to send mined Monero to a university server in Pyongyang.