Analysts at a US cybersecurity firm have detected what appears to be a new installer for malware that mines Monero and sends the proceeds to a university in Pyongyang, North Korea.
As the cybersecurity company AlienVault reported on January 8, the malware appeared around Christmas Eve and contains services that automatically deposit Monero into a wallet associated with North Korea’s Kim Il Sung University.
AlienVault observes certain contradictory characteristics in the malware, which make it difficult to determine its author, its purpose and how it is likely to evolve. In its report, the researcher comments:
“It is not clear if we are seeing an early test of an attack, or part of a “legitimate” mining operation where the owners of the hardware are aware of the mining. However, the sample contains obvious printed messages for debugging that an attacker could avoid. But it also contains fake names that appear to be an attempt to avoid detection of the installed mining software.”
Pointing to the “unusually open” nature of the alleged host university, AlienVault adds that the author may not be from North Korea at all, or that the recipient may not be what it seems.
The AlienVault report breaks down the possible scenarios, taking into account the data at hand:
“The address whose server name is barjuok.ryongnamsan.edu.kp does not currently work. This means that the software cannot send mined coins to the authors in most networks. It is possible that:
The application is designed to run within another network, like that of the university itself;
the address used to function but no longer does; or
the use of a server from North Korea is a joke to fool security researchers.”
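The report’s point that the pool hostname no longer resolves has a defensive side: an infected machine still has to ask DNS for that name, so the failed lookups themselves become the observable. The following added example (not code from AlienVault or from the report) scans constructed DNS resolver log lines for queries to the hostname named above and flags repeated failing lookups per client. The log line layout and the decision to also match sibling hosts under the ryongnamsan.edu.kp zone are assumptions made for this illustration.

```python
import re
from collections import Counter
from typing import Dict, List

# Hostname taken from the AlienVault report quoted above.
INDICATOR_HOST = "barjuok.ryongnamsan.edu.kp"
# Assumption: sibling hosts in the same zone are treated as related indicators.
INDICATOR_ZONE = "ryongnamsan.edu.kp"

# Constructed sample resolver log: "timestamp client query qtype qname rcode".
# These lines are made up for the example and do not come from any real capture.
SAMPLE_DNS_LOG = """\
2017-12-24T21:03:11Z 10.0.4.17 query A www.example.com NOERROR
2017-12-24T21:03:15Z 10.0.4.17 query A barjuok.ryongnamsan.edu.kp NXDOMAIN
2017-12-24T21:03:45Z 10.0.4.17 query A BARJUOK.RYONGNAMSAN.EDU.KP. NXDOMAIN
2017-12-24T21:05:40Z 10.0.4.22 query AAAA mail.example.org NOERROR
2017-12-24T21:07:02Z 10.0.4.17 query A pool.ryongnamsan.edu.kp NXDOMAIN
"""

# One resolver log line in the assumed layout above.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalize_host(name: str) -> str:
    """Lower-case the name and drop a trailing dot so case and FQDN form do not hide a match."""
    return name.rstrip(".").lower()


def classify_host(host: str) -> str:
    """Return 'exact' for the reported hostname, 'zone' for another host in its zone, '' otherwise."""
    host = normalize_host(host)
    if host == INDICATOR_HOST:
        return "exact"
    if host.endswith("." + INDICATOR_ZONE):
        return "zone"
    return ""


def scan_dns_log(text: str) -> List[Dict[str, str]]:
    """Return one hit per log line whose query name matches the indicator or its zone."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed layout
        ts, client, qtype, qname, rcode = m.groups()
        match = classify_host(qname)
        if not match:
            continue
        hits.append({
            "time": ts,
            "client": client,
            "qtype": qtype,
            "qname": normalize_host(qname),
            "rcode": rcode,
            "match": match,
        })
    return hits


def failing_lookups_per_client(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count NXDOMAIN (or SERVFAIL) answers per client: a miner whose pool name
    is dead keeps retrying, so repeated failures from one host are the signal."""
    counts: Counter = Counter()
    for h in hits:
        if h["rcode"] in ("NXDOMAIN", "SERVFAIL"):
            counts[h["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG)
    for h in found:
        print(f"{h['time']} {h['client']} -> {h['qname']} ({h['match']}, {h['rcode']})")
    print("failing lookups per client:", failing_lookups_per_client(found))
```

Run against a real resolver or Sysmon/Zeek DNS export by adapting `LINE_RE` to that log format; the classification and per-client counting do not depend on the layout.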
AlienVault also points out that if North Korea’s government is behind the operation, it may be part of a movement to use cryptocurrencies to “provide a financial lifeline” in the light of sanctions against the country.
At the end of December, the CEO of Crowdstrike, a US cybersecurity company, told reporters that he was convinced that the North Korean government was stealing and storing cryptocurrencies.
The appearance of the new malware marks the latest phase in the cyber war between the two Koreas. Last month, hackers from the North were reportedly heavily involved in cryptocurrency thefts aimed at South Korean exchanges.
In an experimental “white hat check” project in late December, a Seoul-based media company hired security experts to compromise accounts it had created on five large digital currency exchanges in South Korea, highlighting the ease with which malicious third parties could steal funds.