Researchers at threat intelligence firm AlienVault recently stumbled upon cryptocurrency mining software that mined Monero and sent it to a server owned by Kim Il Sung University in North Korea.
Researchers have tracked down the IP address of a system running a cryptocurrency mining operation to North Korea but feel those behind the operation are not part of the infamous Lazarus Group.
According to the researchers, this isn’t the first time that hackers in North Korea have been involved in a cryptocurrency mining operation. A hacker group dubbed Bluenoroff, best known for stealing $951 million from the Bank of Bangladesh, recently attempted to mine Monero during an attempted theft from a bank, and another group known as Andariel targeted a South Korean firm in order to steal Monero.
Lazarus Group, the infamous and feared North Korean hacker group, recently used a spearphishing campaign to mine Bitcoins. The group sent phishing e-mails to employees at several cryptocurrency firms about a vacant CFO position at a leading London-based cryptocurrency firm. The attachments in those e-mails contained first-stage Remote Access Trojans (RATs) which helped the hackers steal Bitcoins from victims’ systems.
In the latest case, the researchers believe those behind the cryptocurrency mining operation are not associated with the Lazarus Group. This is because the amateurish use of Visual Basic in the installer is not consistent with the way the Lazarus Group writes its code. According to the researchers, hackers belonging to the Lazarus Group are ‘capable developers, and craft their own malware from a library of low-level code’.
Hackers behind the latest operation download a file named intelservice.exe onto victims’ systems. This file is known to be associated with cryptocurrency mining and is part of the xmrig mining software, which has been used in malware campaigns in the past. As such, its presence clearly reveals the intent of those behind the operation.
However, the researchers have reason to believe that the hacker in question may not be a North Korean national. Even though the IP address of the system behind the operation has been traced to Kim Il Sung University in Pyongyang, the university hosts a large number of international students and professors, so the hacker could be anyone.
The researchers also identified two other pieces of software and, after studying their compilation strings, initial upload locations and French text, said they have reason to believe the hackers are from Morocco. They added that the use of a North Korean server could also be a prank intended to mislead security researchers.
‘It’s not clear if we’re looking at an early test of an attack, or part of a ‘legitimate’ mining operation where the owners of the hardware are aware of the mining. On the one hand the sample contains obvious messages printed for debugging that an attacker would avoid. But it also contains fake filenames that appear to be an attempt to avoid detection of the installed mining software,’ they noted.
Even though this particular cryptocurrency mining operation may not have been conducted by North Korea, it doesn’t change the fact that North Korean hackers have successfully launched a series of mining campaigns in the past year, especially against cryptocurrency firms located in South Korea. Considering that North Korea is feeling the effects of worldwide economic sanctions, researchers believe stealing cryptocurrency from the web could help the country fund its military programme.
‘As sanctions bite further and North Korea becomes more desperate for foreign currency, they will get more aggressive and continue to come after the finance sector. They’re after our money,’ Robert Hannigan, who retired in March this year after leading GCHQ for three years, told The Times.
Speaking at the Reuters Cyber Security Summit in November, Dmitri Alperovitch, chief technology officer at CrowdStrike, said that hackers with links to North Korea have so far stolen hundreds of millions of dollars from global banks and may continue to launch sophisticated attacks on financial targets. ‘The difference between theft and destruction is often a few keystrokes,’ he warned.
‘With an army focused on the South, a navy that is limited in reach, and an air force oriented towards defense, North Korea’s main ways to threaten countries beyond its immediate borders are with missiles or with cyber intrusions,’ said Kelsey Atherton, a defence technology journalist.