As the cybersecurity firm AlienVault reported Jan. 8, the malware surfaced around Christmas Eve and is built to send the Monero it mines to a wallet associated with North Korea’s Kim Il Sung University.
AlienVault notes contradictory characteristics in the malware that make it difficult to determine its author, its purpose and how it is likely to evolve. In the report, the researcher comments:
“It’s not clear if we’re looking at an early test of an attack, or part of a ‘legitimate’ mining operation where the owners of the hardware are aware of the mining. On the one hand the sample contains obvious messages printed for debugging that an attacker would avoid. But it also contains fake filenames that appear to be an attempt to avoid detection of the installed mining software.”
Given the “unusually open” nature of the alleged host university, the author may not even be North Korean, or the recipient may not be what it seems.
The AlienVault report breaks down the possible scenarios, given the data at hand:
“The hostname barjuok.ryongnamsan.edu.kp address doesn’t currently resolve. That means the software can’t send mined currency to the authors – on most networks. It may be that:
- The application is designed to be run within another network, such as that of the university itself;
- The address used to resolve but no longer does; or
- The usage of a North Korean server is a prank to trick security researchers.”
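One practical consequence of the non-resolving pool hostname is worth drawing out for defenders: a miner configured with a dead pool address will keep retrying the lookup, so an infected host leaves a trail of NXDOMAIN answers for the same name in resolver logs. The following script is an added example, not code from the AlienVault report; it scores DNS log lines on three signals (a lookup of the pool hostname quoted above, any lookup under the .kp top-level domain, and repeated NXDOMAIN answers for one name from one client). The log line layout, the sample lines and the retry threshold are assumptions constructed for the example.

```python
"""Hunt DNS resolver logs for signs of the miner described above.

Added example, not part of the AlienVault report. The only identifier taken
from the page is the pool hostname; the log format and sample lines are
constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# Pool hostname named in the report (the one identifier taken from the page).
POOL_HOST = "barjuok.ryongnamsan.edu.kp"

# Assumed one-line-per-query log layout; adapt the regex to your resolver's format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>[\d.]+) query (?P<qname>\S+) (?P<qtype>\w+) "
    r"response (?P<rcode>\w+)$"
)

# Constructed sample lines, not captured traffic.
SAMPLE_LOG = """\
2018-01-08T09:00:01Z client 10.1.4.22 query barjuok.ryongnamsan.edu.kp A response NXDOMAIN
2018-01-08T09:00:31Z client 10.1.4.22 query barjuok.ryongnamsan.edu.kp A response NXDOMAIN
2018-01-08T09:01:01Z client 10.1.4.22 query barjuok.ryongnamsan.edu.kp A response NXDOMAIN
2018-01-08T09:01:05Z client 10.1.4.22 query update.example.com A response NOERROR
2018-01-08T09:02:10Z client 10.1.7.9 query host1.example.kp A response NOERROR
2018-01-08T09:03:00Z client 10.1.9.3 query mail.example.com A response NOERROR
2018-01-08T09:03:30Z client 10.1.9.3 query nonexistent.example.net A response NXDOMAIN
"""


def parse(text):
    """Yield one dict per well-formed log line, with the query name normalised."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["qname"] = rec["qname"].rstrip(".").lower()
            yield rec


def scan_dns_log(text, repeat_threshold=3):
    """Return {client_ip: sorted list of findings} for hosts worth triaging.

    repeat_threshold is an assumed tuning knob: how many NXDOMAIN answers for
    the same name from the same client count as retry behaviour.
    """
    findings = defaultdict(set)
    nx_counts = Counter()
    for rec in parse(text):
        client, qname, rcode = rec["client"], rec["qname"], rec["rcode"]
        if qname == POOL_HOST:
            # High confidence: the exact pool host from the sample.
            findings[client].add(f"lookup of known pool host {qname}")
        elif qname.endswith(".kp"):
            # Lower confidence: any .kp lookup is rare on most networks.
            findings[client].add(f"lookup under .kp TLD: {qname}")
        if rcode == "NXDOMAIN":
            nx_counts[(client, qname)] += 1
    for (client, qname), n in nx_counts.items():
        if n >= repeat_threshold:
            # Generic signal: a dead name retried repeatedly by one host.
            findings[client].add(f"{n} NXDOMAIN retries for {qname}")
    return {client: sorted(reasons) for client, reasons in findings.items()}


if __name__ == "__main__":
    for client, reasons in sorted(scan_dns_log(SAMPLE_LOG).items()):
        print(client)
        for reason in reasons:
            print("  -", reason)
```

On the sample lines, 10.1.4.22 is flagged twice (pool host lookup and three NXDOMAIN retries), 10.1.7.9 only for the .kp lookup, and 10.1.9.3 not at all because a single NXDOMAIN is ordinary. The .kp rule will be noisy on networks with legitimate contacts in that TLD, and the retry rule also catches misconfigured clients, so treat the pool-host match as the actionable signal and the other two as context for triage; if the hostname starts resolving again (the report's second scenario), the retry signal disappears and only the name match remains.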