Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/8/2018
05:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

New Cryptocurrency Mining Malware Has Links to North Korea

A malware tool for stealthily installing software that mines the Monero virtual currency looks like the handiwork of North Korean threat actors, AlienVault says.

A security vendor has found another clue that North Korea may be turning to illegal cryptocurrency mining as a way to bring cash into the nation's economy amid tightening international sanctions.

AlienVault on Monday said it had recently discovered malware that is designed to stealthily install a miner for Monero, a Bitcoin-like cryptocurrency, on end-user systems and to send any mined coins to the Kim Il Sung University (KSU) in Pyongyang.

The malicious installer appears to have been created just before Christmas 2017 and is designed to install xmrig, an open source miner for Monero.

The link to the university itself doesn't appear to be working, however, meaning the software cannot send any mined coins back to its authors. The malware itself appears pretty basic, and the inclusion of the KSU server in the code could simply be a false flag to trick security researchers. Even so, the malware is consistent with previous similar campaigns tied to North Korea, AlienVault said.

"Cryptocurrencies could provide a financial lifeline to a country hit hard by sanctions," the vendor said. "Therefore it's not surprising that universities in North Korea have shown a clear interest in cryptocurrencies."

A cryptocurrency mining tool like xmrig is basically designed to harness the processing power of a computer in order to verify transactions in a blockchain. Users who put their computers to work mining virtual currencies such as Bitcoin and Monero typically receive small monetary rewards for allowing their hardware to be used for the purpose.

Crypto mining is legitimate activity. Some, like Coinhive, even distribute miners to website operators so users can run it in their browsers in exchange for an ad-free experience. In recent years, though, cybercriminals have increasingly begun hijacking computers in order to mine cryptocurrency for illegal profit.

In a report last September, IBM said that between January and July 2017 it had seen a six-fold increase in CPU mining attacks involving the use of malware for installing virtual currency mining tools against its customers. The tools typically were embedded in fake image files that were hosted on infiltrated servers running WordPress or Joomla. Most of the attacks that IBM analyzed were designed to target virtual currencies such as Monero, whose CryptoNight algorithm can run on ordinary PCs and servers compared to the specialized hardware required for Bitcoin mining.

Last September, Kaspersky Lab reported finding two relatively large botnets comprised of computers infected with malware for installing legitimate cryptocurrency miners on them. The security vendor estimated that a 4,000-computer botnet used for cryptocurrency mining was netting its operators up to $30,000 a month, while a bigger 5,000-computer botnet was garnering its operators some $200,000 a month.

"As the price of crypto-currencies increase, so do the incentives to infect people with mining malware," says Chris Doman, security researcher at AlienVault. "Monero is becoming a popular choice as it is both more anonymous and more profitable to mine with malware."

Security researchers have found plenty of clues in recent months to suggest that Korea-linked threat actors like the Lazarus Group and others are actively engaged in cryptocurrency mining. Earlier this month, Bloomberg reported an incident in which a North Korea threat group called Andariel hijacked a server belonging to a South Korean organization and used it to mine about 70 Montero coins.

The Lazarus group has been caught doing Monero mining on compromised networks and attacking Bitcoin exchanges, Doman says. There have also been several public reports of North Korean universities looking into mining cryptocurrencies, Doman says. So while it is hard to say with complete certainty if the malware that AlienVault discovered is the work of North Korean actors, chances are high it is, he notes.

"The main takeaway for me is that this fits into the larger picture of North Korea and cryptocurrencies."

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mmckeown
50%
50%
mmckeown,
User Rank: Apprentice
3/3/2018 | 7:55:59 PM
Excellent Summary
Excellent Summary, appreciate the writeup.
mmckeown
50%
50%
mmckeown,
User Rank: Apprentice
3/3/2018 | 7:54:20 PM
Excellent Summary
Hello Jai, excelent summary.  Appreciate the writeup.
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.