New North Korea Hack: Hijacking Computers to Power Cryptocurrency Mining
A cybersecurity researcher has found malware that mines a type of cryptocurrency and routes the bounty to a North Korean university, showing how hackers in North Korea are targeting new assets as sanctions force Pyongyang to pursue alternative income streams.
The malware—deployed on Christmas Eve—instructs an infected computer to mine for Monero, a bitcoin alternative, according to a report released Monday by AlienVault, a U.S. cybersecurity firm. Monero describes itself on its website as a “secure, private and untraceable” form of cryptocurrency where users’ accounts and transactions are shielded from “prying eyes.”
The mined funds then flow automatically to a server at a Kim Il Sung University domain. To access them, the operator would enter a three-letter password, KJU, a likely reference to North Korean leader Kim Jong Un.
It is unclear where the virus was planted or how much Monero was extracted, said Chris Doman, an AlienVault threat engineer who identified the malware from a database of computer viruses amassed by VirusTotal, a subsidiary of Alphabet Inc.’s Google. Because only large organizations automatically upload lots of files to VirusTotal, the malware was likely spotted at a big company, Mr. Doman said, though he is unable to determine how many computers were affected—or if the attack continues.
The Monero community, in a Monday statement from several prominent members, said millions of users “trust Monero to be that currency to conduct safe, private transactions.” But “no currency, digital or fiat, is immune to criminal malfeasance,” according to the statement.
The coding is rudimentary, suggesting a student project rather than the work of North Korea’s elite hacking unit known as Lazarus. But the malware’s creators disguised certain files, suggesting the software wasn’t accidental or a prank, Mr. Doman said.
For instance, the malware installs the Monero miner in a folder that is part of the Microsoft Windows operating system, a typical maneuver for illegitimate software. And it installs under the file name “intelservice.exe,” in an attempt to make a user mistake it for a product from Intel Corp., Mr. Doman said.
“There is some type of subterfuge going on,” Mr. Doman said.
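The two disguises described above, a vendor-sounding file name and a drop location inside the Windows directory tree, are exactly what a defender can check for. The following is an added illustration, not code from the article or from AlienVault's report: it scans a constructed list of process records (name, on-disk path, command line, code-signing publisher) and flags binaries whose name mimics a vendor but whose path or signature does not match that vendor, unsigned or non-Microsoft binaries running from Windows folders, and command lines carrying typical miner or mining-pool arguments. The vendor directory table, the miner-argument patterns and the sample records (including the path used for the intelservice.exe entry; the article names only "a folder that is part of Windows") are assumptions made for the example.

```python
"""Flag processes that masquerade as vendor software or look like coin miners.

Added example. VENDOR_HOMES, MINER_PATTERNS and SAMPLE_PROCS are assumptions
constructed for illustration, not data from the article or AlienVault's report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    name: str               # image file name as shown by the process list
    path: str               # full on-disk path of the image
    cmdline: str            # command line the process was started with
    signer: Optional[str]   # Authenticode publisher reported by tooling, None if unsigned


# Assumed mapping: a vendor token that may appear in a file name -> directories
# where that vendor's signed binaries are normally installed (illustrative only).
VENDOR_HOMES = {
    "intel": (r"c:\program files\intel", r"c:\program files (x86)\intel"),
    "nvidia": (r"c:\program files\nvidia corporation",),
}

# Directories belonging to the operating system itself.
WINDOWS_DIRS = (r"c:\windows",)

# Assumed indicators of CPU-miner / pool command lines (stratum URLs, Monero
# references, typical miner flags such as "-o host:port").
MINER_PATTERNS = re.compile(
    r"(stratum\+(tcp|ssl)://|\bxmr|monero|--donate-level|-o\s+\S+:\d+)", re.I
)


def _under(path: str, directory: str) -> bool:
    """True if path lies inside directory (case-insensitive, backslash paths)."""
    path, directory = path.lower(), directory.lower().rstrip("\\")
    return path == directory or path.startswith(directory + "\\")


def analyze(p: Proc) -> list[str]:
    """Return a list of human-readable findings for one process (empty = clean)."""
    findings: list[str] = []
    lname = p.name.lower()
    signer = (p.signer or "").lower()

    # 1. Name borrows a vendor's brand, but neither the install path nor the
    #    code-signing publisher belongs to that vendor.
    for vendor, homes in VENDOR_HOMES.items():
        if vendor in lname and vendor not in signer and not any(_under(p.path, h) for h in homes):
            findings.append(f"name mimics {vendor} but path and signer do not match")

    # 2. Something that is not Microsoft-signed is living in a Windows folder.
    if any(_under(p.path, d) for d in WINDOWS_DIRS) and "microsoft" not in signer:
        findings.append("non-Microsoft-signed binary running from a Windows system folder")

    # 3. The command line looks like a miner talking to a pool.
    if MINER_PATTERNS.search(p.cmdline):
        findings.append("command line contains miner/pool indicators")

    return findings


def scan(procs: list[Proc]) -> dict[str, list[str]]:
    """Map each suspicious process name to its findings; clean processes are omitted."""
    return {p.name: f for p in procs if (f := analyze(p))}


# Constructed sample records. The first mirrors the behaviour the article
# describes (Intel-like name, Windows folder); its path and pool are made up.
SAMPLE_PROCS = [
    Proc("intelservice.exe", r"C:\Windows\Temp\intelservice.exe",
         "intelservice.exe -o pool.example.invalid:4444 -u 4AexampleWallet", None),
    Proc("svchost.exe", r"C:\Windows\System32\svchost.exe",
         "svchost.exe -k netsvcs", "Microsoft Windows"),
    Proc("IntelCpHDCPSvc.exe", r"C:\Program Files\Intel\HDCP\IntelCpHDCPSvc.exe",
         "IntelCpHDCPSvc.exe", "Intel Corporation"),
]

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_PROCS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

In practice the three records would come from the EDR or from `Get-Process`/`Get-AuthenticodeSignature` output, and the vendor table would be tuned to the estate; the point is that a file name alone proves nothing, so the check cross-references it with where the binary lives and who signed it.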