Once executed, the installer copies a file named intelservice.exe to the system; this file is the Monero cryptocurrency miner.
“The filename intelservice.exe is often associated with crypto-currency mining malware. Based on the arguments it’s executed with, it’s likely a piece of software called xmrig.” reads the analysis published by AlienVault.
“It’s not unusual to see xmrig in malware campaigns. It was recently used in some wide campaigns exploiting unpatched IIS servers to mine Monero.”
The experts identified the binary as xmrig from the command-line arguments it is launched with.
Analyzing the file, the researchers recovered both the Monero wallet address and the password used, “KJU”, a possible reference to Kim Jong-un.
The miner connects to a mining server at barjuok.ryongnamsan.edu.kp, a host located at Kim Il Sung University.
The hostname barjuok.ryongnamsan.edu.kp does not currently resolve, either because the application was designed to run only on the university’s own network, or because the server is no longer in use.
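Two things the analysis above rests on are easy to reproduce on a host or in a sandbox: recognising an xmrig invocation from its arguments, and recovering the pool host, wallet and password from the installer’s embedded strings. The Python below is an added example, not AlienVault’s tooling or the installer’s own code. It goes slightly beyond the text by handling both the short (`-o host:port`) and long (`--url=host:port`) xmrig argument forms and by rejecting benign uses of `-o` and `-k` (curl, svchost). The pool hostname is the one named in the analysis; the port 5555, the wallet string, the file paths and the debug strings in the sample data are constructed for the example and are not indicators from the real sample.

```python
"""Identify xmrig-style miner invocations from process command lines and pull
the pool host, wallet and password out of an installer's embedded strings.
Added example; the sample command lines and binary blob below are constructed,
not taken from the installer AlienVault analysed."""
import re
import shlex

# Standard Monero addresses are 95 base58 characters (no 0, O, I, l) starting
# with '4'; subaddresses start with '8'.
MONERO_ADDR = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
# host:port as given to xmrig's -o/--url, with or without a stratum+tcp:// scheme
POOL_URL = re.compile(r"(?:stratum\+tcp://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,}):(\d{2,5})")

# xmrig options that take a value, and bare flags, as listed in xmrig's usage text
VALUE_OPTS = {"-o": "pool", "--url": "pool", "-u": "wallet", "--user": "wallet",
              "-p": "password", "--pass": "password", "-a": "algo", "--algo": "algo",
              "-t": "threads", "--threads": "threads", "--donate-level": "donate_level"}
FLAG_OPTS = {"-k": "keepalive", "--keepalive": "keepalive",
             "-B": "background", "--background": "background", "--nicehash": "nicehash"}


def parse_miner_cmdline(cmdline):
    """Parse one process command line; return the xmrig-style arguments found,
    or None when there is no pool target (so svchost -k or curl -o do not hit)."""
    try:
        tokens = shlex.split(cmdline, posix=False)   # keep Windows backslashes
    except ValueError:
        return None
    if not tokens:
        return None
    found = {"image": tokens[0].strip('"')}
    i = 1
    while i < len(tokens):
        name, has_eq, val = tokens[i].partition("=")   # --url=host:port form
        if name in VALUE_OPTS:
            if not has_eq:                              # -o host:port form
                i += 1
                val = tokens[i] if i < len(tokens) else ""
            found[VALUE_OPTS[name]] = val
        elif tokens[i] in FLAG_OPTS:
            found[FLAG_OPTS[tokens[i]]] = True
        i += 1
    m = POOL_URL.search(found.get("pool", ""))
    if not m:
        return None
    found["pool_host"], found["pool_port"] = m.group(1), int(m.group(2))
    found["monero_wallet"] = bool(MONERO_ADDR.search(found.get("wallet", "")))
    # Pool plus a wallet or password is the minimal miner signature; --donate-level
    # only exists in xmrig and its forks, so it strengthens the call.
    found["likely_xmrig"] = any(k in found for k in ("wallet", "password", "donate_level"))
    return found


def flag_miner_processes(cmdlines):
    """Sweep process-creation command lines (e.g. Sysmon event 1) for miner hits."""
    parsed = (parse_miner_cmdline(c) for c in cmdlines)
    return [p for p in parsed if p and p["likely_xmrig"]]


def extract_mining_indicators(blob, min_len=6):
    """Strings-style pass over a binary: collect pool targets, Monero addresses
    and any complete miner command line the installer embeds."""
    strings = [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]
    out = {"pools": [], "wallets": [], "cmdlines": []}
    for s in strings:
        out["pools"].extend((h, int(p)) for h, p in POOL_URL.findall(s))
        out["wallets"].extend(MONERO_ADDR.findall(s))
        parsed = parse_miner_cmdline(s)
        if parsed:
            out["cmdlines"].append(parsed)
    return out


# Constructed test data. The pool hostname is the one named in the analysis;
# the port, wallet, paths and debug strings are invented for the example.
FAKE_WALLET = "4" + "AbCd1234" * 11 + "xyz9AB"          # 95 base58 chars, not a real wallet
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\svchost.exe -k netsvcs",       # benign: -k but no pool
    r'"C:\Program Files\Intel\intelservice.exe" --url=barjuok.ryongnamsan.edu.kp:5555'
    " --user=" + FAKE_WALLET + " --pass=KJU --keepalive --donate-level=1",
    r"C:\Windows\intelservice.exe -o barjuok.ryongnamsan.edu.kp:5555 -u "
    + FAKE_WALLET + " -p KJU -k",
    r"C:\Tools\curl.exe -o out.html https://example.com:443/index.html",  # benign -o
]
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"Copying intelservice.exe...\x00"                 # debug message stand-in
    + b"C:\\Windows\\intelservice.exe -o barjuok.ryongnamsan.edu.kp:5555 -u "
    + FAKE_WALLET.encode() + b" -p KJU -k --donate-level=1\x00"
    + b"\x00" * 8 + b"Mining started\x00"
)

if __name__ == "__main__":
    for hit in flag_miner_processes(SAMPLE_CMDLINES):
        print(f"{hit['image']}: pool={hit['pool_host']}:{hit['pool_port']} "
              f"pass={hit.get('password')} monero_wallet={hit['monero_wallet']}")
    ind = extract_mining_indicators(SAMPLE_BLOB)
    print("pools:", ind["pools"], "wallets:", [w[:8] + "..." for w in ind["wallets"]])
```

The pool-target check is what keeps the parser honest: `-o` and `-k` are common across unrelated tools, so an argument-based rule should only fire when a host:port pool is present alongside a wallet or password. Running the same parser over the installer’s strings is how the full launch line, including the “KJU” password, surfaces without executing the sample.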
“It’s not clear if we’re looking at an early test of an attack, or part of a ‘legitimate’ mining operation where the owners of the hardware are aware of the mining.” continues the analysis.
“On the one hand the sample contains obvious messages printed for debugging that an attacker would avoid. But it also contains fake filenames that appear to be an attempt to avoid detection of the installed mining software.”
Security experts pointed out that the North Korea-linked Lazarus group has previously been involved in attacks targeting cryptocurrencies.
In December, security experts from Secureworks revealed the Lazarus APT group launched a spearphishing campaign against a London cryptocurrency company.
Monero-focused attacks attributed to North Korean threat actors have been associated with the Bluenoroff and Andariel groups, which are considered subgroups of Lazarus. Researchers from AlienVault highlighted that they have not found evidence linking the newly discovered installer to any attack attributed to Lazarus.
“We have not identified anything linking our Installer to these attacks. The Lazarus attackers have capable developers, and craft their own malware from a library of low-level code.” concluded the research. “Given the amateur usage of Visual Basic programming in the Installer we analysed, it’s unlikely the author is part of Lazarus. As the mining server is located in a university, we may be looking at a university project.”
Experts also put forward another hypothesis: someone inside the university developed the project to test the use of cryptocurrency in a country hit hard by sanctions.
Pierluigi Paganini
(Security Affairs – North Korea, Monero Miner)