Malware

Mysterious findings emerged from the analysis of the SiliVaccine North Korea’s antivirus software

Security experts at Check Point that analyzed North Korea’s antivirus software SiliVaccine discovered it is based on a 10-year-old anti-malware engine developed by Trend Micro.

Check Point received the very rare sample of North Korea’s SiliVaccine antivirus software from the freelance journalist Martyn Williams.

The researchers discovered the SiliVaccine application contained “large chunks of 10+-year-old antivirus engine code belonging to Trend Micro,” a circumstance confirmed by Trend Micro.

“In an exclusive piece of research, Check Point Researchers have carried out a revealing investigation into North Korea’s home-grown anti-virus software, SiliVaccine. One of several interesting factors is that a key component of SiliVaccine’s code is a 10-year-old copy of one of Trend Micro’s, a Japanese company, software components.” reads the analysis published by CheckPoint.

On July 8th 2014 Mr. Williams received a mail containing a link to the software, the message was sent by someone going by the name of ‘Kang Yong Hak’, whose mailbox has since been rendered unreachable.

Kang Yong Hak is believed to be a Japanese engineer, the email contained a link to a Dropbox-hosted zip file that held a copy of the SiliVaccine software, a readme file in Korean language explaining how to use the software and a suspicious looking file posing as a patch for SiliVaccine.

The analysis revealed an interesting feature, the North Korea’s antivirus software whitelisted mystery malware, its signature, in fact, was detected by the legitimate Trend Micro’s solution.

According to the experts, the whitelisted mystery malware may be nation-state malware that North Korea wants to use for surveillance purposes.

“During our research we discovered that the authors of SiliVaccine have chosen to white-list a single very specific malware signature, and effectively ignore any detection of files matching that specific signature. The white-listed signature is Trend Micro’s ‘MAL_NUCRP-5’, described by Trend Micro as:

“…the Trend Micro detection for suspicious files that manifest behavior and characteristics similar to known NUWAR, TIBS, and ZHELAT variants.” continues the analysis.

“This signature doesn’t seem to be related to any one specific malware, but rather seems to detect specific packing related characteristics common in some malware.”

Check Point discovered other singularities, for example, the use of the Themida and Unopix packers commonly used to make malware analysis very hard.

As SiliVaccine is the unique antivirus software in North Korea, the use of the packers could be motivated with the intent of the author to make hard its analysis by foreign actors.

CheckPoint also discovered that the antivirus solution used a custom encryption protocol to encrypt pattern files, it is modified SHA1 hashing algorithm.

Experts discovered the SiliVaccine uses 3 driver components:

  • sys – Kernel-mode process information collection module.
  • sys – File system filter driver used for real-time and AV files protection.
  • sys – Network Transport Driver Interface (TDI) Driver.

“This revealing exploration into SiliVaccine may well raise suspicions of authenticity and motives of the IT security products and operations of this Hermit Kingdom.” concludes Check Point.

“While attribution is always a difficult task in cyber security, there are many questions raised by our findings. What is clear, however, are the shady practices and questionable goals of SiliVaccine’s creators and backers.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – SiliVaccine, North Korea)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco warns of password-spraying attacks targeting Secure Firewall devices

Cisco warns customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services…

1 min ago

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

4 hours ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

18 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

1 day ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

This website uses cookies.