Monero is the 13th biggest cryptocurrency by value and has been sold as being more secure than bitcoin. At the time of writing, 1 Monero (XMR) was worth USD 318.16. With rising prices and a lack of tracking (unlike bitcoin, whose transactions can be traced through wallet addresses), it's becoming a prime choice for criminals.
A piece of malware has been found that places a mining application on a victim's computer. It is an installer for software to mine the Monero cryptocurrency. Any mined currency is sent to Kim Il Sung University in Pyongyang, North Korea.
Once the discovered installer is run, it copies a file named intelservice.exe to the system, which is often associated with cryptocurrency mining malware. The arguments the file is executed with reveal it is a piece of software called xmrig, a program already associated with wide campaigns exploiting unpatched IIS servers to mine Monero.
Analysis of the file revealed both the address of the Monero wallet and the password (KJU, a possible reference to Kim Jong-un) it uses, as well as the fact that it sends the mined currency to the server barjuok.ryongnamsan.edu[.]kp. The use of this domain reveals that the server is located at Kim Il Sung University.
The installer executes intelservice.exe (xmrig) with the following arguments:
4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS is the address of the Monero wallet.
ryongnamsan.edu[.]kp is the mining server that would receive any mined currency. The ryongnamsan.edu[.]kp domain indicates this server is located at Kim Il Sung University.
The password, KJU, is a possible reference to Kim Jong-un.
The hostname barjuok.ryongnamsan.edu[.]kp address doesn’t currently resolve. That means the software can’t send mined currency to the authors – on most networks. It may be that:
The application is designed to be run within another network, such as that of the university itself.
The address used to resolve but no longer exists.
The usage of a North Korean server is a prank to trick security researchers.
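The three indicators above (wallet address, pool domain and password) are exactly what a defender can pull out of a process-creation event for xmrig, and the non-resolving hostname is a property worth recording alongside them. The following Python is an added example, not part of the original article or of AlienVault's analysis: it parses an xmrig-style command line, matches it against the indicators from this article, and asks an injectable resolver whether the pool host resolves. The command line it is fed is constructed for the example (the real sample's full command line is not reproduced on this page), and the port number in it is a placeholder; the flag names (-o/--url, -u/--user, -p/--pass) are xmrig's own.

```python
import socket
from shlex import split as shlex_split
from typing import Callable, Dict, List, Optional

# Indicators taken from the article.
WALLET = ("4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrED"
          "AgRwsQvVCjZbRy5YeFCqgoUMnzumvS")
POOL_DOMAIN_SUFFIX = "ryongnamsan.edu.kp"
PASSWORD = "KJU"
SUSPICIOUS_IMAGE = "intelservice.exe"

# Constructed process-creation command line for the example (port is a placeholder).
CONSTRUCTED_EVENT = (r'C:\Windows\intelservice.exe -o barjuok.ryongnamsan.edu.kp:3333 '
                     + "-u " + WALLET + " -p KJU")

_FLAGS = {"-o": "url", "--url": "url", "-u": "user", "--user": "user",
          "-p": "pass", "--pass": "pass"}


def parse_xmrig_args(cmdline: str) -> Dict[str, Optional[str]]:
    """Extract image, pool URL, wallet and password from an xmrig-style command line.
    Accepts short flags, long flags and the --flag=value form."""
    # posix=False keeps Windows backslashes intact; strip any surrounding quotes ourselves.
    argv = [t.strip('"') for t in shlex_split(cmdline, posix=False)]
    out: Dict[str, Optional[str]] = {"image": argv[0] if argv else None,
                                     "url": None, "user": None, "pass": None}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if "=" in tok and tok.split("=", 1)[0] in _FLAGS:
            key, value = tok.split("=", 1)
            out[_FLAGS[key]] = value
        elif tok in _FLAGS and i + 1 < len(argv):
            out[_FLAGS[tok]] = argv[i + 1]
            i += 1
        i += 1
    return out


def pool_host(url: str) -> str:
    """'stratum+tcp://host:3333' or 'host:3333' -> 'host' (IPv4/hostnames only)."""
    hostport = url.split("://", 1)[-1]
    return hostport.rsplit(":", 1)[0] if ":" in hostport else hostport


def dns_resolve(host: str) -> Optional[str]:
    """Live resolver: returns an address or None if the name does not resolve."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


def assess(cmdline: str, resolve: Callable[[str], Optional[str]] = dns_resolve) -> dict:
    """Match a command line against the article's indicators and record whether
    the pool host resolves. `resolve` is injectable so this can run offline."""
    args = parse_xmrig_args(cmdline)
    findings: List[str] = []
    image = (args["image"] or "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image == SUSPICIOUS_IMAGE:
        findings.append("image name matches the miner dropper's intelservice.exe")
    if args["user"] == WALLET:
        findings.append("wallet matches the article's Monero wallet address")
    host = pool_host(args["url"]) if args["url"] else None
    if host and host.lower().endswith(POOL_DOMAIN_SUFFIX):
        findings.append("pool host is under ryongnamsan.edu.kp")
    if args["pass"] == PASSWORD:
        findings.append("pool password is KJU")
    resolves = (resolve(host) is not None) if host else None
    return {"args": args, "pool_host": host, "pool_resolves": resolves, "findings": findings}


if __name__ == "__main__":
    # Stub resolver (returns None for everything) keeps the demo offline, mirroring
    # the article's observation that the hostname does not currently resolve.
    result = assess(CONSTRUCTED_EVENT, resolve=lambda h: None)
    for f in result["findings"]:
        print("FINDING:", f)
    print("pool host:", result["pool_host"], "resolves:", result["pool_resolves"])
```

A miner whose pool host never resolves is still worth an alert: the process, the CPU load and the IoC matches are present whether or not any coin reaches its destination, and the unresolved name itself is a useful pivot for the analyst.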
It’s not clear if we’re looking at an early test of an attack, or part of a ‘legitimate’ mining operation where the owners of the hardware are aware of the mining.
On the one hand the sample contains obvious messages printed for debugging that an attacker would avoid. But it also contains fake filenames that appear to be an attempt to avoid detection of the installed mining software.
If the software author is at KSU, they may not be North Korean. KSU is an unusually open university and has a number of foreign students and lecturers.
There are two other pieces of software which share some code:
762c3249904a8bf76802effb54426655
42344bb45f351757e8638656e12a0135
Based on the compilation string, initial upload location and French text, it's likely the author of these two other samples is from Morocco. Therefore the software may be created by entirely different authors who copied code from the same location, for example a forum.
Despite the sample being almost 11 days old, VirusTotal shows only 9 AV vendors have a signature for it:
AlienVault has made a YARA rule you can use to block it:
rule nkminer_monero {
    meta:
        description = "Detects installer of Monero miner that points to a NK domain"
        author = "[email protected]"
        tlp = "white"
        license = "MIT License"
    // The rule is quoted above only as far as its meta section; the strings and condition
    // here are reconstructed from the indicators listed in this article, not AlienVault's originals.
    strings:
        $wallet = "4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS" ascii wide
        $domain = "ryongnamsan.edu.kp" ascii wide nocase
    condition:
        $wallet or $domain
}