AI adoption in the enterprise world is skyrocketing, yet it brings a major risk—data security. Many employees are turning to external AI tools like ChatGPT to draft documents, analyze data, and streamline work. While these tools offer convenience, they also expose organizations to data theft, accidental leaks, and compliance violations. [...]
Monero is the 13th biggest cryptocurrency by value and has been sold as being more secure than bitcoin. As of the time of writing 1 Monero (XMR) was worth USD 318.16. With rising prices and lack of tracking (unlike bitcoin which can be tracked with wallets) its becoming a prime choice for criminals.
A piece of malware has been found, that places a mining application on a victim’s computer. It is an installer for software to mine the Monero crypto-currency. Any mined currency is sent to Kim Il Sung University in Pyongyang, North Korea.
Once the discovered installer is run, it copies a file named intelservice.exe to the system, which is often associated with cryptocurrency mining malware. The arguments the file is executed with reveal it is a piece of software called xmrig, a program already associated with wide campaigns exploiting unpatched IIS servers to mine Monero.
Analysis of the file revealed both the address of the Monero wallet and the password (KJU, possible reference to Kim Jong-un) it uses, as well as the fact that it sends the mined currency to the server barjuok.ryongnamsan.edu[.]kp server. The use of this domain reveals that the server is located at Kim Il Sung University.
The Installer copies a file named intelservice.exe to the system. It’s executed with, it’s likely a piece of software called xmrig. The Installer executes Xmrig with the following command:
"-o barjuok.ryongnamsan.edu.kp:5615 -u 4JUdGzvrMFDWrUUwY... -p KJU" + processorCount + " -k -t " + (processorCount -1)"
The installer passes xmrig the following arguments:
The hostname barjuok.ryongnamsan.edu[.]kp address doesn’t currently resolve. That means the software can’t send mined currency to the authors – on most networks. It may be that:
It’s not clear if we’re looking at an early test of an attack, or part of a ‘legitimate’ mining operation where the owners of the hardware are aware of the mining.
On the one hand the sample contains obvious messages printed for debugging that an attacker would avoid. But it also contains fake filenames that appear to be an attempt to avoid detection of the installed mining software.
If the software author is at KSU, they may not be North Korean. KSU is an unusually open University, and has a number of foreign students and lecturers.
There are two other pieces of software which share some code:
Based on the compilation string, initial upload location and French text – it’s likely the author of these two other samples is from Morocco. Therefore the software maybe created by entirely different authors that copied code from the same location, for example a forum.
Despite the sample being almost 11 days old, Virustotal shows only 9 AV vendors have a signature for it:
Alienvault has made a YARA rule you can use to block it:
rule nkminer_monero {
meta:
description = “Detects installer of Monero miner that points to a NK domain”
author = “[email protected]”
tlp = “white”
license = “MIT License”
strings:
$a = “82e999fb-a6e0-4094-aa1f-1a306069d1a5” nocase wide ascii
$b = “4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRy5YeFCqgoUMnzumvS” nocase wide ascii
$c = “barjuok.ryongnamsan.edu.kp” nocase wide ascii
$d = “C:\\SoftwaresInstall\\soft” nocase wide ascii
$e = “C:\\Windows\\Sys64\\intelservice.exe” nocase wide ascii
$f = “C:\\Windows\\Sys64\\updater.exe” nocase wide ascii
$g = “C:\\Users\\Jawhar\\documents\\” nocase wide ascii
condition:
any of them
}
As usual, here are the indicators of compromise:
| type | value |
| Destination IP | 175.45.178.19 |
| hostname | barjuok.ryongnamsan.edu.kp |
| md5 | 762c3249904a8bf76802effb54426655 |
| md5 | 42344bb45f351757e8638656e12a0135 |
| md5 | 6a261443299788af1467142d5f538b2c |
| md5 | 762c3249904a8bf76802effb54426655 |
| md5 | 42344bb45f351757e8638656e12a0135 |
| md5 | 6a261443299788af1467142d5f538b2c |
| sha1 | 0def199dbdb8dccf380511f67138088148ea83a3 |
| sha1 | 7cab4853c370a2dd299a5ab3ebeccfe17455cb43 |
| sha1 | 8965381377a884aa68eeb451b3e62175968b0b04 |
| sha256 | 42300b6a09f183ae167d7a11d9c6df21d022a5f02df346350d3d875d557d3b76 |
| sha256 | 0024e32c0199ded445c0b968601f21cc92fc0c534d2642f2dd64c1c978ff01f3 |
| sha256 | c599f3ca3417169e4a620b8231f8a97ccc63e291b9e09c888e6807dd90f1f17c |
References:
Header image from: ukrnames.com
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to ...
In today’s cybersecurity landscape, defenders must be adaptive, analytical, and battle-ready. While many training environments rely on staged attack simulations and pre-recorded log data, Mjolnir Security has built a next-generation wargaming platform that immerses trainees in real-time cyber battles—where adversaries are not scripted bots but actual threat actors attacking real-world infrastructure. This unparalleled approach to ...