North Korean University accused of creating Monero-mining malware
Kim Il Sung University accused of trying to raise funds through Monero
A North Korean university has been accused of using Monero-mining malware in a bid to raise much-needed foreign currency.
It is not the first time that North Korea has been accused of resorting to cyber crime in order to make money - the attempted $951m cyber heist on Bangladesh Bank in February 2016 has been attributed to the country.
Now IT security firm AlienVault has accused Kim Il Sung University in Pyongyang, the North Korean capital, of creating an application that mines the Monero cryptocurrency.
This is not generic malware used as-is: according to AlienVault it is a purpose-built installer that wraps the open-source xmrig miner, and any mined Monero is directed to a server under the University's own domain, which at least on the surface makes it fairly straightforward where the finger of blame should be pointed.
In a blog posting, the company explained: "AlienVault labs recently analysed an application compiled on Christmas Eve 2017. It is an installer for software to mine the Monero crypto-currency. Any mined currency is sent to Kim Il Sung University in Pyongyang, North Korea."
It continues: "The installer copies a file named intelservice.exe to the system. The filename intelservice.exe is often associated with crypto-currency mining malware. Based on the arguments it's executed with, it's likely a piece of software called 'xmrig'.
"It's not unusual to see xmrig in malware campaigns. It was recently used in some wide campaigns exploiting unpatched IIS servers to mine Monero."
According to the company, the mining-pool address the malware is configured to send mined Monero to, barjuok.ryongnamsan.edu.kp, belongs to the University, but the hostname does not currently resolve on the public internet, raising questions about the true origin and intent of the malware.
AlienVault suggested one of three possibilities:
- The application is designed to be run within another network, such as that of the University itself;
- The address used to resolve but no longer does; or,
- The usage of a North Korean server is a prank to trick security researchers.
The blog continued: "It's not clear if we're looking at an early test of an attack, or part of a 'legitimate' mining operation where the owners of the hardware are aware of the mining.
"On the one hand the sample contains obvious messages printed for debugging that an attacker would avoid. But it also contains fake filenames that appear to be an attempt to avoid detection of the installed mining software.
"If the software author is at KSU, they may not be North Korean. KSU is an unusually open University, and has a number of foreign students and lecturers."
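The indicators in AlienVault's write-up (a miner binary renamed to intelservice.exe, a pool address and wallet passed on the command line, a pool hostname that no longer resolves) are the kind of thing an incident responder hunts for in process listings. The script below is an added example written for this page, not AlienVault's code and not its actual sample: it parses xmrig-style command lines from a few constructed process-listing lines, flags the combination of pool URL plus user, notes when those arguments appear under an image name that is not xmrig, and offers a live DNS check for the pool host. The paths, pool hostname and wallet in the sample lines are constructed; only the filename intelservice.exe comes from the write-up, and the option names are xmrig's own.

```python
"""Hunt for xmrig-style miner invocations in process command lines.

Added example for this article; constructed data, not AlienVault's indicators.
"""
import re
import socket
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# xmrig's real option names (short and long). The binary can be renamed, but
# the option grammar it is launched with is hard to hide.
XMRIG_OPTIONS = {
    "-o": "url", "--url": "url",
    "-u": "user", "--user": "user",
    "-p": "pass", "--pass": "pass",
    "-a": "algo", "--algo": "algo",
    "-t": "threads", "--threads": "threads",
    "--donate-level": "donate_level",
}
XMRIG_SWITCHES = {"-k", "--keepalive", "--nicehash", "-B", "--background"}

# intelservice.exe is the name quoted in the write-up; the other two are assumptions.
SUSPICIOUS_IMAGES = {"intelservice.exe", "xmrig.exe", "xmrig"}

# Monero standard address: 95 base58 characters starting with 4 (or 8 for subaddresses).
MONERO_ADDRESS = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")


@dataclass
class MinerFinding:
    image: str
    pool_host: Optional[str]
    pool_port: Optional[int]
    wallet: Optional[str]
    reasons: List[str] = field(default_factory=list)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows-style command line, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_cmdline(cmdline: str) -> Tuple[str, Dict[str, str], Set[str]]:
    """Return (image name, xmrig options found, xmrig switches found)."""
    tokens = tokenize(cmdline)
    image = tokens[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    opts: Dict[str, str] = {}
    switches: Set[str] = set()
    i = 1
    while i < len(tokens):
        name, _, inline = tokens[i].partition("=")   # handles --url=host:port
        if name in XMRIG_OPTIONS:
            if inline:
                value = inline
            elif i + 1 < len(tokens):               # handles -o host:port
                i += 1
                value = tokens[i]
            else:
                value = ""
            opts[XMRIG_OPTIONS[name]] = value
        elif tokens[i] in XMRIG_SWITCHES:
            switches.add(tokens[i])
        i += 1
    return image, opts, switches


def split_pool(url: str) -> Tuple[Optional[str], Optional[int]]:
    """xmrig accepts both 'host:port' and 'stratum+tcp://host:port'."""
    if "://" not in url:
        url = "stratum+tcp://" + url
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:
        port = None
    return parts.hostname, port


def assess(cmdline: str) -> Optional[MinerFinding]:
    image, opts, _ = parse_cmdline(cmdline)
    reasons = []
    if image in SUSPICIOUS_IMAGES:
        reasons.append(f"image name {image!r} is associated with mining malware")
    has_pool_args = "url" in opts and "user" in opts
    if has_pool_args:
        reasons.append("xmrig-style pool/user arguments present")
        if image not in SUSPICIOUS_IMAGES and not image.startswith("xmrig"):
            reasons.append("miner arguments under an unrelated image name (renamed binary)")
    wallet = opts.get("user")
    if wallet and MONERO_ADDRESS.match(wallet):
        reasons.append("user field is a Monero address")
    if not reasons:       # a lone -k or -p is common in benign processes (svchost.exe)
        return None
    host, port = split_pool(opts["url"]) if "url" in opts else (None, None)
    return MinerFinding(image, host, port, wallet, reasons)


def scan(lines: List[str]) -> List[MinerFinding]:
    return [f for f in (assess(line) for line in lines) if f is not None]


def pool_host_resolves(host: str) -> bool:
    """Live DNS check (needs network); the write-up's pool name did not resolve."""
    try:
        socket.gethostbyname(host)
        return True
    except OSError:
        return False


# Constructed sample process lines; the wallet only has the shape of a Monero address.
CONSTRUCTED_WALLET = "4" + "B" * 94
SAMPLE_PROCESS_LINES = [
    rf'C:\Windows\Temp\intelservice.exe -o stratum+tcp://pool.example.invalid:3333 -u {CONSTRUCTED_WALLET} -p x -k --donate-level=1',
    r'"C:\Program Files\Intel\intelservice.exe" --url=pool.example.invalid:5555 --user=worker1 --pass=x -t 4',
    r'C:\Windows\System32\svchost.exe -k netsvcs -p',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1234',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_PROCESS_LINES):
        print(finding.image, finding.pool_host, finding.pool_port, finding.reasons)
```

Requiring both a pool URL and a user before flagging is what keeps `svchost.exe -k netsvcs -p` out of the results even though `-k` and `-p` collide with xmrig's short options; the image-name check catches a miner launched with no arguments at all. On a real host, feed the output of `wmic process get commandline` or `Get-CimInstance Win32_Process` into `scan`, and use `pool_host_resolves` on the extracted host to test the same "does the pool still resolve?" question AlienVault raised.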
North Korea, which runs an organisation called Room 39 dedicated to raising funds through counterfeiting and illegal narcotics, has in recent years turned its attention to cyber crime.
Mun Chong-hyun, chief analyst at the South Korea-based cyber-security firm ESTsecurity, is among those who have been tracking the country's illicit cryptocurrency-mining activity.
"With economic sanctions in place, cryptocurrencies are currently the best way to earn foreign currency in North Korea's situation. It is hard to trace and can be laundered several times," Mun Chong-hyun told Reuters.