Malware found mining cryptocurrency and secretly sending coins to a North Korean university

Security researchers have uncovered a software that mines cryptocurrency and then routes any mined coins to a university in North Korea. According to researchers at cybersecurity firm Alien Vault, the application deployed on Christmas Eve (24 December) uses infected host computers to mine Monero and then send over the mined digital currency to Kim Il Sung University in Pyongyang.

The revelation seems to highlight efforts by those in North Korea to find alternative sources of revenue in a country squeezed by tighter international sanctions and trade restrictions.

"Crypto-currencies could provide a financial lifeline to a country hit hard by sanctions," researchers said in a release. "Therefore it's not surprising that universities in North Korea have shown a clear interest in cryptocurrencies.

"Recently the Pyongyang University of Science and Technology invited foreign experts to lecture on crypto-currencies. The Installer we've analysed may be the most recent product of their endeavours."

However, researchers noted that the North Korean server used in the scheme does not seem to be connected to the wider internet and could have been set up to "trick" security researchers into believing that the funds are being channeled to the hermit kingdom.

Researchers added that if the developer behind the installer is at the university, they may not be North Korean since KSU has a number of foreign students and lecturers.

"It's not clear if we're looking at an early test of an attack, or part of a 'legitimate' mining operation where the owners of the hardware are aware of the mining," researchers said.

As cryptocurrency has risen in popularity and value in recent years, many nefarious actors have also looked to tap into the burgeoning market through browser-based cryptominers and cryptojacking popular websites.

Security researchers have also observed North Korea hackers heavily targeting South Korean cryptocurrency exchanges last year.

AlienVault researchers, however, said it is unlikely that the new cryptomining attack is linked to earlier advanced attacks by "high level" North Korean hackers such as the Lazarus group.

"We have not identified anything linking our Installer to these attacks," researchers said. "The Lazarus attackers have capable developers, and craft their own malware from a library of low-level code. Given the amateur usage of Visual Basic programming in the Installer we analysed, it's unlikely the author is part of Lazarus. As the mining server is located in a university, we may be looking at a university project."

Given that North Korea has few IP addresses assigned to it, AlienVault observed that one IP address – 175.45.178.19 – has been active on Bitcoin trading websites. The address has also been used in earlier cyberattacks targeting South Korean energy, telecommunications, broadcasting, political and financial institutions.

"This IP address is fairly notorious. It was used to control compromised web-servers in a set of 2014/2015 attacks linked to North Korea known as BlackMine," researchers said. "Given the small number of IP addresses assigned to North Korea it's probably just a coincidental link."

"You can also see North Korean IPs torrenting a number of Top Gear series, with a particular fondness for documentaries by James May. Following a similar logic we can't reliably say that North Korean attackers are big Top Gear fans, though it appears someone with internet access in the country is."