Since the allegations started being levelled against North Korea for potential involvement in the compromise of Sony Pictures Entertainment, there has been a stark increase in focus on North Korean cyber capabilities from the information security community. This includes, but is certainly not limited to, the outage of North Korea's network blocks and the security vulnerabilities discovered in the custom Linux distribution named Red Star. Recently, a security researcher has pointed out malware which is hosted on the Korean Central News Agency website.
The Korean Central News Agency at kcna.kp has been described as the primary news website for North Korea. The slow to respond website appears to host a number of news stories related to North Korea with a strong focus on Kim Jong Un. A perceptive reader may notice that every picture below contains Kim Jong Un.
This site provides a number of stories (with questionable degrees of truth) in a number of languages. When we view the English version of the site, we can see that a number of these stories appear to be focusing on negative aspects of South Korea, while others focus on Kim Jong Un walking around and looking at things.
Once this ZIP file is downloaded and opened, we can see two executable files inside it.
Install Flash Player 10 ActiveX.exe Install Flash Player 10 Plugin.exe
These executables are intended to be run by an unsuspecting user attempting to install the correct version of Flash in order to get full enjoyment out of the news stories. Without much surprise, these Flash installers being served up on servers not belonging to Adobe are malware.
If we look at these with CylanceV, we can see that our machine learning based detection engine identifies these samples as threats with no doubt in its conviction.
Both these executables were compiled in March of 2012. The antivirus industry's detection of this malware is also strong, likely due to the age of this malware, and how long ago it was submitted to public and private malware feeds. When executed, a legitimate installer for the Adobe product is executed in parallel with malware. The malware binded with these installers injects itself into an instance of Explorer.exe and then proceeds to drop and execute a sequence of other malware samples.
During the execution of these samples, the domain a.gwas.perl.sh is resolved by the malware. The WHOIS information for perl.sh has only changed slightly over time, and appears to have only pointed to the one IP address (220.127.116.11).
dnserver.com 18.104.22.168 None, None, Korea, Republic of
dnsever.co.kr 22.214.171.124 None, None, Korea, Republic of
dnsserver.co.kr 126.96.36.199 None, None, Korea, Republic of
dnsever.kr 188.8.131.52 None, None, Korea, Republic of
myhome.tv 184.108.40.206 None, None, Korea, Republic of
perl.sh 220.127.116.11 None, None, Korea, Republic of
wo.tc 18.104.22.168 None, None, Korea, Republic of
The resulting IP address of the DNS query of a.gwas.perl.sh (22.214.171.124) is then sent a DNS query, where the target domain is a string which presumably identifies features about the infected victim. One detonation of these samples resulted in the following DNS queries.
There have not been any responses observed from 126.96.36.199 for these requests. This IP points to a server in South Korea which appears to have at one point hosted a DNS server and HTTP server. There are a number of other domains which refer to this IP address either now, or during 2014:
When searching for other malware samples that reference this IP address, we also see the domains wakaoo.wo.tc and mbkorean.wo.tc as well as another reference to a.gwas.perl.sh being used in a similar fashion with malware samples going back to 2010. As we can see with CylanceV, our machine learning models detect this malware as well.
This North Korean news site is serving malware with no sign of compromise. This has presumably been the case for at least two years. After some digging into details related to the malware's operation, we can see that this is not the only malware developed by this author, and that they use similar techniques for command and control communications across different samples. If you want to stay safe from this malware, as well as almost all other malware, I highly suggest using CylancePROTECT.
Samples are available on VirusShare.com