
Jaku Botnet: Active Operation With Possible Links to Darkhotel APT Group

Jaku Botnet is an Active Botnet Operation Possibly Controlled by Darkhotel Threat Actors 

Recent analysis of the Jaku botnet by security researchers at Forcepoint provides surprisingly contradictory indications on who might be behind it. On the one hand there are elements of sophisticated professionalism: three separate mechanisms are used to ensure that harvested victim telemetry gets through to the malware authors. But on the other hand, that same telemetry is held in 500 MB files disguised as jpegs. A 500 MB jpeg would be a red flag to any security researcher.

Such contradictions and half clues have led Forcepoint researchers to decline formal attribution. Pressed by SecurityWeek, Andy Settle, Forcepoint's lead analyst on the research, commented, "If we were asked to make an informed assessment, then we would be willing to propose and argue the hypothesis that Darkhotel and Jaku share the same developers and possibly operators. If this hypothesis was accepted, then the inference would be that JAKU and Darkhotel are both campaigns being operated by an organization that is able to draw upon a re-deployable support infrastructure."

The botnet was discovered when Forcepoint, formerly known as Raytheon|Websense, detected the use of 'tactics, techniques and procedures' (TTPs) similar to those used by the Darkhotel APT, a campaign that targeted business travelers in the Asia-Pacific region. This led to the discovery of a C&C server and the first 500 MB jpeg - which turns out to be a SQLite database of victims' telemetry.
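An added example, not taken from Forcepoint's research or the original article: a defender-side check for the artifact described above, a file with a .jpg name whose header is really SQLite or whose size is implausible for an image. The size threshold, file names and sample bytes are constructed assumptions.

```python
import os
import tempfile

JPEG_MAGIC = b"\xff\xd8\xff"            # start-of-image marker of a real JPEG
SQLITE_MAGIC = b"SQLite format 3\x00"   # 16-byte SQLite 3 file header
SIZE_LIMIT = 100 * 1024 * 1024          # assumed cut-off for an implausibly large image

def classify(path, size_limit=SIZE_LIMIT):
    """Return a list of findings for a file that claims to be a JPEG."""
    findings = []
    with open(path, "rb") as fh:
        head = fh.read(16)
    if head.startswith(SQLITE_MAGIC):
        findings.append("sqlite-header")
    elif not head.startswith(JPEG_MAGIC):
        findings.append("not-jpeg-header")
    if os.path.getsize(path) > size_limit:
        findings.append("oversized")
    return findings

def scan(root, size_limit=SIZE_LIMIT):
    """Walk root and report every .jpg/.jpeg file with at least one finding."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jpg", ".jpeg")):
                path = os.path.join(dirpath, name)
                findings = classify(path, size_limit)
                if findings:
                    report[os.path.relpath(path, root)] = findings
    return report

def demo():
    """Build constructed sample files in a temp directory and scan them."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "photo.jpg": JPEG_MAGIC + b"\xe0" + b"\x00" * 64,    # plausible JPEG start
            "stats.jpg": SQLITE_MAGIC + b"\x00" * 4096,          # SQLite header, .jpg name
            "big.jpeg": JPEG_MAGIC + b"\xe0" + b"\x00" * 2048,   # valid header, over limit
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan(root, size_limit=1024)  # tiny limit keeps the demo files small

if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(path, findings)
```

The same header-versus-extension comparison can be applied to web server document roots or to proxy logs that record content type and response size.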

Pivoting off that data, Forcepoint discovered a total of 7 C&C servers. It cannot legally see into the victim machines directly, but can still learn much about them from the collected telemetry. It knows of about 19,000 victims from all around the world. The majority, however, are concentrated in several APAC countries, especially Korea and Japan.

A surprisingly high percentage of the victims use pirated versions of Windows - statistically suggesting that there are even more illegal versions in these APAC countries than was previously believed. One observed attack method is via BitTorrent.

Although the majority of victims are consumer PCs, there are nevertheless a few corporate victims shown in the telemetry. Settle told SecurityWeek, "We also found a number of corporates in there. Those corporates were fairly low in number, but show that it just takes one weak link for the bad guys to get into an enterprise. One example involved a large US corporate. Out of thousands of employees, it had two road warriors on the road with laptops that weren't correctly configured to provide the protection they should have had. This was enough for Jaku to get into the corporate infrastructure via one of the employees."

One rather surprising discovery was that other hackers had located Jaku and were using it at weekends. "We found," said Settle, "that other bad guys found and took over the C&C servers for a bit of weekend Spanish credit card scamming - the Jaku guys came back on Monday and booted them off - which incidentally shows that the Jaku actors don't work over the weekend." He declined to confirm that this suggests the actors behind Jaku are an organized and professional group; but admitted that it is a valid hypothesis.

The big surprise, however, remains the 500 MB telemetry databases half-heartedly disguised as jpegs. "Why would you have your telemetry data sitting in a 500 MB jpeg publicly readable on a web server? I don't have an answer for that." It is even more surprising when you realize that within these large databases there are relatively few examples of specifically named and targeted individuals. Those individuals all have at least a loose connection to North Korea, although they are not necessarily located in North Korea.

This focus, plus Forcepoint's conclusion that the malware authors are native Korean speakers, has led to some suggestions that Jaku is an elaborate cyberespionage database targeting North Korea. The argument suggests that the large readable telemetry databases are solely intended to hide the existence of the limited actual targets - hiding in plain sight. Neither Settle nor Leonard would comment on this possibility; but its weakness is that it hasn't worked.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.