Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Monero Miner Sends Cryptocurrency to North Korean University

An application compiled just weeks ago was found to be an installer for a Monero miner designed to send the mined currency to a North Korean university, AlienVault reports.

An application compiled just weeks ago was found to be an installer for a Monero miner designed to send the mined currency to a North Korean university, AlienVault reports.

The application’s developers, however, might not be of North Korean origins themselves, the security researchers say. They also suggest that the tool could either be only an experimental application or could attempt to trick researchers by connecting to Kim Il Sung University in Pyongyang, North Korea.

Once the discovered installer is run, it copies a file named intelservice.exe to the system, which is often associated with cryptocurrency mining malware. The arguments the file is executed with reveal it is a piece of software called xmrig, a program already associated with wide campaigns exploiting unpatched IIS servers to mine Monero.

Analysis of the file revealed both the address of the Monero wallet and the password (KJU, possible reference to Kim Jong-un) it uses, as well as the fact that it sends the mined currency to the server barjuok.ryongnamsan.edu.kp server. The use of this domain reveals that the server is located at Kim Il Sung University, AlienVault says.

AlienVault’s security researchers also discovered that the specified address doesn’t resolve, either because the app was designed to run on the university’s network, because the address used to resolve in the past, or because it is only meant to trick security researchers.

“It’s not clear if we’re looking at an early test of an attack, or part of a ‘legitimate’ mining operation where the owners of the hardware are aware of the mining,” AlienVault says.

The sample was also found to contain obvious messages printed for debugging as well as fake filenames meant to avoid detection. According to the researchers, if the software author is at the Kim Il Sung University, they might not be North Korean.

“KSU is an unusually open University, and has a number of foreign students and lecturers,” the researchers explain.

Advertisement. Scroll to continue reading.

North Korean attacks focused on Monero mining have been spotted before, such as those associated with Bluenorroff and Andariel hackers, who are generally considered as being part of the Lazarus group. However, AlienVault hasn’t discovered evidence to link the newly found installer to the previous attacks.

“The Lazarus attackers have capable developers, and craft their own malware from a library of low-level code. Given the amateur usage of Visual Basic programming in the Installer we analyzed, it’s unlikely the author is part of Lazarus. As the mining server is located in a university, we may be looking at a university project,” the researchers note.

On the other hand, with the country hit hard by sanctions, crypto-currencies could easily prove highly valuable resources, and a North Korean university’s interest in the area wouldn’t be surprising.

In fact, the Pyongyang University of Science and Technology recently invited foreign experts to lecture on crypto-currencies, and the recently discovered installer might be a product of their endeavors, AlienVault suggests.

Related: Monero Miner Infects Hundreds of Windows Servers

Related: North Korea Accused of Stealing Bitcoin to Bolster Finances

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Matthew Cowell has assumed the role of VP of Strategic Alliances at Nozomi Networks. He previously served in the same role at Dragos.

Bret Arsenault is retiring from his full-time role after 35 years at Microsoft.

Social engineering defense platform Doppel has appointed Bobby Ford as Chief Strategy and Experience Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.