Security Experts:

Connect with us

Hi, what are you looking for?



Trend Micro Scan Engine Used by North Korea’s SiliVaccine Antivirus

Researchers have analyzed an older version of North Korea’s SiliVaccine antivirus and discovered that it uses an outdated scanning engine from Japanese security solutions provider Trend Micro.

Researchers have analyzed an older version of North Korea’s SiliVaccine antivirus and discovered that it uses an outdated scanning engine from Japanese security solutions provider Trend Micro.

Obtaining SiliVaccine is not an easy task, but a copy of the software was sent back in 2014 to Martyn Williams, a journalist specializing in North Korean technology. Williams published a review of the antivirus in September 2014.

The journalist recently provided a copy of the software to researchers at Check Point, who made a series of interesting discoveries.

Williams received a copy of SiliVaccine via email from an individual claiming to be a Japanese engineer named Kang Yong Hak, who provided the antivirus to the journalist along with what appeared to be a patch.


Check Point’s analysis of SiliVaccine revealed that the antivirus – apparently a version from 2013 – relied on a scanning engine developed by Trend Micro. The Japanese security firm’s own analysis showed that the version used in SiliVaccine was more than 10 years old and it had been used in a variety of its products.

“Trend Micro has never done business in or with North Korea. We are confident that any such usage of the module is entirely unlicensed and illegal, and we have seen no evidence that source code was involved,” Trend Micro said. “The scan engine version at issue is quite old and has been widely incorporated in commercial products from Trend Micro and third party security products through various OEM deals over the years, so the specific means by which it may have been obtained by the creators of SiliVaccine is unknown.”

Trend Micro has found evidence suggesting that its scan engine has been used in multiple versions of SiliVaccine. The company says it typically takes a strong stance against piracy, but initiating legal action would not help in this particular case, and it believes the use of its engine does not pose any risk to customers.

Check Point’s analysis revealed that SiliVaccine uses Trend Micro’s scan engine and the company’s pattern files to load malware signatures. However, the pattern files used by the North Korean antivirus are encrypted using a custom protocol and there are some differences in the engine itself, including the use of compiler optimization not present in the original software.

Another major difference is related to the fact that the SiliVaccine engine has been configured to not detect a particular signature. Researchers have not been able to find the file associated with that signature, but noted that the original Trend Micro scan engine does detect the threat.

According to experts, SiliVaccine was developed by a couple of organizations named PGI (Pyonyang Gwangmyong Information Technology) and STS Tech-Service, which appears to be linked to Japan through a couple of other companies. It’s worth noting that relations between Japan and North Korea are, as described by Wikipedia, “severely strained and marked by tension and hostility.”

Researchers also analyzed the patch file received by Williams in 2014 and determined that it delivers a first-stage dropper of the Jaku malware. A 2016 report on Jaku revealed that the malware had infected roughly 19,000 systems around the world. Experts discovered links to the Dark Hotel campaign, which, similar to Jaku, has been tied to North Korea.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


FBI says a North Korea-linked threat group known as Lazarus and APT38 is behind the $100 million Horizon bridge cryptocurrency heist.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...


A China-linked hackers are exploiting a vulnerability (CVE-2022-42475 ) in Fortinet FortiOS SSL-VPN, Mandiant claims.


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.