A newly discovered crypto-currency app that mines for the Bitcoin alternative Monero is designed to send any mined currency to a server on a domain at the Kim Il Sung University in Pyongyang, North Korea.
Researchers at AlienVault analyzed a Monero mining installer created on December 24 using tools previously connected with malware that harvested CPU power from vulnerable Windows IIS web servers to mine Monero.
US economic sanctions against North Korea are thought to have spurred North Korea’s interest in Bitcoin and other cryptocurrencies.
FireEye in September said it had observed spear-phishing attacks on three South Korean cryptocurrency exchanges in the months after the US announced sanctions in April. The US and UK have also accused North Korea of the WannaCry attack and collecting bitcoin ransom payments, which North Korea has denied.
The newly found installer and Monero mining kit could suggest the university is developing malware to mine on PCs outside North Korea and send the proceeds back to the country.
“Crypto-currencies could provide a financial lifeline to a country hit hard by sanctions. Therefore it’s not surprising that universities in North Korea have shown a clear interest in cryptocurrencies,” AlienVault researcher Chris Doman wrote.
The university hosted an Italian cryptocurrency expert last year who taught science and finance students about blockchain technology and bitcoin, as NKNews.org reported in November.
Despite accusations that North Korea has stolen and mined bitcoin, it’s not certain the country is developing crypto-mining malware.
Doman noted that the address of the server that would receive mined Monero currently doesn’t resolve, which means it can’t be used to send Monero to the authors. The use of a North Korean server could also be a “prank” simply to throw security researchers off course. There’s also the possibility the mining software is just a legitimate mining operation used knowingly by the hardware’s owners. Besides this, there are numerous foreign students at the university.
According to Doman, the mining application itself appears to be based on the open-source miner xmrig. The installer instructs the miner to send mined Monero to a server at barjuok.ryongnamsan.edu.kp, a domain under Kim Il Sung University’s ryongnamsan.edu.kp, which suggests it’s located at the university.
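For defenders, the practical takeaway from this description is that an xmrig-based miner reveals its pool endpoint and wallet on its command line (xmrig’s real flags are `-o`/`--url` for the pool and `-u`/`--user` for the wallet). The script below is an added example written for this article, not code from AlienVault or from the xmrig project: it parses process command lines, extracts the pool host and port, and flags anything reporting to the domain named above or to any `.kp` host. The sample command lines, the port numbers, and the wallet strings are constructed placeholders; the article gives none of them.

```python
"""Hunt for xmrig-style miner command lines and flag the pool they report to."""
import shlex
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Watch list built from the domain named in the AlienVault write-up; any host
# under it, or any .kp host, counts as a hit. Extend with your own indicators.
WATCHED_HOSTS = {"barjuok.ryongnamsan.edu.kp"}
WATCHED_SUFFIXES = (".ryongnamsan.edu.kp", ".kp")

# Real xmrig flags: -o/--url is the pool endpoint, -u/--user is normally the wallet.
POOL_FLAGS = ("-o", "--url")
USER_FLAGS = ("-u", "--user")


@dataclass
class MinerConfig:
    binary: str
    pool_host: str
    pool_port: Optional[int]
    wallet: Optional[str]
    suspicious: bool


def _flag_value(argv: List[str], flags) -> Optional[str]:
    """Return the value of a flag given as '-o val' or '--url=val', else None."""
    for i, tok in enumerate(argv):
        for flag in flags:
            if tok == flag and i + 1 < len(argv):
                return argv[i + 1].strip('"')
            if tok.startswith(flag + "="):
                return tok[len(flag) + 1:].strip('"')
    return None


def _split_endpoint(endpoint: str):
    """'stratum+tcp://host:port' or bare 'host:port' -> (host, port-or-None)."""
    if "://" not in endpoint:
        endpoint = "//" + endpoint  # make urlsplit treat it as a netloc
    parts = urlsplit(endpoint)
    try:
        port = parts.port
    except ValueError:  # non-numeric port string
        port = None
    return (parts.hostname or "").lower(), port


def is_watched_host(host: str) -> bool:
    return host in WATCHED_HOSTS or host.endswith(WATCHED_SUFFIXES)


def parse_xmrig_cmdline(cmdline: str) -> Optional[MinerConfig]:
    """Return a MinerConfig if the command line looks like an xmrig invocation."""
    try:
        # posix=False keeps Windows backslashes literal instead of treating them as escapes
        argv = shlex.split(cmdline, posix=False)
    except ValueError:
        return None
    if not argv:
        return None
    binary = argv[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    endpoint = _flag_value(argv[1:], POOL_FLAGS)
    wallet = _flag_value(argv[1:], USER_FLAGS)
    # '-o' alone is too generic (gcc -o ...); require either a miner-looking
    # binary name or a wallet flag alongside the pool flag. A renamed binary
    # still trips on the pool+wallet combination.
    if endpoint is None or ("xmrig" not in binary and wallet is None):
        return None
    host, port = _split_endpoint(endpoint)
    if not host:
        return None
    return MinerConfig(binary, host, port, wallet, is_watched_host(host))


def scan_cmdlines(cmdlines: List[str]) -> List[MinerConfig]:
    """Return a MinerConfig for every command line that looks like a miner."""
    return [cfg for cfg in map(parse_xmrig_cmdline, cmdlines) if cfg is not None]


# Constructed sample process command lines (ports and wallets are placeholders).
SAMPLE_CMDLINES = [
    r"xmrig.exe -o barjuok.ryongnamsan.edu.kp:5615 -u 4PLACEHOLDERWALLET -p x -k",
    r'"C:\Tools\miner.exe" --url=stratum+tcp://pool.example.org:3333 --user=PLACEHOLDERWALLET2 --pass=x --donate-level=1',
    r"notepad.exe C:\Users\analyst\notes.txt",
]

if __name__ == "__main__":
    for cfg in scan_cmdlines(SAMPLE_CMDLINES):
        tag = "WATCHED" if cfg.suspicious else "miner"
        print(f"{tag}: {cfg.binary} -> {cfg.pool_host}:{cfg.pool_port} wallet={cfg.wallet}")
```

In practice you would feed this from a process-creation log (Sysmon event 1, EDR telemetry) rather than from a list, and treat a hit on the watched domain as a hunting lead rather than proof of attribution, for the reasons Doman gives above. Note too that the extracted host is exactly what you would check against DNS: the article reports the named domain currently does not resolve, so a miner pointed at it cannot actually deliver anything today.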
Though the North Korean hacking group Lazarus has used Monero miners in previous attacks, AlienVault believes the “amateur” coding behind the installer suggests it is not the work of this group and is more likely a university project.