
Malware Mining Crypto & Sending It to a North Korean University

As cryptocurrency has risen dramatically in popularity and value in recent years, many shady actors have looked to tap into the booming market, whether through browser-based cryptominers or, in North Korea's case, through cryptojacking campaigns against well-known websites.

Security researchers have discovered software that mines cryptocurrency on infected machines and then routes the mined coins to a university in North Korea.

According to researchers at the cybersecurity firm AlienVault, the application, deployed on Christmas Eve, uses the infected host computers to mine Monero (a cryptocurrency favoured by this kind of malware because it can be mined effectively on an ordinary CPU rather than needing a GPU) and then sends the mined coins to a server at Kim Il Sung University in Pyongyang.
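The behaviour described above, a CPU miner running on the infected host and paying out to a pool and wallet chosen by the operator, is the first thing a responder looks for on a suspect machine. The following is an added example, not AlienVault's code or anything taken from its report: a small Python triage script that runs over a constructed `ps -eo pid,user,args` style listing, picks out xmrig-style miner command lines, and extracts the pool host/port and the payout wallet. The process rows, the pool hosts and the wallet string are constructed placeholders, not the real indicators from the report.

```python
"""Spot CPU-miner processes in a process listing and pull out where the payout goes.

Added example for this article, not AlienVault's tooling. The process lines,
the pool hosts and the wallet string below are constructed placeholders,
not the real indicators from the report.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
# Monero standard address (starts with 4) and subaddress (starts with 8) are 95
# base58 chars; an integrated address starts with 4 and is 106 chars.
XMR_ADDR_RE = re.compile(rf"^(?:[48]{BASE58}{{94}}|4{BASE58}{{105}})$")

# xmrig-style flags: "-o host:port", "--url=stratum+tcp://host:port", "-u <wallet>".
POOL_RE = re.compile(r"(?:^|\s)(?:-o|--url)[= ]\s*(?:stratum\+(?:tcp|ssl)://)?([^\s:/]+):(\d+)")
USER_RE = re.compile(r"(?:^|\s)(?:-u|--user)[= ]\s*(\S+)")


@dataclass
class MinerHit:
    pid: int
    user: str
    binary: str
    pool_host: Optional[str]
    pool_port: Optional[int]
    wallet: Optional[str]
    wallet_looks_like_monero: bool
    pool_is_bare_ip: bool


def is_monero_address(s: str) -> bool:
    return XMR_ADDR_RE.match(s) is not None


def looks_like_miner(args: str) -> bool:
    """Cheap triage: a stratum URL, the CryptoNight/RandomX algorithm names
    Monero has used, the xmrig donate flag, or a pool plus a user flag together."""
    low = args.lower()
    if "stratum+tcp://" in low or "stratum+ssl://" in low:
        return True
    if "--donate-level" in low or "cryptonight" in low or "randomx" in low:
        return True
    return bool(POOL_RE.search(args) and USER_RE.search(args))


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_process_line(line: str) -> Optional[MinerHit]:
    """One `ps -eo pid,user,args` row -> MinerHit, or None if it is not a miner."""
    parts = line.split(None, 2)
    if len(parts) < 3 or not parts[0].isdigit():
        return None
    pid, user, args = parts
    if not looks_like_miner(args):
        return None
    pool = POOL_RE.search(args)
    usr = USER_RE.search(args)
    host = pool.group(1) if pool else None
    wallet = usr.group(1) if usr else None
    return MinerHit(
        pid=int(pid),
        user=user,
        binary=args.split()[0],
        pool_host=host,
        pool_port=int(pool.group(2)) if pool else None,
        wallet=wallet,
        wallet_looks_like_monero=bool(wallet and is_monero_address(wallet)),
        pool_is_bare_ip=bool(host and _is_ip(host)),
    )


def scan_process_log(text: str) -> List[MinerHit]:
    hits = [parse_process_line(row) for row in text.splitlines()]
    return [h for h in hits if h is not None]


# Constructed sample: a placeholder 95-char wallet and two miner-like rows among normal ones.
SAMPLE_WALLET = "4" + "Ab1Cd2Ef3Gh4Jk5Mn6Pq7Rs8Tu9Vw1Xy2Za3bc4de5fg6hj" * 2
PROCESS_LOG = "\n".join([
    "PID USER ARGS",
    "1021 root /usr/sbin/sshd -D",
    "2233 www-data /usr/bin/python3 app.py",
    f"3410 user /tmp/.x/xmrig -o stratum+tcp://pool.example.invalid:3333 -u {SAMPLE_WALLET} -p x --donate-level=0",
    "3512 user /usr/lib/firefox/firefox",
    "4001 nobody /var/tmp/kworkerds -a cryptonight -o 10.0.0.5:4444 -u worker1 -p x",
])

if __name__ == "__main__":
    for hit in scan_process_log(PROCESS_LOG):
        print(hit)
```

The pool host is the operator's collection point, so once it is extracted the natural next step is the one the researchers describe below: check whether that host actually resolves and answers, because a payout server that is unreachable from the internet cannot collect anything. A bare IP instead of a hostname, and a `-u` value that is a pool login rather than a wallet, are both worth noting in the triage record, since either changes how much the miner configuration tells you about who gets paid.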

The discovery appears to highlight efforts by actors in North Korea to find alternative sources of income for a country squeezed by tightening international sanctions.

The researchers noted that the North Korean server used in the operation does not appear to be connected to the wider internet, and cautioned that it could have been set up to trick security researchers into believing the funds are being channelled to the isolated country.

They added that even if the developer behind the installer is indeed at the university, that person may not be North Korean, since Kim Il Sung University hosts a number of foreign students and lecturers as well.

Security researchers have also observed North Korean hackers aggressively targeting South Korean cryptocurrency exchanges in the preceding years.

AlienVault's researchers said the new cryptomining campaign is unlikely to be linked to the earlier, more sophisticated attacks attributed to high-level North Korean hackers such as the Lazarus Group.

AlienVault did observe that one North Korean IP address – – has been fairly active on Bitcoin trading sites, and that the same address was used in previous cyberattacks targeting South Korean telecommunications, political and financial institutions. Because North Korea has very few IP addresses assigned to it, however, the overlap carries little weight on its own.

“This IP address is notorious. It was used to control compromised web servers in a set of 2014/2015 attacks linked to N. Korea known as BlackMine,” the researchers said. “Given the small number of IP addresses assigned to North Korea, it’s probably just a coincidental link.”


CryptoBuzz News Network
