A North Korean cryptominer is raising questions as to whether it is an educational tool or a prototype to carry out silent attacks on unsuspecting CPUs.
AlienVault researchers identified a mysterious cryptocurrency miner sending any mined currency to Kim Il Sung University in Pyongyang, North Korea.
The Monero miner was spotted in an application compiled Christmas Eve 2017 and researchers said it was unclear whether or not the Monero miner was part of a legitimate mining operation where the owners of the hardware knew they were mining.
The sample contains obvious messages printed for debugging that an attacker would avoid but also includes fake filenames that appear to be an attempt to avoid detection of the installed mining software.
This wouldn't be the first time Monero mining was linked to North Korean hackers. In April 2017 Lazarus group hackers mined the currency on compromised servers during an attempted theft at a bank and later that year a faction of the group known as Andariel mined the currency on the network of a South Korean firm.
“Given the amateur usage of Visual Basic programming in the Installer we analysed, it's unlikely the author is part of Lazarus,” researchers said in the report. “As the mining server is located in a university, we may be looking at a university project.”
The university is known to have invited foreign experts to speak on cryptocurrencies which leads researchers to believe the miner may be one of the universities' latest endeavours.
It's also possible that the cryptominer's author is a foreign student or lecturer at the university as researchers said the author of two related samples is likely from Morocco, based on the compilation string, initial upload location and French text. This is another likely scenario unless all three samples were a prank by Moroccan hackers, researchers said.