North Koreas AV Software Contains Pilfered Trend Micro Software

  /     /     /  
Publicated : 22/11/2024   Category : security


North Koreas AV Software Contains Pilfered Trend Micro Software


Researchers get hold of a copy of Kim Jong Un regimes mysterious internal SiliVaccine antivirus software, provided only to its citizens, and find a few surprises.



A rare hands-on analysis of the antivirus software that North Korea provides its citizens shows the proprietary tool is based on a 10-year-old version of Trend Micros AV scanning engine that also was customized to ignore a specific type of malware rather than flag it.
Researchers at Check Point today published new research from their
exclusive study of the so-called SiliVaccine AV program
that is used only inside the cloistered nation. North Korea blocks its citizens from the public Internet and runs its own intranet; only North Koreas ruling elite are
allowed access
to the global Internet.
Check Point obtained a sample of the malware from a freelance journalist specializing in North Korean technology who had received a suspicious email message with a link to the AV program. The researchers say its unclear just how North Korea got its hands on Trend Micros AV engine, but since Trend doesnt do business with North Korea, its most likely a case of stolen intellectual property.
Jon Clay, director of global threat communications at Trend Micro, told Dark Reading that the software was not stolen via a hack of Trend Micro systems. Rather, Trend Micro suspects its software was pirated somehow. We strongly believe this is a case of software piracy, in which our software is being used illegally. North Korea has been repackaging software for sale locally for years, including Adobe Reader in 2013, for example, he says.
This was not a data breach and no evidence suggests they are using stolen source code, he says. It appears they obtained a public version of our scan engine DLL and modified it.
What is clear is that the North Korean AV was built to appear as its own software. Every aspect was well-written and they had a lot to hide … the signatures are encrypted and the fields are protected, says MichaelKajiloti, malware research team leader at Trend Micro.
SiliVaccine uses Trend-Micro AV pattern files but renamed Trends malware signature names with names of its own, for example, and the Trend Micro engines identity is well-masked, according to Check Point.
They went the extra mile to hide the fact they stole intellectual property, says Mark Lechtik, one of the Check Point security researchers who studied SiliVaccine.
But Trend Micros Clay maintains that North Koreas SiliVaccine does not have access to Trend Micros AV signature updates, and that the AV program instead is using homegrown signatures of its own.
Malware Whitelist
SiliVaccine operates with another hidden twist: it whitelists a specific malware signature that Trend Micro identifies as MAL_NUCRP-5, which detects files that employ behavior patterns used in various types of malware, including fake antivirus installers and droppers, Check Point found. That may allow the North Korean government to run malware on its citizens machines without their knowledge, possibly for some type of surveillance, according to the researchers. Or the signature gives them the option to create any malware they want to target citizens and build it in such a way that the AV will never catch it, says Kajiloti.
Lechtik says Check Points team concluded that the development of SiliVaccine has been ongoing for several years. I highly doubt it was reverse-engineered, he says. We think its more likely that its much more a part of their getting access to the software, he says.
Check Point shared its findings with Trend Micro, which confirmed that the software uses a module based on an older version of its AV scanning engine from more than ten years ago - VSAPI Scan Engine 8.9x - and that no source code is included in the software. Trend believes its a case of software piracy, and that the fraudsters reverse-engineered the software as its own.
It appears that a compiled code library was illegally copied, repacked, and then wrapped with additional application code not originating from Trend Micro to build a normal AV scanning application called SiliVaccine, Trend Micros Clay says. The authors of the SiliVaccine product intentionally removed a specific heuristic detection in their products version of the pattern file.
In the end, there doesnt appear to be any risk to legitimate users of Trend Micros AV software since its such an old version, and SiliVaccine has its own encrypted files that cant be used by existing Trend Micro AV products. The result is that it would be impossible for a Trend Micro product to accidentally or even intentionally use a SiliVaccine modified pattern file since Trend Micro products perform pattern integrity checks, Clay says.
Clay says the incident suggests that North Korea has programmers with reverse-engineering skills. As such, any software vendor should be concerned that North Korea could do the same with their code.
It also indicates they didnt want to develop their own AV scanner: They needed an AV scanner and did not want to put in the time or effort to develop their own so they illegally obtained a publicly available scanner and modified it for their own use, Clay says.
Dark Hotel Clue
Journalist Martyn Williams in July 2014 received a sketchy email from a purported Japanese engineer with a news tip that included a Dropbox-hosted zip file with SiliVaccine software and a file posing as a patch for the AV program. The phony patch turned out to be a camouflaged piece of JAKU malware, which is a Trojan dropper which has been tied to DarkHotel, a North Korean cyber espionage group.
The JAKU file was also signed with a certificate from the same company that had also signed malware files for the Dark Hotel nation-state hacking group thought to be out of North Korea.
We cant really say the JAKU bundled in was part of SiliVaccine; it might be … but more likely Martyn [Williams] was the target here of a cyber espionage campaign, Lechtik says.
JAKU to date has infected 19,000 victims mostly via malicious BitTorrent share files. Its typically known for targeting and monitoring individuals in South Korea and Japan who work for non-governmental organizations, engineering firms, government, as well as academia.
Related Content:
North Korea Ramps Up Operation GhostSecret Cyber Espionage Campaign
North Korea-Linked Cyberattacks Spread Out of Control: Report
Lazarus Group Attacks Banks, Bitcoin Users in New Campaign
8 Nation-State Hacking Groups to Watch in 2018

Last News

▸ Making use of a homemade Android army ◂
Discovered: 23/12/2024
Category: security

▸ CryptoWall is more widespread but less lucrative than CryptoLocker. ◂
Discovered: 23/12/2024
Category: security

▸ Feds probe cyber breaches at JPMorgan, other banks. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
North Koreas AV Software Contains Pilfered Trend Micro Software