In an exclusive piece of research, Check Point Researchers have carried out a revealing investigation into North Korea’s home-grown anti-virus software, SiliVaccine. One of several interesting findings is that a key component of SiliVaccine’s code is a 10+-year-old copy of a software component belonging to Trend Micro, a Japanese company.
A suspicious email:
This investigation began when the research team received a very rare sample of North Korea’s ‘SiliVaccine’ anti-virus software from Martyn Williams, a freelance journalist with a focus on North Korean technology. Mr Williams had himself received the software as a link in a suspicious email sent to him on July 8th, 2014, by someone going by the name of ‘Kang Yong Hak’. This sender’s mailbox has since been rendered unreachable.
The strange email sent by ‘Kang Yong Hak’, supposedly a Japanese engineer, contained a link to a Dropbox-hosted zip file that held a copy of the SiliVaccine software, a Korean-language readme file instructing how to use the software, and a suspicious-looking file posing as an update patch for SiliVaccine.
Trend Micro’s scan engine:
After detailed forensic analysis of SiliVaccine’s engine files — the software component that provides the core file scanning capability of the anti-virus — the research team discovered that large chunks of SiliVaccine exactly match 10+-year-old anti-virus engine code belonging to Trend Micro, a completely separate Japan-based provider of cybersecurity solutions. For this to happen, the developers who built SiliVaccine could have had access to a compiled library from any of Trend Micro’s commercially released products, or, theoretically, to the source code itself.
Of course, the purpose of an anti-virus is to block all known malware signatures. However, a deeper investigation into SiliVaccine found that it was designed to overlook one particular signature, which ordinarily it would be expected to block, and which is blocked by the Trend Micro detection engine. While it is unclear what this signature actually is, what is clear is that the North Korean regime does not want to alert its users to it.
As for the supposed patch update file, this was found to be the JAKU malware. JAKU is a highly resilient botnet-forming malware that has infected around 19,000 victims, primarily through malicious BitTorrent file shares. The investigation also found that the JAKU file was signed with a certificate issued to a certain ‘Ningbo Gaoxinquzhidian Electric Power Technology Co., Ltd’, the same company whose certificate was used to sign files by another well-known APT group, ‘Dark Hotel’. Both JAKU and Dark Hotel are thought to be attributable to North Korean threat actors.
The Japanese connection:
Japan and North Korea do not enjoy friendly political or diplomatic relations, which makes it strange that the initial email containing the copy of SiliVaccine appeared to have been sent by a Japanese national. However, the unlikely connection does not end there, as the researchers found further links to Japan.
During the investigation, the researchers identified the companies thought to have authored SiliVaccine as PGI and STS Tech-Service.
Trend Micro is aware of the research by Check Point on the “SiliVaccine” North Korean anti-virus product, and Check Point has provided a copy of the software for verification.
This revealing exploration into SiliVaccine may well raise suspicions about the authenticity and motives of the IT security products and operations of this Hermit Kingdom.
While attribution is always a difficult task in cybersecurity, there are many questions raised by our findings. What is clear, however, are the shady practices and questionable goals of SiliVaccine’s creators. The investigations point to yet another example of state-sponsored technologies being used in the fifth generation of the cyber threat landscape....