According to a report by the American cybersecurity firm AlienVault, the software hides itself among legitimate files and programs, and uses the computer in which it has embedded itself to mine the cryptocurrency Monero. The mined coins are then sent on to a server based at Kim Il Sung University in Pyongyang.

The malware – which installs itself as intelservice.exe in what is likely an attempt to hide among legitimate products from Intel Corp – was identified by AlienVault through a database of computer viruses put together by the Google subsidiary VirusTotal. Cryptocurrency mining needs a lot of computing power, resulting in mounting electricity bills, which is why hackers often try to reassign the task to a network of compromised PCs under their control.

“So running [the cryptocurrency-mining software] on someone else’s computer means you don’t have any costs, only profit,” Chris Doman, the AlienVault threat engineer who identified the virus, told the Wall Street Journal. Faced with severe international sanctions, some analysts have suggested that Pyongyang may be looking at unorthodox ways to raise capital.

Last year, North Korea was accused of a series of online heists on banks and bitcoin exchanges in South Korea and Taiwan. But the rather primitive level of programming found in the code led AlienVault’s experts to suspect it was more of an amateur effort than something tied to the North Korean government.

“Given the amateur usage of Visual Basic programming in the Installer we analyzed, it’s unlikely the author is part of Lazarus [a group of hackers linked to the government],” AlienVault’s report read. “As the mining server is located in a university, we may be looking at a university project.” However, the university’s server doesn’t seem to be connected to the wider internet, so the final destination of the coins could be another server, and this could be just a ruse to trick security experts.
