In an exclusive piece of research, Check Point Researchers have carried out a revealing investigation into North Korea’s home-grown anti-virus software, SiliVaccine. One of the several interesting factors is that a key component of SiliVaccine’s code is a 10+-year-old copy of one of Trend Micro’s software components, a Japanese company.
A Suspicious Email
This investigation began when our research team received a very rare sample of North Korea’s ‘SiliVaccine’ anti-virus software from Martyn Williams, a freelance journalist with a focus on North Korean technology. Mr. Williams had himself received the software as a link in a suspicious email sent to him on July 8th 2014, by someone going by the name of ‘Kang Yong Hak’. This sender’s mailbox has since been rendered unreachable.
The strange email sent by ‘Kang Yong Hak’, supposedly a Japanese engineer, contained a link to a Dropbox-hosted zip file that held a copy of the SiliVaccine software, a Korean language readme file instructing how to use the software and a suspicious looking file posing as an update patch for SiliVaccine.
Trend Micro’s Scan Engine
After detailed forensic analysis of SiliVaccine’s engine files – the software component that provides the core file scanning capability of the anti-virus – our research team discovered exact matches of SiliVaccine and large chunks of 10+-year-old anti-virus engine code belonging to Trend Micro, a completely separate Japan-based provider of cybersecurity solutions. For this to happen, the developers who built SiliVaccine could have had access to a compiled library from any of Trend Micro’s commercially released products, or, theoretically, source code access.
Of course, the purpose of an anti-virus is to block all known malware signatures. However, a deeper investigation into SiliVaccine found that it was designed to overlook one particular signature, which ordinarily it would be expected to block, and which is blocked by the Trend Micro detection engine. While it is unclear what this signature actually is, what is clear is that the North Korean regime does not want to alert its users to it.
As for the supposed patch update file, this was found to be the JAKU malware. This was not necessarily part of the anti-virus but could have been included in the zip file as a way to target journalists such as Mr. Williams.
In brief, JAKU is a highly resilient botnet forming malware that has infected around 19,000 victims, primarily by malicious Bit Torrent file shares. It has however been seen to target and track more specific individual victims in both South Korea and Japan, including members of International Non-Governmental Organizations (NGOs), engineering companies, academics, scientists and government employees.
Our investigation found though that the JAKUfile was signed with a certificate issued to a certain ‘Ningbo Gaoxinquzhidian Electric Power Technology Co., Ltd’, the same company that was used to sign files by another well-known APT group, ‘Dark Hotel’. Both JAKU and Dark Hotel are thought to be attributed to North Korean threat actors.
The Japanese Connection
Japan and North Korea do not enjoy friendly political or diplomatic relations, which makes it strange that the initial email containing the copy of SiliVaccine appeared to have been sent by a Japanese national. However the unlikely connection does not end there, as other connections with Japan were also found by our researchers.
During our investigation, we discovered the names of the companies that are thought to have authored SiliVaccine, PGI (Pyonyang Gwangmyong Information Technology) and STS Tech-Service.
STS Tech-Service is known to have worked with other companies, including ‘Silver Star’ and ‘Magnolia’, both of which are based in Japan and have had previous cooperation with the KCC (Korea Computer Center), a North Korean government entity.
Trend Micro’s Response
Our team reached out to notify Trend Micro of their detection engine being used in SiliVaccine, who responded promptly and were highly cooperative. Their response was as follows:
“Trend Micro is aware of the research by Check Point on the “SiliVaccine” North Korean anti-virus product, and Check Point has provided us with a copy of the software for verification. While we are unable to confirm the source or authenticity of that copy, it apparently incorporates a module based on a 10+ year-old version of the widely distributed Trend Micro scan engine used by a variety of our products. Trend Micro has never done business in or with North Korea. We are confident that any such usage of the module is entirely unlicensed and illegal, and we have seen no evidence that source code was involved. The scan engine version at issue is quite old and has been widely incorporated in commercial products from Trend Micro and third party security products through various OEM deals over the years, so the specific means by which it may have been obtained by the creators of SiliVaccine is unknown. Trend Micro takes a strong stance against software piracy, however legal recourse in this case would not be productive. We do not believe that the infringing use at issue poses any material risk to our customers.”
Trend Micro’s indication that a widely licensed library was misappropriated may be behind SiliVaccine’s use of a 10+ year-old version of their scan engine is backed up by an additional analysis our team made of an older version of SiliVaccine, too. This suggests that this is not a one-time occurrence.
This revealing exploration into SiliVaccine may well raise suspicions of authenticity and motives of the IT security products and operations of this Hermit Kingdom.
While attribution is always a difficult task in cyber security, there are many questions raised by our findings. What is clear, however, are the shady practices and questionable goals of SiliVaccine’s creators. Our investigations point to yet another example of state-sponsored technologies being used in the fifth generation of the cyber threat landscape.