The malware—deployed on Christmas Eve—instructs an infected computer to mine for Monero, a bitcoin alternative, according to a report released Monday by AlienVault, a U.S. cybersecurity firm. Monero describes itself on its website as a “secure, private and untraceable” form of cryptocurrency where users’ accounts and transactions are shielded from “prying eyes.”
The mined funds then flow automatically to a server domain at Kim Il Sung University; to access them, the hacker would enter a three-letter password: KJU, a likely reference to North Korean leader Kim Jong Un.
It is unclear where the virus was planted or how much Monero was extracted, said Chris Doman, an AlienVault threat engineer who identified the malware from a database of computer viruses amassed by VirusTotal, a subsidiary of Alphabet Inc.’s Google. Because only large organizations automatically upload lots of files to VirusTotal, the malware was likely spotted at a big company, Mr. Doman said, though he is unable to determine how many computers were affected—or if the attack continues.
The Monero community, in a Monday statement from several prominent members, said millions of users “trust Monero to be that currency to conduct safe, private transactions.” But “no currency, digital or fiat, is immune to criminal malfeasance,” according to the statement.
The coding is rudimentary, suggesting more a student project than the work of North Korea’s elite hacking unit known as Lazarus. The malware’s creators hid certain files, suggesting the software wasn’t accidental or a prank, Mr. Doman said.
For instance, the malware installs the Monero miner in a folder that is part of the Microsoft Windows operating system, a typical maneuver for illegitimate software. And it installs under the file name “intelservice.exe,” so that a user might mistake it for a product from Intel Corp., Mr. Doman said.
“There is some type of subterfuge going on,” Mr. Doman said.
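The masquerading described above (a binary dropped into an operating-system folder under a vendor-like name) is something a defender can check for. The following is an added example, not AlienVault's tooling or anything from the report: it flags executables under the Windows directory whose name borrows a well-known vendor's name but which are not signed by that vendor. The file inventory is constructed for the example, the directory C:\Windows and the vendor-to-publisher mapping are assumptions, and on a real host the signer field would be filled from Authenticode signature metadata.

```python
"""Added example (not AlienVault's or the article's code): flag executables
that sit under the Windows system directory and borrow a well-known vendor's
name without carrying that vendor's code signature, the pattern the article
describes for "intelservice.exe".

The file records below are constructed for this example. On a real host the
`signer` field would be filled from Authenticode metadata; the directory
C:\\Windows and the vendor list are assumptions for illustration.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Vendor keyword a lure name might borrow -> publisher expected in a valid
# signature. Illustrative mapping, not an authoritative list.
VENDOR_KEYWORDS = {
    "intel": "Intel Corporation",
    "nvidia": "NVIDIA Corporation",
    "microsoft": "Microsoft Corporation",
}

# Top-level OS directory where a dropped binary blends in (assumed: C:\Windows).
SYSTEM_ROOT = ("c:\\", "windows")

CHECKED_SUFFIXES = (".exe", ".dll")


@dataclass(frozen=True)
class FileRecord:
    path: str               # full Windows path of the binary
    signer: Optional[str]   # publisher from its signature, None if unsigned


def in_system_dir(path: str) -> bool:
    """True when `path` lives anywhere below the assumed OS directory."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) > 2 and tuple(parts[:2]) == SYSTEM_ROOT


def impersonated_vendor(filename: str) -> Optional[str]:
    """Return the publisher a file name appears to claim, or None.

    Substring matching is deliberately coarse (it would also catch
    "intelligent.exe"), so hits are leads for review, not verdicts.
    """
    stem = PureWindowsPath(filename).stem.lower()
    for keyword, publisher in VENDOR_KEYWORDS.items():
        if keyword in stem:
            return publisher
    return None


def is_masquerade(rec: FileRecord) -> bool:
    """Suspicious when the binary is in the OS directory, names a vendor,
    and is not signed by that vendor (unsigned counts as not signed)."""
    p = PureWindowsPath(rec.path)
    if p.suffix.lower() not in CHECKED_SUFFIXES or not in_system_dir(rec.path):
        return False
    claimed = impersonated_vendor(p.name)
    return claimed is not None and rec.signer != claimed


def find_masquerades(records: List[FileRecord]) -> List[str]:
    """Paths of all records that fail the check, in input order."""
    return [r.path for r in records if is_masquerade(r)]


# Constructed inventory: one unsigned lure, one mis-signed DLL, two legitimate files.
SAMPLE_RECORDS = [
    FileRecord(r"C:\Windows\System32\intelservice.exe", None),
    FileRecord(r"C:\Windows\System32\svchost.exe", "Microsoft Corporation"),
    FileRecord(r"C:\Program Files\Intel\igfxtray.exe", "Intel Corporation"),
    FileRecord(r"C:\Windows\intelaudio.dll", "Contoso Ltd"),
]

if __name__ == "__main__":
    for path in find_masquerades(SAMPLE_RECORDS):
        print("review:", path)
```

The check deliberately treats an unsigned file and a file signed by an unrelated publisher the same way, because both fail the claim the file name makes; a legitimate Intel component outside the OS directory, or one carrying Intel's own signature, is left alone.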
Though direct links with the regime or Lazarus couldn’t be proved, the Monero-mining malware serves as another example of North Korea’s interest in cryptocurrencies, as the rogue nation seeks ways to raise money to offset the effects of tightened economic sanctions. North Korean hackers are suspected of a heist last month of a Seoul-based cryptocurrency exchange, The Wall Street Journal reported in December. That incident followed the WannaCry ransomware attack, which locked digital files and demanded bitcoin payment for their release. North Korea has denied involvement in hacking attacks.
Mr. Kim, the North Korean leader, is believed to have studied at Kim Il Sung University, which is named after his grandfather, the founder of North Korea. The current leader’s father, former dictator Kim Jong Il, attended the university in the 1960s. The university couldn’t be reached for comment about the AlienVault hacking report.
Pyongyang’s hackers in recent months have specifically targeted Monero, cybersecurity researchers say, hunting for the cryptocurrency on compromised banking and private-company servers. Internet usage and computer access are limited in North Korea, pushing the regime’s cryptocurrency-mining endeavors overseas.
Electronic “mining” is how new units of cryptocurrency, including bitcoin, are released into the world. It requires lots of computing power to generate special numbers that earn the miner new coins, but as bitcoin’s value rises, more miners compete for a finite supply of coins. Hardware and electricity costs can offset income as new bitcoins become scarcer, which is why, Mr. Doman said, Monero mining tends to be more profitable than bitcoin mining.
“So running [the Monero-mining software] on someone else’s computer means you don’t have any costs, only profit,” Mr. Doman said.
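The "special numbers" that mining searches for are solutions to a hash puzzle, and the cost Mr. Doman refers to is the number of hash attempts that search takes. The following is an added illustration, not from the article or from Monero's software: a toy puzzle in which a miner must find a nonce whose SHA-256 hash of the block header begins with a chosen number of zero bits. Every extra bit of difficulty doubles the expected work, while checking a claimed solution always costs a single hash. The header bytes are constructed, and SHA-256 stands in for Monero's actual mining algorithm, which is different.

```python
"""Added example, not from the article: a toy hash puzzle showing why mining
costs compute. A miner must find a nonce such that SHA-256(header || nonce)
starts with `difficulty_bits` zero bits; each extra bit doubles the expected
number of attempts. SHA-256 is used for simplicity and the header is a
constructed byte string; Monero's real algorithm differs.
"""
import hashlib
from typing import Tuple


def puzzle_hash(header: bytes, nonce: int) -> bytes:
    """SHA-256 over the header with an 8-byte big-endian nonce appended."""
    return hashlib.sha256(header + nonce.to_bytes(8, "big")).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """True when the top `difficulty_bits` bits of the digest are all zero."""
    if not 0 <= difficulty_bits <= 256:
        raise ValueError("difficulty_bits must be between 0 and 256")
    if difficulty_bits == 0:
        return True
    return int.from_bytes(digest, "big") >> (256 - difficulty_bits) == 0


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32) -> Tuple[int, int]:
    """Brute-force nonces from 0 upward; return (winning_nonce, hashes_tried)."""
    for nonce in range(max_nonce):
        if meets_target(puzzle_hash(header, nonce), difficulty_bits):
            return nonce, nonce + 1
    raise RuntimeError("no solution below max_nonce")


def expected_hashes(difficulty_bits: int) -> int:
    """Mean attempts to find a solution: 2**bits, as each bit halves the odds."""
    return 1 << difficulty_bits


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs one hash, unlike finding it."""
    return meets_target(puzzle_hash(header, nonce), difficulty_bits)


# Constructed header standing in for a real block's fields.
SAMPLE_HEADER = b"constructed-block-header:prev=00..00;txroot=ab..cd"

if __name__ == "__main__":
    for bits in (8, 12, 16):
        nonce, tried = mine(SAMPLE_HEADER, bits)
        print(f"{bits:2d} bits: nonce={nonce} tried={tried} expected~{expected_hashes(bits)}")
```

Running the block shows the attempt count climbing roughly sixteenfold for every four extra bits, which is the "more miners competing for a finite amount of coins" effect in miniature: raising difficulty makes each coin cost more electricity, and that cost is exactly what a miner running on someone else's hardware avoids.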
Bitcoin’s value has risen about 1,600% from a year-ago price of $911.20, according to the tracking site Coinmarketcap.com, while Monero has gained some 2,800% from a year-ago value of $13.47.