North Korea's SiliVaccine antivirus contains stolen Trend Micro engine

The antivirus software uses decade-old code stolen from a competitor and is bundled with malware.
Written by Charlie Osborne, Contributing Writer

North Korea's state antivirus software contains code taken from a decade-old version of Trend Micro software alongside the Jaku malware.

Check Point researchers said on Tuesday that the antivirus software, dubbed SiliVaccine, is built from bulk code stolen from Trend Micro.

While the Japanese firm is well-respected as an antivirus solutions provider, North Korea had no qualms about stealing code from its competitor, although the code comes from a Trend Micro product that is roughly ten years old.

Martyn Williams, a journalist with a specialization in North Korean technology, was the starting point of Check Point's research into the antivirus software.

North Korea, colloquially known as the Hermit Kingdom, has closed borders, and information relating to the country's technology is notoriously rare.

However, on 8 July 2014, Williams received an email from "Kang Yong Hak" which contained the SiliVaccine software sent as a link.

The suspicious email, apparently sent by someone claiming to be a Japanese engineer from an address that has since become inaccessible, included a Dropbox-hosted link to the software, a ReadMe instructions file, and another file posing as a SiliVaccine patch.

Analysis of the software revealed large swathes of code belonging to Trend Micro's VSAPI antivirus engine.

However, this code had been tampered with to ignore one particular signature that the engine, no matter its age, would otherwise block.

"While it is unclear what this signature actually is, what is clear is that the North Korean regime does not want to alert its users to it," Trend Micro says.

Included in the "antivirus" software was another bundle containing the Jaku malware. Jaku is malware which enslaves systems in a botnet, primarily through malicious BitTorrent downloads.

Forcepoint researchers say that the targets share the common theme of North Korea and its capital, Pyongyang, and that the malware has been used to target thousands of individuals connected to NGOs, engineering, academia, science, and government bodies.

It is possible that SiliVaccine was directly sent to Williams due to his position as a journalist reporting on North Korea.

Jaku was signed with a certificate issued by Ningbo Gaoxinqu zhidian Electric Power Technology Co., Ltd, which has also been used to sign malware used by DarkHotel, an advanced persistent threat (APT) group connected to both North Korea and attacks against luxury hotels.


Trend Micro's investigation led the research team to Pyongyang Gwangmyong Information Technology and STS Tech-Service, companies believed to have engineered SiliVaccine.

It was possible that the file sent to the journalist was fake or a one-off. However, speaking to Threatpost, the company said that an even older sample had been obtained.

This version, dating back to 2003, confirms that the code theft -- and the malware bundle -- appear to be genuine for at least two versions of SiliVaccine.

"While attribution is always a difficult task in cybersecurity, there are many questions raised by our findings," the researchers say. "What is clear, however, are the shady practices and questionable goals of SiliVaccine's creators and backers."
