This unusual botnet targets scientists, engineers, and academics

The Jaku campaign performs a "highly targeted operation" to infect systems and carry out DDoS and phishing attacks, warn researchers from Forcepoint.
Written by Danny Palmer, Senior Writer

New malware campaign increases risk of phishing scams.


A botnet and cyberattack campaign is infecting victims across the globe and appears to be tracking the actions of specially selected targets in sectors ranging from government to engineering.

Researchers from Forcepoint Security Labs have warned that the campaign they have dubbed 'Jaku' -- after a planet in the Star Wars universe, because of references to the sci-fi saga in the malware code -- is different from, and more sophisticated than, many botnet campaigns.

Rather than indiscriminately infecting victims, this campaign is capable of performing "a separate, highly targeted operation" used to monitor members of international non-governmental organisations, engineering companies, academics, scientists and government employees, the researchers said.

The findings are set out in Forcepoint's report on Jaku, which notes that of the estimated 19,000 unique victims, 42 percent are in South Korea and a further 31 percent in Japan. Both countries are neighbours of North Korea. A further nine percent of Jaku victims are in China and six percent in the US, with the remainder spread across 130 other countries.

There are also no instances of Jaku targeting North Korean victims. "There are indicators that suggest that the author(s) of the malware identified are native Korean speakers," Forcepoint researchers said.

When attacking indiscriminately, Jaku infects systems using malware that can be downloaded from a number of different sources, including poisoned BitTorrent files of pirated anime films and fake PNG image files. Once installed, the malware sends messages home to a command and control system, enabling those behind it to gain access to additional machines and add the infected system to the botnet.

Researchers found that three quarters of systems infected with Jaku were running an unlicensed version of Microsoft Windows.

However, a much more targeted version of Jaku would apparently be required for hackers to target specially selected individuals, Andy Settle, head of special investigations at Forcepoint, told ZDNet.

"The precision targeting would clearly require a more precise targeting tool than a BitTorrent. Email would be an obvious choice; however, we are intentionally keeping an open mind on the targeting," he said.

"Because it is so highly targeted I would suspect that it is not beyond the realms of possibility that each victim had their own unique vector. One may be email, another 'evil maid' [where the attacker has the opportunity to physically access the victim's device] another a watering hole attack and so on," Settle added.

"There are thousands of victim computers that are sitting in waiting that can be used unwittingly to perform DDoS attacks, spear-phishing attacks, spam campaigns and other forms of organised crime behaviour," said Settle, who called on collaboration between the authorities and the private sector in order to help fight the Jaku botnet.

"Finding, tracking and shutting down attack modes and methodologies with such capabilities can be a formidable task. No single organisation can do it alone. It requires the close collaboration and intelligence-sharing activities of both private organisations and government agencies -- and Forcepoint has engaged with NCA, CERT-UK, Europol and Interpol on this investigation," he said.
