A few years ago, a freelance journalist who specializes in North Korean technology was mailed a sample of SiliVaccine, North Korea’s own antivirus software. It arrived as a link in a suspicious email. Several years later, the story lives on, and gets more curious. It turns out that the software is a very close replica of Trend Micro’s antivirus software, with exact matches of large chunks of code. And that’s just part of the mystery.
The sample software found its way to the journalist, Martyn Williams, via an email sent by ‘Kang Yong Hak,’ purportedly a Japanese engineer, according to Check Point researchers. The email contained a link to a Dropbox-hosted zip file that held a copy of the SiliVaccine software, along with a Korean-language readme file explaining how to use the software and a file posing as a patch for SiliVaccine.
Williams shared the sample with Check Point researchers, who made some interesting discoveries.
After finding that SiliVaccine used some of the exact same code as Trend Micro’s antivirus, the researchers noticed it was designed to ignore one particular signature that Trend Micro’s own detection engine does block.
In addition, the ‘patch’ that was bundled with SiliVaccine turned out to be JAKU malware, a highly resilient botnet-forming malware. Check Point researchers say that JAKU has targeted and tracked individual victims in South Korea and Japan at international non-governmental organizations (NGOs) and engineering companies, as well as academics, scientists, and government employees.
Trend Micro says North Korea’s version of its product is based on a version of its Trend Micro VSAPI scan engine, which is at least 10 years old. The company also adds, “Trend Micro has never done business in or with North Korea, and is confident that any such usage is entirely unlicensed.”
Michael Kajiloti, one of the researchers, told SC Magazine, “The authors of ‘SiliVaccine’ must have had access to Trend Micro proprietary resources and components over the course of many years, this is not a one-off leak. We have two different versions of ‘SiliVaccine’ almost a decade apart, both with proprietary Trend Micro code.”
It’s an interesting case, stemming from a country that limits access to the global internet to a select few, requiring special authorization.
Get the full story at the Check Point blog.