North Korea's Red Star Linux inserts sneaky serial content tracker

Hermit Kingdom activists can feel more secure with OpenOffice

ERNW security analyst Florian Grunow says North Korea's Red Star Linux operating system is tracking users by tagging content with unique hidden tags.

The operating system, developed from 2002 as a replacement for Windows XP, was relaunched with a Mac-like interface in 2013's version three. The newest version emerged in January 2015.

Grunow says files including Microsoft Word documents and JPEG images that are connected to, but not necessarily executed in, Red Star will have a tag introduced into their contents that includes a number derived from hardware serial numbers.

"When analysing the OS, the first thing that came to our attention is that they have built their own kernel module named rtscan. There is a binary running that is named opprc and a few more binaries, one that seems to simulate/pretend to be some kind of 'virus scanner' and seems to share some code base with opprc," Grunow says.

"The first thing that came to our attention when looking at the functions in the binary was gpsWatermarkingInformation.

"Creating and using media files and documents on RedStar OS can get you into trouble if you are living in North Korea; do not assume that the files can be kept private and cannot be traced back to the creator."

Grunow says the operating system does not watermark files created with the open source OpenOffice word processing suite.

A probe of the gpsWatermarkingInformation function shows it would watermark documents, images, and even audio files that had been handled on the operating system.
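The report says the tag is hidden inside the file itself but does not publish its format, so a defender's first check is whether a file carries bytes beyond its container's logical end. The following is an added example, not ERNW's code and not part of the article; it assumes the tag is appended after the JPEG EOI marker or after the ZIP end-of-central-directory record of a .docx, and the sample files and the tag string are constructed.

```python
import io, struct, zipfile
def jpeg_logical_end(data: bytes) -> int:
    """Offset just past EOI, found by walking segments (a plain search for FF D9 would
    stop early at the EOI of an embedded EXIF thumbnail)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                                   # fill byte before a marker
            pos += 1
        elif marker == 0xD9:                                 # EOI: logical end of image
            return pos + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD8:       # standalone, no length field
            pos += 2
        else:
            pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]   # struct.error if truncated
            if marker == 0xDA:   # SOS: skip entropy-coded data; FF00 is stuffing, FFD0-D7 restarts
                while pos + 1 < len(data) and not (data[pos] == 0xFF and data[pos + 1] != 0
                                                   and not 0xD0 <= data[pos + 1] <= 0xD7):
                    pos += 1
    raise ValueError("no EOI marker found")

def zip_logical_end(data: bytes) -> int:
    """Offset just past the end-of-central-directory record (DOCX/ODT are ZIP containers)."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no end-of-central-directory record")
    comment_len = struct.unpack("<H", data[eocd + 20:eocd + 22])[0]
    return eocd + 22 + comment_len

def trailing_data(data: bytes) -> bytes:
    """Bytes appended after the container's logical end; empty when nothing was appended."""
    if data.startswith(b"\xff\xd8"):
        return data[jpeg_logical_end(data):]
    if data.startswith(b"PK\x03\x04"):
        return data[zip_logical_end(data):]
    raise ValueError("unsupported container")

# Constructed samples, not real Red Star output: a minimal JPEG whose APP1 segment holds a
# nested SOI/EOI pair (thumbnail-style), and a one-entry ZIP standing in for a .docx.
SAMPLE_JPEG = (b"\xff\xd8" + b"\xff\xe1\x00\x08\xff\xd8\xff\xd9\x00\x00"
               + b"\xff\xda\x00\x04\x01\x00" + b"\x12\xff\x00\x34" + b"\xff\xd9")
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("word/document.xml", "<w:document/>")
SAMPLE_DOCX = _buf.getvalue()
CONSTRUCTED_TAG = b"<TAG:SERIAL-PLACEHOLDER>"           # stands in for a hidden tag
```

A non-empty result only shows that something was appended; it does not identify what, and a tag written inside a metadata segment instead of after the logical end would not be caught by this check.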

The research is the latest examination of Red Star since the disclosure of operating system vulnerabilities in January. The operating system has continued to intrigue sectors of the security industry since it was documented publicly in 2010.

The KDE 3-based operating system sports an OS X-like interface with a modified Mozilla Firefox browser, dubbed Naenara, that lets users peruse the nation's 'Kwangmyong' intranet. ®
