Jaku botnet runs targeted attack behind sandstorm of routine malfeasance

APT via ‘aggregated threat’

Security researchers have spotted an on-going global botnet campaign seemingly linked to North Korea.

The Jaku botnet has an unusual split personality. On the surface it’s spreading en masse through pirated software (warez) or poisoned BitTorrent trackers to notch up around 17,000 victims at any one time.

However, a six-month investigation by Forcepoint Security Labs has revealed that, on closer inspection, it “targets and tracks a small number of specific individuals”.

These individuals include members of International Non-Governmental Organisations (NGOs), engineering companies, academics, scientists and government employees.

“The victims are spread all over the globe, but a significant number of victims are in South Korea and Japan,” Forcepoint reports.

The security firm describes Jaku as a “multi-stage tracking and data exfiltration malware”. These “narrow, highly-targeted attacks on individual victims, seeking to harvest sensitive files, profile end-users and gather valuable machine information” take place behind a smokescreen of routine mass-market malfeasance.

Forcepoint has determined that the botnet command and control (C2) servers it has identified are also located in the APAC region, including Singapore, Malaysia and Thailand. The hackers appear to be native Korean speakers. All this, circumstantially, points to North Korea or, less probably, Chinese hackers posing as Pyongyang.

This is El Reg inference rather than Forcepoint’s.

Attribution is notoriously difficult in cyberspace, as best evidenced by the Sony Pictures assault, now widely regarded as the work of the NORKS following months of doubt and speculation. It’s safer to say that Jaku represents an evolution in cyber-tradecraft.

It demonstrates the re-use of infrastructure and TTP [tactics, techniques, and procedures] and exhibits a split personality. JAKU herds victims en masse and conducts highly targeted attacks on specific victims through the execution of concurrent operational campaigns. The outcome is data leakage of machine information, end-user profiling and incorporation into larger attack data sets.

Forcepoint said it had coordinated with various law enforcement agencies throughout the investigation, which began in October 2015. Its customers have been protected since then. More details on the malware can be found in a white paper from Forcepoint here (pdf) (main findings summarised in an infographic here). ®

Bootnote

Jaku is named after the harsh desert planet in Star Wars: The Force Awakens for reasons not immediately apparent to El Reg’s security desk, at least. ®

Biting the hand that feeds IT © 1998–2022