About the Author
Chad O'Carroll has written on North Korea since 2010 and writes between London and Seoul.
Correction at 1220 KST on 11/5: This article has been updated to provide further clarification on how ESTsecurity detected the malware.
Malicious code identified on Friday by Kaspersky Lab was also hosted in the source code of a North Korea-affiliated news website, South Korean cyber-threat organization ESTsecurity told NK News.
The attack script named “Operation WizardOpium”, which Kaspersky Lab described as a “waterhole-style injection on a Korean-language news portal”, was embedded in the Arirang Meari news website, the Seoul-based ESTsecurity told local media on November 2.
Arirang Meari is the official China-based website of North Korea’s Arirang Association and is registered at the domain level by PRC-based Xinnet.
While Kaspersky Lab did not specify the Korean website hosting the malicious code, which experts say has the potential to wreak serious damage on a user’s computer, a Datanet.co.kr article quoted ESTsecurity’s Mun Chong Hyun as pointing to Arirang Meari as one host.
If Arirang Meari hosted the code, it would not be the first time a DPRK-linked website had hosted a malicious script: in 2015 it emerged that the official KCNA news agency website was serving a malicious Flash update.
The apparent exploit may have created major risks to visitors of the Arirang Meari website, a computer specialist told NK News.
“According to Kaspersky, this uses a vulnerability in Chrome and downloads and executes an executable (exe) file (on the user’s device),” said Tomasz Chmielewski of Virtall, a company specializing in IT and server administration.
The malicious code could theoretically “steal website logins/passwords and send them to a remote server, steal documents and send them to a remote server, access websites silently on behalf of the user,” or even “attack other computers in LAN or in the internet,” Chmielewski added.
“While the explained case would only work on Windows, technically, it could perhaps also work on Mac and Linux.”
CODE ABSENT AT ARIRANG
However, Chmielewski pointed out that as of Monday morning Korean time, the malicious code referenced by ESTsecurity could not be found in the Arirang Meari website’s source code.
A cached version of the site dated October 23 did not contain the malicious code either.
“So possibly they’ve cleaned up their site already,” Chmielewski said, “or (the) malware doesn’t show up if visitors are from certain countries.”
Asked exactly when it had detected the malicious script on the Arirang Meari website, Mun of ESTsecurity told NK News on Monday that they had traced the attack to an archived version of the site dated October 30 – two days before Kaspersky first published details about it.
When they checked the website on November 2, the attack code was not present anymore, the company explained.
It’s not clear how ESTsecurity traced the malicious code before its existence was revealed by Kaspersky.
The domain hosting the malicious script URL – behindcorona.com – was created only recently, on August 27, NK News analysis revealed.
The domain lists Kenneth Osborne of San Juan, Texas, as the owner. NK News attempted to contact Osborne via a provided Protonmail.com email address but has not yet received a response.
Featured image: lmonk72 (pixabay.com)