Samples of SiliVaccine Deal Rare Peek Within North Korea’s Antivirus Software application

Two aged samples of North Korean antivirus software called SiliVaccine crib software code from a competitor and come loaded with malware and a backdoor.

The two SiliVaccine samples obtained by researchers at Check Point security offer unique insight into a secretive country and how it likely protects users from outside threats; and how the AV company behind SiliVaccine could spy on its users.

Check Point’s researchers began dissecting a version of SiliVaccine obtained by journalist Martyn Williams in 2014. That’s when Williams received a mysterious Dropbox download link to the software via email from a Japanese tipster identified only as “Kang Yong Hak.” The email account went dark soon after.

At the time, Williams detailed the functions of the software, which he identified as version 4.0 of SiliVaccine, that he said was published in 2002 by the software’s maker Pyonyang Gwangmyong Information Technology and STS Tech-Service.

Both intrigued and cautious by the rare North Korean AV software sample, Williams contacted a trusted British AV firm in 2014 who said the sample of SiliVaccine he received “didn’t appear to be malicious.”

Several weeks ago, Check Point re-examined the reporter’s 2014 sample and concluded that SiliVaccine’s antivirus engine code belongs to Japan-based Trend Micro. It also discovered the Jaku malware was bundled with the AV software’s installation files (as a patch) and that the software purposely ignored specific malicious code signatures – a security hole in the software that could allow an adversary to install malware without sounding any AV alarms.

“We believe that Williams himself was being targeted by North Korea,” said Check Point researcher Mark Lechtik in an interview with Threatpost. A full analysis of the SiliVaccine code is available on the Check Point blog.

It’s unclear if Williams was being singled out as a journalist and may have been targeted in a malware campaign to gain access his computer. Researchers said they believe that the sample Williams received was also part of a wider distribution, based on a second malware sample obtained by Check Point with the same snooping features and installation routine that planted Jaku malware on a target’s PC.

“We have managed to obtain another sample of a much older version of this software (from 2003) via a different (trusted) source,” Check Point told Threatpost. “From analyzing this version we can confirm that our conclusions are relevant for at least 2 versions of this software, with a difference of 10 years between one another, indicating it’s not a one-off. More importantly – it confirms we were not looking at a modified or fake version to begin with.”

Makers of Trend Micro also confirmed that the SiliVaccine software contained a decade-old version of its scan engine, VSAPI.

It’s unclear how the makers of SiliVaccine obtained the VSAPI scan engine code, however it’s theorized by Check Point that the publisher of the AV software (STS Tech-Service) previously worked in Japan with Silver Star and Magnolia. That company worked with a North Korean research entity known as the Korean Computer Center.

Trend Micro has emphasized that the use of the 10-year-old AV engine by SiliVaccine in no way jeopardizes the company’s current or legacy AV products.

It’s also unclear how tightly SiliVaccine is aligned with the Democratic People’s Republic of Korea (DPRK). Check Point noted, “the software itself contains metadata that puts PGI (a DPRK government entity) as one of the authors, while the other developer, STS Tech-Service, seems to also have strong ties to the government and the KCC (Korea computer Center).”

Another digital crumb was found by Check Point in its analysis of the Jaku malware’s electronic signature.

“Our investigation found though that the Jaku file was signed with a certificate issued to a certain ‘Ningbo Gaoxinqu zhidian Electric Power Technology Co., Ltd’, the same company that was used to sign files by another well-known APT group, ‘Dark Hotel’. Both JAKU and Dark Hotel are thought to be attributed to North Korean threat actors,” Check Point said.

Threatpost was unable to contact both Pyonyang Gwangmyong Information Technology and STS Tech-Service.