Security researchers have spotted an on-going global botnet campaign seemingly linked to North Korea.

The Jaku botnet has an unusual split personality. On the surface it’s spreading en masse through pirated software (warez) or poisoned BitTorrent trackers to notch up around 17,000 victims at any one time.

However, a six month investigation by Forcepoint Security Labs has revealed that on closer inspection, it “targets and tracks a small number of specific individuals”.

These individuals include members of International Non-Governmental Organisations (NGOs), engineering companies, academics, scientists and government employees.

“The victims are spread all over the globe, but a significant number of victims are in South Korea and Japan,” Forecepoint reports.

The security firm describes Jaku as a “multi-stage tracking and data exfiltration malware”. These “narrow, highly-targeted attacks on individual victims, seeking to harvest sensitive files, profile end-users and gather valuable machine information” take place behind a smokescreen of routine mass-market malfeasance.

Forcepoint has determined that the botnet command and control (C2) servers it's identified are also located in the APAC region, including Singapore, Malaysia and Thailand. The hackers appear to be native Korean speakers. All this, circumstantially, points to North Korea or less probably Chinese hackers posing as Pyongyang.

This is El Reg inference rather than Forcepoint’s.

Attribution is notoriously difficult in cyberspace, as best evidenced by the Sony Picture assault, now widely regarded as the work of the NORKS following months of doubt and speculation. It’s safer to say that Jaku represents an evolution in cyber-tradecraft.

It demonstrates the re-use of infrastructure and TTP [tactics, techniques, and procedures] and exhibits a split personality. JAKU herds victims en masse and conducts highly targeted attacks on specific victims through the execution of concurrent operational campaigns. The outcome is data leakage of machine information, end-user profiling and incorporation into larger attack data sets.

Forcepoint said it had coordinated with various law enforcement agencies throughout the investigation, which began in October 2015. Its customer have been protected since then. More details on the malware can be found in a white paper from Forecpoint here (pdf) (main findings summarised in an infographic here). ®

Bootnote

Jaku is named after the harsh desert planet in Star Wars: The Force Awakens for reasons not immediately apparent to El Reg’s security desk, at least. ®