A security researcher examining the website of North Korea's official news service, the Korean Central News Agency, has discovered that the site delivers more than just the latest photo spread of Democratic People's Republic of Korea leader Kim Jong Un inspecting mushroom farms. There's a little extra surprise hidden in the site's code—malware. The news site appears to double as a way for North Korea to deliver a "watering hole" attack against individuals who want to keep tabs on the "activities" of the DPRK's dear leader.

Ars has independently verified a reference within part of the site's JavaScript code, called from the home page, to a download named "FlashPlayer10.zip." The file, which is set as a JavaScript variable "FlashPlayer" on the site's main page and on other site pages, contains two files labeled as Windows executable installers containing updates for the long-since obsolete Flash Player 10—one for an alleged ActiveX control, and the other for a browser plug-in. Both are identical files, and they contain a well-known Windows malware dropper, based on an analysis through the malware screening site VirusTotal.

Given the names of the files and their suggested vintage, the droppers have been on the site for some time—according to the date stamps on the files within the ZIP archive, they were created in December of 2012. That's similar to much of the rest of the code on the site. A JavaScript file used to check which Flash versions visitors' browsers support carries an Adobe copyright from 2007, and it still checks for WebTV clients. The site uses jQuery version 1.7, released in 2011, to pull up photos and story content. Comments in JavaScript code written by the KCNA's own developers show it has been over two years since the newest components of the site's JavaScript were touched, and there are a number of "to do" comments indicating that some features have been left waiting for some time.

Just where the file gets dropped by the website is not clear, however. A review of the site code by Ars found that while the dropper file is named in the code of all the site's pages, and exists on the site itself in a folder called "downloads," there appears to be no code on the pages that references the variable holding the file's location. However, the site has a significant amount of Ajax and jQuery-based dynamic code, some of which could be used to read the variable and launch the download in specific cases—for example, from specific stories in KCNA's home-grown content management system, for site visitors with specific browsers.
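The situation described above, a download variable that is declared in page JavaScript but apparently never used, is the kind of thing a defender can triage statically before ever executing the page. The following is an added example written for this article, not code from Ars or from the KCNA site; it runs over a constructed HTML snippet modelled on the description (the `FlashPlayer` variable is from the article, while the second `pluginPkg` variable and the `needsPlugin` check are invented purely to show a referenced case for contrast). It lists every string variable pointing at an archive or executable, then counts how many times that identifier appears outside its own declaration, so a dormant indicator can be separated from one that the page actually wires up.

```python
import re

# Constructed sample, modelled on the article's description: the first script
# declares a variable pointing at an archive of supposed Flash installers but
# never uses it. The second script (pluginPkg, needsPlugin) is invented here
# only so the output shows a referenced variable alongside the dormant one.
SAMPLE_HTML = """
<script type="text/javascript">
var FlashPlayer = "downloads/FlashPlayer10.zip";
var jqVersion = "1.7";
function openStory(id) { $.get("story.kcmsf?id=" + id); }
</script>
<script type="text/javascript">
var pluginPkg = "downloads/plugin_setup.exe";
if (needsPlugin) { window.location = pluginPkg; }
</script>
"""

# Extensions that should never be handed to a browser by a news site.
RISKY_EXT = (".zip", ".exe", ".msi", ".scr", ".cab", ".rar", ".7z")

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
ASSIGN_RE = re.compile(r"\b(?:var|let|const)\s+(\w+)\s*=\s*[\"']([^\"']+)[\"']")


def script_bodies(html):
    """Return the text of every inline <script> block in the page."""
    return SCRIPT_RE.findall(html)


def find_download_vars(html):
    """Return [(variable_name, path)] for string assignments whose value
    ends in one of RISKY_EXT."""
    found = []
    for body in script_bodies(html):
        for name, value in ASSIGN_RE.findall(body):
            if value.lower().endswith(RISKY_EXT):
                found.append((name, value))
    return found


def reference_count(html, name):
    """Count uses of the identifier across all scripts, excluding its own
    declaration. Word boundaries keep 'FlashPlayer' from matching the
    'FlashPlayer10' inside the file name string."""
    ident = re.compile(r"\b" + re.escape(name) + r"\b")
    decl = re.compile(r"\b(?:var|let|const)\s+" + re.escape(name) + r"\b")
    total = 0
    for body in script_bodies(html):
        total += len(ident.findall(body)) - len(decl.findall(body))
    return total


def triage(html):
    """One row per suspicious download variable, with a dormant/live verdict."""
    report = []
    for name, path in find_download_vars(html):
        refs = reference_count(html, name)
        report.append({
            "var": name,
            "path": path,
            "references": refs,
            "verdict": "dormant" if refs == 0 else "live",
        })
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_HTML):
        print(row)
```

A "dormant" verdict only means the inline scripts do not use the variable; as the article notes, external scripts loaded via Ajax or jQuery could still read it, so the next step in a real review is to fetch and scan those files with the same functions rather than to treat the page as clean.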

Ironically, a good percentage of the dynamic content on the KCNA site is delivered via code called from a directory named "siteFiles/exploit," and one of the header files used by the site's homepage is called "kcna.user.exploit.exploit.kcmsf" (kcmsf being the site's custom file extension). This may be a translation issue, as the researcher who blogs as InfoSecOtter suggested: the Korean verb gaebalhada (개발하다) translates as either "exploit" or "develop." Of course, it could also be an incredible amount of honesty by North Korean Web developers about what the KCNA's website is really supposed to do.