Trend Micro Scan Engine Used by North Korea's SiliVaccine Antivirus
Researchers have analyzed an older version of North Korea's SiliVaccine antivirus and discovered that it uses an outdated scanning engine from Japanese security solutions provider Trend Micro. Obtaining SiliVaccine is not an easy task, but a copy of the software was sent back in 2014 to Martyn Williams, a journalist specializing in North Korean technology. Williams published a review of the antivirus in September 2014.
The journalist recently provided a copy of the software to researchers at Check Point, who made a series of interesting discoveries. Williams received a copy of SiliVaccine via email from an individual claiming to be a Japanese engineer named Kang Yong Hak, who provided the antivirus to the journalist along with what appeared to be a patch.
Check Point's analysis of SiliVaccine revealed that the antivirus - apparently a version from 2013 - relied on a scanning engine developed by Trend Micro. The Japanese security firm's own analysis showed that the version used in SiliVaccine was more than 10 years old and it had been used in a variety of its products. "Trend Micro has never done business in or with North Korea.
We are confident that any such usage of the module is entirely unlicensed and illegal, and we have seen no evidence that source code was involved," Trend Micro said. "The scan engine version at issue is quite old and has been widely incorporated in commercial products from Trend Micro and third party security products through various OEM deals over the years, so the specific means by which it may have been obtained by the creators of SiliVaccine is unknown." Trend Micro has found evidence suggesting that its scan engine has been used in multiple versions of SiliVaccine. The company says it typically takes a strong stance against piracy, but initiating legal action would not help in this particular case, and it believes the use of its engine does not pose any risk to customers.
Check Point's analysis revealed that SiliVaccine uses Trend Micro's scan engine and the company's pattern files to load malware signatures. However, the pattern files used by the North Korean antivirus are encrypted using a custom protocol and there are some differences in the engine itself, including the use of compiler optimization not present in the original software. Another major difference is related to the fact that the SiliVaccine engine has been configured to not detect a particular signature.
Researchers have not been able to find the file associated with that signature, but noted that the original Trend Micro scan engine does detect the threat. According to experts, SiliVaccine was developed by a couple of organizations named PGI (Pyonyang Gwangmyong Information Technology) and STS Tech-Service, which appears to be linked to Japan through a couple of other companies. It's worth noting that relations between Japan and North Korea are, as described by Wikipedia, "severely strained and marked by tension and hostility."
Researchers also analyzed the patch file received by Williams in 2014 and determined that it delivers a first-stage dropper of the Jaku malware.
A 2016 report on Jaku revealed that the malware had infected roughly 19,000 systems around the world.
Experts discovered links to the Dark Hotel campaign, which, similar to Jaku, has been tied to North Korea.