JAKU: ANALYSIS OF A BOTNET CAMPAIGN

Location of command and control servers: Malaysia, Thailand & Singapore
Malware type: multi-stage tracking and data exfiltration malware
Number of countries with JAKU victims: 134
Number of unique victims: 19k
Length of investigation to date: 6 months
Evasion techniques used: cryptography, steganography, fake file types, stealth injection, anti-virus engine detection (and others)
Payloads are delivered via: exposure to compromised BitTorrent sites, use of unlicensed software & downloading of warez software
Location of victims: global (significant clustering in Japan, South Korea & China)
Victims by country: South Korea, Japan, China, Taiwan, USA
Mean dwell time: 93 days
Max dwell time: 348 days

FORWARD WITHOUT FEAR
©2016 Forcepoint LLC. All rights reserved. Forcepoint™ is a trademark of Forcepoint LLC.
JAKU is targeting specific victims
JAKU is the name of the botnet campaign investigated by the Forcepoint Security Labs Special Investigations Team. What makes JAKU unique is that within the noise of thousands of botnet victims, it targets and tracks a small number of specific individuals. These individuals include members of International Non-Governmental Organisations (NGOs), Engineering Companies, Academics, Scientists and Government Employees. North Korea (DPRK) and Pyongyang are the common theme shared between these individuals.
JAKU targets its victims - 19,000 is a conservative estimate of the number of victims at any one time - primarily via 'poisoned' BitTorrent file shares. The victims are spread all over the globe, but a significant number of victims are in South Korea and Japan. Forcepoint Security Labs has determined that the botnet command and control (C2) servers identified are also located in the APAC region, including Singapore, Malaysia and Thailand.
A sophisticated botnet campaign

JAKU uses three different C2 mechanisms, making it highly resilient. Compressed and encrypted code embedded in image files is used to deliver the second-stage malware, while the botnet controllers monitor the botnet members via obfuscated SQLite databases. The controllers also cleverly re-use widely available open source software, including the UDT network transport protocol, software copied from Korean blogger sites and re-writes of previously published code.
Who is behind the JAKU botnet campaign?

Forcepoint Security Labs focus on awareness and understanding of intent. This is useful to identify likely future behaviour. We do not focus on specific attribution. However, there are indicators that suggest that the author(s) of the malware identified are native Korean speakers.
For a deeper dive into the JAKU botnet campaign, download the report: www.forcepoint.com/jaku