MALAYSIA,THAILAND &SINGAPORE

LOCATION OF COMMAND

AND CONTROL SERVERS:

MALWARE TYPE:

MULTI-STAGETRACKING AND DATA

EXFILTRATIONMALWARE

FORWARD WITHOUT FEAR©2016 Forcepoint LLC. All rights reserved.Forcepoint™ is a trademark of Forcepoint LLC.

134NUMBER OF COUNTRIESWITH JAKU

VICTIMS

19kNUMBER OF UNIQUE VICTIMS

6MONTHS

LENGTH OF INVESTIGATION

TO DATE:

JAKU

CRYPTOGRAPHY, STEGANOGRAPHY,FAKE FILE TYPES,STEALTH INJECTION, ANTI-VIRUSENGINE DETECTION (AND OTHERS)

EVASION TECHNIQUES USED:

EXPOSURE TO COMPROMISEDBITTORRENT SITES, USE OFUNLICENSED SOFTWARE &DOWNLOADING OF WAREZSOFTWARE

PAYLOADS ARE DELIVERED VIA:

GLOBAL(SIGNIFICANT CLUSTERING IN JAPAN, SOUTH KOREA & CHINA)

LOCATION OF VICTIMS:

SOUTHKOREA

JAPAN CHINA TAIWAN USA

BY COUNTRY

ANALYSIS OF A BOTNET CAMPAIGN

MEAN DWELL TIME93 DAYS

MAX DWELL TIME348 DAYS

FORWARD WITHOUT FEAR©2016 Forcepoint LLC. All rights reserved.Forcepoint™ is a trademark of Forcepoint LLC.

JAKU is targeting specific victims

ANALYSIS OF A BOTNET CAMPAIGN

JAKU is the name of the botnet campaign investigated by the Forcepoint Security Labs Special Investigations Team. What makes JAKU unique is that within the noise of thousands of botnet victims, it targets and tracks a small number of specific individuals. These individuals include members of International Non-Governmental Organisations (NGOs), Engineering Companies, Academics, Scientists and Government Employees. North Korea (DPRK) and Pyongyang are the common theme shared between these individuals.

JAKU targets its victims - 19,000 is a conservative estimate of the number of victims at any one time - primarily via 'poisoned' BitTorrent file shares. The victims are spread all over the globe, but a significant number of victims are in South Korea and Japan. Forcepoint Security Labs has determined that the botnet command and control (C2) servers identified are also located in the APAC region, including Singapore, Malaysia and Thailand.

A sophisticated botnet campaignJAKU uses three different C2 mechanisms, making it highly resilient. Compressed and encrypted code embedded in image files are used to deliver the second stage malware, while the botnet controllers monitor the botnet members via obfuscated SQLite databases. The controllers also cleverly re-use widely available open source software, including the UDT network transport protocol, software copied from Korean blogger sites and re-writes of previously published code.

Who is behind the JAKU botnet campaign? Forcepoint Security Labs focus on awareness and understanding of intent. This is useful to identify likely future behaviour. We do not focus on specific attribution. However, there are indicators that suggest that the author(s) of the malware identified are native Korean speakers.

For a deeper dive into the JAKU botnet campaign,

download the reportwww.forcepoint.com/jaku