May 3, 2016

JAKU - a special investigation into a previously unknown botnet campaign

Carl Leonard, Principal Security Analyst

[UPDATE 05/MAY/2016] A list of Indicators of Compromise is now available to download at this location.

JAKU is the name the Forcepoint™ Security Labs™ Special Investigations team has given to its investigation into a botnet campaign. We have released our technical analysis in the form of a whitepaper; download links and other resources are provided below.


JAKU Targets Specific Victims

What makes JAKU unusual is that, within the noise of thousands of botnet victims, it singles out and tracks a small number of specific individuals: members of international non-governmental organisations (NGOs), engineering companies, academics, scientists and government employees. The common theme shared by these individuals is North Korea (DPRK) and Pyongyang.

JAKU recruits its victims (19,000 is a conservative estimate of the number infected at any one time) primarily via 'poisoned' BitTorrent file shares. The victims are spread across the globe, but a significant number are in South Korea and Japan. Forcepoint Security Labs has determined that the identified botnet Command and Control (C2) servers are also located in the APAC region, including Singapore, Malaysia and Thailand.

JAKU is Sophisticated and Resilient

JAKU uses three different C2 mechanisms, making it highly resilient. Compressed and encrypted code embedded in image files is used to deliver the second-stage malware, while the botnet controllers track botnet members via obfuscated SQLite databases. The controllers also make clever re-use of widely available open source software, including the UDT network transport protocol, software copied from Korean blogger sites and rewrites of previously published code.
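One check a practitioner can run on suspect images, given as an added example that is not code from the post or the whitepaper: the post says the second stage is delivered as compressed and encrypted code embedded in image files but does not describe the container, so this assumes the simplest embedding (bytes appended after the image's structural end, the PNG IEND chunk or the JPEG EOI marker) and flags trailers whose byte entropy looks compressed or encrypted. The function names, the 64-byte and 7.0-bit thresholds and the sample files are all constructed here and are not JAKU artefacts.

```python
"""Added example: flag image files that carry extra data after the format's
structural end and measure that trailer's entropy. This is a generic check for
payloads appended to images, not a parser for JAKU's actual container, which
the post does not describe."""
import math
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data):
    """Walk PNG chunks and return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 8 + length + 4            # length + type + payload + CRC
        if end > len(data):
            return None
        if ctype == b"IEND":
            return end
        pos = end
    return None


def jpeg_end_offset(data):
    """Walk JPEG marker segments and return the offset just past EOI, or None."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                    # EOI
            return pos + 2
        if marker == 0xDA:                    # SOS: entropy-coded data follows
            # Inside scan data 0xFF is always stuffed (FF00) or an RSTn marker,
            # so the next FFD9 is the real EOI; EXIF thumbnails with their own
            # EOI were skipped with their APP1 segment above.
            idx = data.find(b"\xff\xd9", pos + 2)
            return None if idx < 0 else idx + 2
        if marker == 0xFF or marker == 0x01 or 0xD0 <= marker <= 0xD8:
            pos += 1 if marker == 0xFF else 2  # fill byte or standalone marker
            continue
        if pos + 4 > len(data):
            return None
        (seglen,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seglen
    return None


def shannon_entropy(buf):
    """Bits per byte: close to 8.0 for compressed or encrypted data, lower for text or code."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in (buf.count(b) for b in set(buf)))


def scan_image(data, entropy_threshold=7.0):
    """Report bytes found after the image's structural end and their entropy."""
    if data.startswith(PNG_SIG):
        fmt, end = "png", png_end_offset(data)
    elif data.startswith(b"\xff\xd8"):
        fmt, end = "jpeg", jpeg_end_offset(data)
    else:
        fmt, end = "unknown", None
    if end is None:
        return {"format": fmt, "parsed": False, "trailing_bytes": 0,
                "entropy": 0.0, "suspicious": False}
    trailer = data[end:]
    ent = shannon_entropy(trailer)
    # Tiny trailers (a few padding bytes) are common in benign files, so require
    # both a meaningful size and high entropy before flagging.
    return {"format": fmt, "parsed": True, "trailing_bytes": len(trailer),
            "entropy": round(ent, 2),
            "suspicious": len(trailer) >= 64 and ent >= entropy_threshold}


def make_png():
    """Constructed 1x1 RGB PNG with a valid chunk structure and no trailing data."""
    def chunk(ctype, payload):
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")   # filter byte + one red pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def make_jpeg():
    """Constructed minimal JPEG marker skeleton (SOI, APP0, SOS, EOI); not decodable."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"     # stuffed FF00 and an RST0 marker
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


def constructed_hidden_blob(size=4096, key=0x5A):
    """Stand-in for a compressed-then-encrypted stage: seeded pseudo-random bytes
    XORed with a one-byte key, so the example is reproducible offline."""
    rng = random.Random(2016)
    raw = bytes(rng.getrandbits(8) for _ in range(size))
    return bytes(b ^ key for b in raw)


if __name__ == "__main__":
    for name, blob in (("clean.png", make_png()),
                       ("poisoned.png", make_png() + constructed_hidden_blob()),
                       ("poisoned.jpg", make_jpeg() + constructed_hidden_blob())):
        print(name, scan_image(blob))
```

A trailer that is large but low-entropy (text, uncompressed code) is not flagged by this rule, so on a real triage you would also hash the trailer and inspect it by hand; the check is a first pass, not a verdict.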

How and When did we do the Research?

The JAKU investigation began in late October 2015. We collected, collated and processed an estimated 1.7TB of telemetry data during the six-month investigation.

Who is Behind the JAKU Botnet Campaign?

Forcepoint Security Labs focuses on awareness and on understanding intent, which is useful for anticipating likely future behaviour; we do not focus on specific attribution. There are, however, indicators suggesting that the author(s) of the malware identified are native Korean speakers.

Download Links and Other Resources

Whitepaper - our deep-dive technical analysis is available for download now from https://www.forcepoint.com/jaku

Infographic - an infographic is also available from here

Videos - we are releasing a series of interviews with our Head of Special Investigations, Andy Settle, giving insights into the "what", the "how" and the "why" of JAKU.

Additional Material

Forcepoint Security Labs will release a follow-up blog providing a comprehensive list of Indicators of Compromise (IOCs) relating to JAKU.

Questions Welcome

We welcome your feedback and questions in the comments section below. Thank you.

Carl Leonard

Principal Security Analyst

Carl Leonard is a Principal Security Analyst within Forcepoint X-Labs. He is responsible for enhancing threat protection and threat monitoring technologies at Forcepoint, in collaboration with the company’s global Labs teams. Focusing on protecting companies against the latest cyberattacks that...


About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.