JAKU - a special investigation into a previously unknown botnet campaign
[UPDATE 05/MAY/2016] A list of Indicators of Compromise is now available to download at this location.
JAKU is the name of the investigation by the Forcepoint™ Security Labs™ Special Investigations team into a botnet campaign. We have released our technical analysis in the form of a whitepaper. Download links and other resources are provided below.
JAKU Targets Specific Victims
What makes JAKU unique is that within the noise of thousands of botnet victims, it targets and tracks a small number of specific individuals. These individuals include members of International Non-Governmental Organisations (NGOs), Engineering Companies, Academics, Scientists and Government Employees. North Korea (DPRK) and Pyongyang are the common theme shared between these individuals.
JAKU targets its victims - 19,000 is a conservative estimate of the number of victims at any one time - primarily via 'poisoned' BitTorrent file shares. The victims are spread all over the globe, but a significant number of victims are in South Korea and Japan. Forcepoint Security Labs has determined that the botnet Command and Control (C2) servers identified are also located in the APAC region, including Singapore, Malaysia and Thailand.
JAKU is Sophisticated and Resilient
JAKU uses three different C2 mechanisms, making it highly resilient. Compressed and encrypted code embedded in image files is used to deliver the second stage malware, while the botnet controllers monitor the botnet members via obfuscated SQLite databases. The controllers also cleverly re-use widely available open source software, including the UDT network transport protocol, software copied from Korean blogger sites and re-writes of previously published code.
How and When did we do the Research?
The JAKU investigation began in late October 2015. We have collected, collated and processed an estimated 1.7TB of telemetry data during the 6 month investigation.
Who is Behind the JAKU Botnet Campaign?
Forcepoint Security Labs focuses on awareness and understanding of intent, which is useful for identifying likely future behaviour. We do not focus on specific attribution. However, there are indicators that suggest that the author(s) of the malware identified are native Korean speakers.
Download Links and Other Resources
Whitepaper - our deep-dive technical analysis is available for download now from https://www.forcepoint.com/jaku
Infographic - an infographic is also available from here.
Forcepoint Security Labs will release a follow-up blog providing a comprehensive list of Indicators of Compromise relating to JAKU.
We welcome your feedback and questions in the comments section below. Thank you.