Pyongyang might not be trying to infect your computer after all.
A dangerous malware program operating out of North Korea’s official news site was initially thought to be the work of the North Korean government.
But a review of the site’s code by security researchers found that the malware appears to be the work of external hackers, perhaps interested in gathering information on North Korea’s Internet-enabled elite.
The attack, which is still active, is disguised as an update to Adobe Flash Player that pops up for some users visiting the Korean Central News Agency (KCNA) homepage. If the user clicks it, the computer is infected with malware.
“Because of what happened at Sony and because this was a North Korean site, many people had no trouble assuming North Korean involvement,” Kaspersky Labs senior researcher Juan Guerrero-Saade told Dark Reading.
Guerrero-Saade was part of a team that reviewed the code and offered a different story on the attack.
Rather than monitoring people interested in Pyongyang’s affairs, the malware appears to seek out targets who might be North Koreans themselves, the review suggests.
The team noted several similarities to another highly sophisticated cyberattack campaign dubbed “Darkhotel,” in which hackers targeted elite hotel guests in Asia through the Wi-Fi networks in their hotels.
In that campaign, which lasted at least seven years, high-value guests received a fake Adobe software update pop-up when they tried to log into a hotel’s Wi-Fi network. By clicking, they infected their computers with malware.
“Some similarities with the Darkhotel toolset are present, including the network configuration, spoofing technique, as well as the format and selection of stolen data,” Guerrero-Saade wrote in a blog post with a colleague on Wednesday.
“Were these to be related campaigns, particularities of the KCNA malware show that the Darkhotel actor may still have some tricks up its sleeve.”