Botnets are a well-known and continually evolving threat.
As one of the most sophisticated and popular types of cybercrime, a botnet is a network of private computers infected with malicious software and controlled as a group without the computer owners' knowledge.
In short, botnets allow hackers to take control of multiple computers at the one time to spread viruses, create spam and perform Distributed Denial of Service (DDOS) attacks.
Given organised crime has been operating botnets for years, Forcepoint Security Labs conducted research into the JAKU botnet campaign to gain insights and understanding into their inner workings.
What makes the JAKU botnet campaign unique is that within the noise of thousands of botnet victims, it targets and tracks a small number of specific individuals. These individuals include members of International Non-Governmental Organisations (NGOs), Engineering Companies, Academics, Scientists and Government Employees. North Korea (DPRK) and Pyongyang are the common theme shared between these individuals.
JAKU uses three different command and control (C2) mechanisms, making it highly resilient. Compressed and encrypted code embedded in image files are used to deliver the second stage malware, while the botnet controllers monitor the botnet members via obfuscated SQLite databases. The controllers also cleverly re-use widely available open source software, including the UDT network transport protocol, software copied from Korean blogger sites and re-writes of previously published code.
JAKU's victims are spread all over the globe, but a significant number of victims are in South Korea and Japan.
JAKU Attack Map
Forcepoint Security Labs has determined that the botnet C2 servers identified are also located in the APAC region, including Singapore, Malaysia and Thailand.
The JAKU Command and Control (C2) servers have been identified as being located in Malaysia, Thailand and Singapore
Victims per country
The JAKU campaign spans 134 countries with an estimated 19,000 unique victims. Over 87% of victim computers were in one of four countries: South Korea (42%), Japan (31%), China (8%) and the United States (6%).
Both Australia and New Zealand were affected by JAKU.
Victims per language
The victims of the JAKU campaign are clustered around Japanese (30%) and Korean (43%) languages, followed by English (13%) and Chinese (10%).
Victims per time-zone
Each of the victim machines has a time-zone setting for the geographic region the system is configured to operate in. The two major time-zone group of victims included the +09:00 time zone (Korea Standard time, Tokyo Standard Time and Yakutsk Standard Time) with 69% of victims and the +08:00 time-zone (West Australia Standard Time Zone, North Asian East Standard Time and China Standard Time).
Number of total JAKU victims' computers/day
Implications of findings
The JAKU research shows botnets are an easy form of resilient, redundant and highly pervasive attack infrastructures that are repeatedly deployed by major threat actors, such as organised crime-sponsored attackers and rogue states via their agencies.
Botnet resilience is strengthened by what appears to be the herding of victims into smaller bot-networks. This, to some degree at least, ensures that if the botnet is compromised then the remainder of the campaign is left to operate.
The JAKU study also highlights the consequences that Internet users who disregard copyrights and digital rights may face. Many may incur end-point security vulnerabilities that may not only leave them subject to attack, but also may allow their machines to be misused by adversaries, such as the JAKU botnet controllers, to execute information and identity theft.
Although bots present a serious challenge for businesses and individuals there are ways to secure your network quickly and reliably.
Firstly collaboration is key, as finding, tracking and shutting down attack modes and methodologies can be a formidable task. What is required is the close collaboration and intelligence-sharing activities of both private organisations and government agencies.
To protect networks prior to infection, businesses and individuals should configure their security software's settings to update automatically and increase security settings on the browser. Other tips include limiting user rights when online and not opening attachments from unverified senders. The JAKU investigation sheds light onto why the victims of botnets are targeted, and how their usage of pirated or counterfeit software and movies leaves them vulnerable to attack.
Article by Carl Leonard, principal security analyst at Forcepoint