Researchers at Check Point Research have carried out an investigation into North Korea's homegrown antivirus software, SiliVaccine. The researchers obtained the software in 2014 from a suspicious email containing a Dropbox link. Detailed analysis of SiliVaccine found exact matches of large chunks of scanning-engine code belonging to Trend Micro. In addition, SiliVaccine is designed to overlook one particular malware signature that the Trend Micro detection engine would normally block.
As if containing stolen code and deliberately letting one specific piece of malware pass through were not enough, the researchers found that SiliVaccine comes bundled with the highly resilient, botnet-forming JAKU malware.
The strange email, sent by "Kang Yong Hak", supposedly a Japanese engineer, contained a link to a Dropbox-hosted zip file that held a copy of the SiliVaccine software, a Korean-language readme file with instructions on how to use the software, and a suspicious-looking file posing as a patch for SiliVaccine.
Source: [H]ardOCP – Inside SiliVaccine, North Korea’s Antivirus