The North Korean AV Anthology: a unique look on DPRK’s Anti-Virus market

Mark Lechtik, Ariel Jungheit / Kaspersky

In recent years, some research has been done on North Korean software, focusing on off-the-shelf products that appear as substitutes for Western technology. Based on previous work, developers in the DPRK have provided a variety of homebrewed products, including an operating system (RedStar OS), a browser (Naenara) and even a security solution for Windows (SiliVaccine).

With regard to the latter, very little is known about the Windows environment in North Korea, not even the number of its users. Nevertheless, we know of four NK-based anti-virus programs developed for Windows over the last three decades, which we thoroughly analysed through reverse engineering and inspection of various intelligence sources. By doing so, we are able to unveil an interesting AV ecosystem, most of which remains well concealed from the public eye to this day.

In our research we took an in-depth look at various aspects of the aforementioned products, namely the threats they protect against (some of which are believed to be internally created), the parties involved in developing them and the interesting overlaps between their code and other code bases. These include ties with known DPRK-affiliated malware and third-party vendor code, as was revealed in the SiliVaccine case.

In this talk we will showcase our analysis of each of the North Korean security solutions known to us, including their architecture and features, information on the developing entities and the interesting questions that consequently arise. Through this review, we intend to show the great amount of effort and resources invested in this internal industry, and the shady practices the hermit kingdom continually engages in to create its own self-reliant security market.

November 8 at 09:30 - 10:00, Stage A

Mark Lechtik is a Senior Security Researcher at Kaspersky's GReAT, previously working as the Malware Research Team Leader at Check Point Research. He was born in Russia, but has lived most of his life in Israel, where he graduated from Ben-Gurion University with a B.Sc. in communication systems engineering. Mark's passion is reverse engineering malware, both as an occupation and a hobby. He enjoys deep diving into a variety of malware from the worlds of both APT and crimeware, digging out the gory technical details and outlining the underlying stories and threat actors.

Ariel Jungheit is a security researcher on the Global Research and Analysis Team at Kaspersky Lab. Based in Germany, Ariel's interest in cybersecurity stems from his time in national military service, and before joining Kaspersky Lab he worked for FireEye and iSIGHT as a senior security analyst and an intelligence analyst respectively. At Kaspersky Lab, he contributes to GReAT's mission by helping to investigate the most active and advanced threat actors, targeted attacks, attacker tools and more. Ariel's professional passions include reverse engineering malware, uncovering, tracking and analyzing APT campaigns, and reporting on all of it.