Kim Il Sung University Website and Software

I’ve been trying to find a GitHub repository that had a commit from North Korea. For some reason I never saved it. But I found something much more interesting here: https://github.com/Alyzana/kwang-myong-addresses/blob/master/sites-en

I have no idea where the data is from, but the user has a list of domains on Naenara. Most of them don’t resolve, but one interesting thing I found while doing some quick research is that rns.edu.kp apparently did resolve last year. To make things more interesting, the only URL I could reliably find is rns.edu.kp/AntiVirus

This led to a further search, and I found references to the BangPae-Client from KIM IL SUNG University MATH. I have no idea what this is, but I found these hashes (32 hex characters each, so presumably MD5):

  • 3e459baf7f73e38c3779b07db58c2821
  • 9b4a54b93351a35b34299a4d9db16afd
  • eb18354bc621e53fabf5375ef9b42664
  • decb5dd7c6a3a74d9b89df2d643af0e4
  • 85ba460b6c11da2c01cef6a296073630

If anyone has a copy and wants to share, I would appreciate it. I haven’t been able to find a copy at all. Additional details are below:

Directories found on disk:

  • C:\Program Files\BangPae-Client
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BangPae-Client

Generally, the following files are left on disk:

  • C:\Program Files\BangPae-Client\audio\2_13.pcm
  • C:\Program Files\BangPae-Client\audio\2_14.pcm
  • C:\Program Files\BangPae-Client\audio\2_17.pcm
  • C:\Program Files\BangPae-Client\audio\2_19.pcm
  • C:\Program Files\BangPae-Client\audio\2_24.pcm
  • C:\Program Files\BangPae-Client\audio\2_4.pcm
  • C:\Program Files\BangPae-Client\audio\2_9.pcm
  • C:\Program Files\BangPae-Client\BangPae-Client.exe
  • C:\Program Files\BangPae-Client\GPUCache\data_0
  • C:\Program Files\BangPae-Client\GPUCache\data_1
  • C:\Program Files\BangPae-Client\GPUCache\data_2
  • C:\Program Files\BangPae-Client\GPUCache\data_3
  • C:\Program Files\BangPae-Client\GPUCache\index
  • C:\Program Files\BangPae-Client\help.pdf
  • C:\Program Files\BangPae-Client\iconengines\qsvgicon.dll
  • C:\Program Files\BangPae-Client\imageformats\qgif.dll
  • C:\Program Files\BangPae-Client\imageformats\qico.dll
  • C:\Program Files\BangPae-Client\imageformats\qjpeg.dll
  • C:\Program Files\BangPae-Client\imageformats\qsvg.dll
  • C:\Program Files\BangPae-Client\kpcholim.ttc
  • C:\Program Files\BangPae-Client\kpchopom.ttc
  • C:\Program Files\BangPae-Client\libcrypto-1_1-x64.dll
  • C:\Program Files\BangPae-Client\libgcc_s_seh-1.dll
  • C:\Program Files\BangPae-Client\libssl-1_1-x64.dll
  • C:\Program Files\BangPae-Client\libstdc++-6.dll
  • C:\Program Files\BangPae-Client\libwinpthread-1.dll
  • C:\Program Files\BangPae-Client\lua5.1.dll
  • C:\Program Files\BangPae-Client\OpenAL32.dll
  • C:\Program Files\BangPae-Client\platforms\qdirect2d.dll
  • C:\Program Files\BangPae-Client\platforms\qminimal.dll
  • C:\Program Files\BangPae-Client\platforms\qoffscreen.dll
  • C:\Program Files\BangPae-Client\platforms\qwindows.dll
  • C:\Program Files\BangPae-Client\Poster\poster_big-1.dat
  • C:\Program Files\BangPae-Client\Poster\poster_big-2.dat
  • C:\Program Files\BangPae-Client\Poster\poster_big-3.dat
  • C:\Program Files\BangPae-Client\Poster\poster_big-4.dat
  • C:\Program Files\BangPae-Client\Poster\poster_big-5.dat
  • C:\Program Files\BangPae-Client\Poster\poster_big-6.dat
  • C:\Program Files\BangPae-Client\Poster\poster_small-1.dat
  • C:\Program Files\BangPae-Client\Poster\poster_small-2.dat
  • C:\Program Files\BangPae-Client\Poster\poster_small-3.dat
  • C:\Program Files\BangPae-Client\Poster\poster_small-4.dat
  • C:\Program Files\BangPae-Client\Poster\poster_small-5.dat
  • C:\Program Files\BangPae-Client\Poster\poster_small-6.dat
  • C:\Program Files\BangPae-Client\Qt5Core.dll
  • C:\Program Files\BangPae-Client\Qt5Gui.dll
  • C:\Program Files\BangPae-Client\Qt5Network.dll
  • C:\Program Files\BangPae-Client\Qt5Svg.dll
  • C:\Program Files\BangPae-Client\Qt5Widgets.dll
  • C:\Program Files\BangPae-Client\Qt5Xml.dll
  • C:\Program Files\BangPae-Client\RecordSample.sam
  • C:\Program Files\BangPae-Client\uninstall.exe
  • C:\Program Files\BangPae-Client\Uninstall\IRIMG1.JPG
  • C:\Program Files\BangPae-Client\Uninstall\IRIMG2.JPG
  • C:\Program Files\BangPae-Client\Uninstall\IRIMG3.JPG
  • C:\Program Files\BangPae-Client\Uninstall\uninstall.dat
  • C:\Program Files\BangPae-Client\Uninstall\uninstall.xml
  • C:\Program Files\BangPae-Client\Win10 Active Tool.exe
  • C:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\125\{6D809377-6AF0-444B-8957-A3773F02200E}_BangPae-Client_BangPae-Client_exe
  • C:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\125\{6D809377-6AF0-444B-8957-A3773F02200E}_BangPae-Client_help_pdf
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\BangPae-Client.suf.lnk
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\BangPae-Client-1.9.0-20201203.exe.7z.lnk
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\BangPae-Client-1.9.0-20201217.exe.7z.lnk
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\BangPae-Client-1.9.1-20201217.exe.7z.lnk
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BangPae-Client\BangPae-Client.lnk
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BangPae-Client\BangPae-Help.lnk
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BangPae-Client\Uninstall BangPae-Client.lnk

The following keys are present in the Windows Registry (use regedit.exe to remove them manually):

  • HKEY_LOCAL_MACHINE\Software\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\BangPae-Client.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\BangPae-Client1.9.1

Registry values that the uninstaller does not remove from the PC:

  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\program files\bangpae-client\bangpae-client.exe.FriendlyAppName
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\program files\bangpae-client\bangpae-client-test-202012282110.exe.FriendlyAppName
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\BangPae-Client\KCTV.exe.FriendlyAppName
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\D:\dev\meeting system\qTox\Distribution\1.9\Client\BangPae-Client-1.9.1.exe.FriendlyAppName
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\D:\dev\meeting system\qTox\Distribution\1.9\Client\BangPae-Client-1.9.2.exe.FriendlyAppName
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\D:\dev\meeting system\qTox\work\Setup\Client\BangPae-Client-x86_64-release\BangPae-Client.exe.FriendlyAppName
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\D:\dev\meeting system\qTox\work\Setup\Client\BangPae-Client-x86_64-release\BangPae-Client-202013311336.exe.FriendlyAppName
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\J:\Dev\JYJ\New Folder\TEST\BangPae-Client-1.7.7-del.exe.ApplicationCompany
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\J:\Dev\JYJ\New Folder\TEST\BangPae-Client-1.7.7-del.exe.FriendlyAppName
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\M:\BangPae-Client.exe.FriendlyAppName
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1243145971-3851564632-427313449-500\\Device\HarddiskVolume3\Program Files\BangPae-Client\BangPae-Client.exe
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1243145971-3851564632-427313449-500\\Device\HarddiskVolume3\Program Files\BangPae-Client\uninstall.exe
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\TCP Query User{553D376B-C335-4AEE-AD0A-06DA388B93B0}C:\program files\bangpae-client\bangpae-client.exe
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\TCP Query User{7B36511F-CCE6-433B-99D4-2A8B9AEF8892}C:\program files\bangpae-client\bangpae-client-test-202012282110.exe
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\UDP Query User{1A4B66A6-21CB-441E-83E7-80F6B9F75306}C:\program files\bangpae-client\bangpae-client-test-202012282110.exe
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\UDP Query User{5D3E7543-AF1A-4B21-8EBB-457C0434908C}C:\program files\bangpae-client\bangpae-client.exe
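
The MuiCache, BAM and firewall-rule entries above are execution evidence, and they leak more than the install path: the MuiCache values carry the developer’s build and staging directories (a tree named qTox under "meeting system", a JYJ test folder, a removable-looking M: drive), version numbers from 1.7.7 to 1.9.2 and date-like build stamps, one of which (202013311336) is not a valid yyyyMMddHHmm date. The script below is an added example, not code from the original post or from the BangPae authors. It assumes the key paths arrive as plain strings (for instance from a registry export), parses a constructed subset of the entries listed on this page, and hardcodes C:\Program Files\BangPae-Client as the expected install directory so that anything run from elsewhere is reported as a developer-side path.

```python
"""Triage execution artifacts for BangPae-Client from registry key paths.

Added example (not from the original post or the BangPae authors). Parses three
sources of execution evidence seen above: Shell MuiCache values, BAM UserSettings
entries and per-user Windows Firewall rules.
"""
import json
import re
from datetime import datetime
from pathlib import PureWindowsPath

MUICACHE_RE = re.compile(
    r"^HKEY_CLASSES_ROOT\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\MuiCache\\"
    r"(?P<path>.+?\.exe)\.(?P<value>FriendlyAppName|ApplicationCompany)$", re.I)
BAM_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\"
    r"(?P<sid>S-1-5-21-[\d-]+)\\(?P<path>\\Device\\HarddiskVolume\d+\\.+)$", re.I)
FIREWALL_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\"
    r"FirewallPolicy\\FirewallRules\\(?P<proto>TCP|UDP) Query User"
    r"\{(?P<guid>[0-9A-Fa-f-]+)\}(?P<path>.+)$", re.I)
VERSION_RE = re.compile(r"(?<!\d)(\d+\.\d+\.\d+)(?!\d)")   # 1.9.1, 1.7.7 ...
STAMP_RE = re.compile(r"(?<!\d)(\d{8}|\d{12})(?!\d)")       # yyyymmdd or yyyymmddHHMM
INSTALL_DIR = str(PureWindowsPath(r"C:\Program Files\BangPae-Client")).lower()  # assumed

# Constructed subset of the key paths listed on this page (raw strings: literal backslashes).
SAMPLE_KEYS = [
    r"HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\program files\bangpae-client\bangpae-client.exe.FriendlyAppName",
    r"HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\program files\bangpae-client\bangpae-client-test-202012282110.exe.FriendlyAppName",
    r"HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\BangPae-Client\KCTV.exe.FriendlyAppName",
    r"HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\D:\dev\meeting system\qTox\Distribution\1.9\Client\BangPae-Client-1.9.1.exe.FriendlyAppName",
    r"HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\D:\dev\meeting system\qTox\work\Setup\Client\BangPae-Client-x86_64-release\BangPae-Client-202013311336.exe.FriendlyAppName",
    r"HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\J:\Dev\JYJ\New Folder\TEST\BangPae-Client-1.7.7-del.exe.ApplicationCompany",
    r"HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\M:\BangPae-Client.exe.FriendlyAppName",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1243145971-3851564632-427313449-500\\Device\HarddiskVolume3\Program Files\BangPae-Client\BangPae-Client.exe",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\TCP Query User{553D376B-C335-4AEE-AD0A-06DA388B93B0}C:\program files\bangpae-client\bangpae-client.exe",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\UDP Query User{1A4B66A6-21CB-441E-83E7-80F6B9F75306}C:\program files\bangpae-client\bangpae-client-test-202012282110.exe",
]


def parse_stamp(stamp):
    """Interpret a yyyymmdd / yyyymmddHHMM build stamp; None if it is not a real date."""
    try:
        return datetime.strptime(stamp, "%Y%m%d" if len(stamp) == 8 else "%Y%m%d%H%M")
    except ValueError:
        return None


def parse_artifact(key_path):
    """Classify one key path as ('muicache'|'bam'|'firewall', fields) or None."""
    for source, pattern in (("muicache", MUICACHE_RE), ("bam", BAM_RE), ("firewall", FIREWALL_RE)):
        m = pattern.match(key_path)
        if m:
            return source, m.groupdict()
    return None


def summarize(key_paths):
    """Collapse many key paths into one IOC-style summary dict."""
    exes, versions, stamps, sids, dev_dirs, rules = set(), set(), {}, set(), set(), []
    for key in key_paths:
        parsed = parse_artifact(key)
        if parsed is None:
            continue
        source, f = parsed
        path = PureWindowsPath(f["path"])
        name = path.name
        exes.add(name.lower())
        versions.update(VERSION_RE.findall(name))
        for s in STAMP_RE.findall(name):
            dt = parse_stamp(s)
            stamps[s] = dt.isoformat(timespec="minutes") if dt else None
        if source == "bam":
            sids.add(f["sid"])
        elif source == "firewall":
            rules.append((f["proto"].upper(), f["guid"].upper(), name.lower()))
        elif str(path.parent).lower() != INSTALL_DIR:
            # MuiCache entries for binaries run from outside the install directory
            # expose where the software was built or staged (D:\dev\..., J:\Dev\..., M:\).
            dev_dirs.add(str(path.parent))
    return {
        "executables": sorted(exes),
        "versions": sorted(versions),
        "build_stamps": stamps,
        "sids": sorted(sids),
        "dev_dirs": sorted(dev_dirs),
        "firewall_rules": sorted(rules),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_KEYS), indent=2))
```

On the sample above the summary reports six distinct executables, versions 1.7.7 and 1.9.1, one valid build stamp (2020-12-28 21:10) and one that fails to parse, a single SID, and four directories outside the install path. The same parsers work unchanged on a full `reg export` of HKCR\Local Settings, the BAM UserSettings key and the FirewallRules key from a suspect host.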

Domains From the Uriminzokkiri Breach

For the longest time I’ve been meaning to go through this data dump to see if there was anything interesting in it. For now, here’s a list of KP domains that don’t come up too often: https://www.databreaches.net/uriminzokkiri-breach-update-9001-accounts-leaked-and-message-released-for-opnorthkorea/

kcc.go.kp
nnr.kcc.co.kp
co.kp
chongbong.kcc.go.kp
uri.kp.kp
mgic.kcc.go.kp
kgic.com.kp
kut.ac.kp
naenara.ko.kp
dg.kp
naenara.co.kp
sobaeksu.kcc.kp
sillibanck.kp.com
naenara.inf.kp
123.kp
kcc.oic.co.kp
htd.co.kp
cn.kp

korstamp.com.kp Authors

Interesting to see that korstamp.com.kp has a set of authors listed on each page. Can’t seem to find much information about anyone.

There’s also a list of contact emails, several of which are outside the traditional DPRK email domains (163.com is NetEase, qq.com and foxmail.com are Tencent, plus Gmail):

Email: stamp@star-co.net.kp, stampdealerlink@163.com, kssb_exhi@foxmail.com, xuyong0824@qq.com, jugwangjang@gmail.com

Broken Search dprkportal.kp

Searching on dprkportal.kp appears to be broken. Example below:

Digging into the JavaScript, it looks like most of the validation is done in the browser based on a regex.

I haven’t tested further, but the search can be accessed directly with the following example (the URL has to be quoted; otherwise the shell treats each & as a command separator and only the first parameter reaches curl):

curl 'http://dprkportal.kp/include/search_func.php?action=search_site&keyword=kcna.kp&page=1'

I assume the search never returns results because the string for each URL contains a period and the search bar automatically removes periods when they are typed or pasted in.

Found NetKey.exe

I finally found a copy of netkey.exe, which I posted about a few months back. I haven’t had a chance to really try it out yet, and the IP shown is my own. I’m also relying on Google Translate, but it looks like it’s titled "Network Certification Program"; if anyone can help translate, that would be greatly appreciated.

A New Non-Routable .kp Domain?

I can’t find anything online about this yet, but looking at the subject information for the certificate at vok.rep.kp, there’s a pretty interesting email address listed. I haven’t seen any publicly reachable email or web host for tech.krt.kp so far (krt.kp is a second-level domain under .kp, not a TLD).
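
One way to repeat that check with only the Python standard library, as an added example that is not code from the original post: fetch the server’s leaf certificate, pull every email address out of it, and group the domains behind them for the next pivot. The address actually seen on vok.rep.kp is not reproduced here; the test data is a constructed certificate dict and constructed DER-like bytes with a placeholder local part at tech.krt.kp. fetch_peer_cert_der() is the only function that touches the network, and the regex pass over DER is deliberately coarse (no ASN.1 parsing).

```python
"""Pull e-mail addresses out of a server's TLS certificate and turn them into
domain pivots. Added example, not code from the original post.
"""
import re
import socket
import ssl

# IA5String contents of emailAddress / rfc822Name fields are plain ASCII inside DER.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def fetch_peer_cert_der(host, port=443, timeout=10):
    """Return the leaf certificate the server presents, as DER bytes.

    Verification is disabled on purpose: the aim is to read the subject of
    whatever is served, self-signed or not. Pitfall: with CERT_NONE,
    getpeercert() without binary_form=True returns {} because the dict form
    is only populated for validated certificates.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def emails_from_der(der):
    """Coarse strings-style pass over DER; no ASN.1 parsing, so it also picks up
    addresses in the issuer and in any other string-typed field."""
    return sorted({m.decode("ascii").lower() for m in EMAIL_RE.findall(der)})


def emails_from_cert_dict(cert):
    """Structured variant for the dict ssl.getpeercert() returns after a
    successful validation: subject/issuer RDNs plus subjectAltName entries."""
    found = set()
    for field in ("subject", "issuer"):
        for rdn in cert.get(field, ()):
            for key, value in rdn:
                if key == "emailAddress":
                    found.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "email":
            found.add(value.lower())
    return sorted(found)


def pivot_domains(emails):
    """Split the domains behind the addresses into .kp and everything else."""
    domains = {e.rsplit("@", 1)[1] for e in emails}
    kp = sorted(d for d in domains if d == "kp" or d.endswith(".kp"))
    other = sorted(domains - set(kp))
    return kp, other


# Constructed stand-ins. The local part at tech.krt.kp is a placeholder, not the
# address actually present in the vok.rep.kp certificate.
SAMPLE_CERT = {
    "subject": ((("countryName", "KP"),), (("commonName", "vok.rep.kp"),),
                (("emailAddress", "placeholder@tech.krt.kp"),)),
    "issuer": ((("commonName", "example-issuer"),),
               (("emailAddress", "ca@example.invalid"),)),
    "subjectAltName": (("DNS", "vok.rep.kp"), ("email", "placeholder@tech.krt.kp")),
}
SAMPLE_DER = (b"\x30\x82\x01\x00"                      # constructed bytes, not real DER
              + b"\x16\x17placeholder@tech.krt.kp"
              + b"\x16\x12ca@example.invalid")

if __name__ == "__main__":
    import sys
    der = fetch_peer_cert_der(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DER
    emails = emails_from_der(der)
    print(emails, pivot_domains(emails))
```

Run it with a hostname to query a live server, or with no arguments to exercise the constructed data. Because the DER pass does not distinguish subject from issuer, keep the two variants apart when the distinction matters: an address in the issuer tells you who signed the certificate, not who operates the host.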

Re-visiting KCNA’s malware/exploit page

I was reminded yesterday of this article from a few years ago about a malicious download made available on kcna.kp: https://www.pcworld.com/article/2868436/north-korean-official-news-agency-site-serves-malware.html

Despite this being discovered a few years ago, you can still find references to the file in the source of the site.

One interesting thing is that part of the URL contains "exploit", but as the article notes it could just be a translation error. Looking at the source of the page, there are also hidden links for check_system_password and admin_login.

There’s also a directory, siteFiles/exploit. I saved a few of the files and sent them to VirusTotal, and nothing looks suspicious:

https://www.virustotal.com/gui/file/a21a277ccbbe9f992f004341873ed645798e5ebd5a55980d8ebce3e85e2a3c3f/detection

https://www.virustotal.com/gui/file/140181ac8dd94051940ca2bde09d7787725cf3e507a53494ced8333e3f9019c2/detection

Also, based on the dates for some of the files, it looks like they’ve been known for at least a few years.

These two links (check_system_password and admin_login) don’t load anything and aren’t visible, but archive.org captured them back in 2015, and it looks like the page just reloads continuously:

https://web.archive.org/web/20150703061753id_/http://kcna.kp/admin_login

Looking through more of the site, I also found similar references: links that are present in the code but not visible anywhere on the site:

/system_admin_login_class

/check_db_password

/\\\check_system_password

None of those pages load, but I found it interesting that these links are hidden in the code and not visible anywhere on the site that I’ve been able to find.
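
A practical way to surface links like these across a whole site is to parse each page and record not just every URL but how it was found: in an HTML comment, inside a display:none or hidden subtree, in an anchor with no visible text, or as a plain attribute, and then flag anything whose path looks administrative. The script below is an added example, not code from the original post or from kcna.kp; the HTML it runs on is a constructed sample built around the paths named above, not the real page source, and the keyword list used to mark sensitive-looking paths is an assumption.

```python
"""Find links a page carries but does not show: in HTML comments, inside
display:none / hidden subtrees, or in anchors with no visible text.

Added example (not from the original post or from kcna.kp). SAMPLE_HTML is
constructed; the SENSITIVE_RE keywords are an assumption.
"""
import re
from html.parser import HTMLParser

SENSITIVE_RE = re.compile(r"admin|login|passw(or)?d|exploit|backup|debug|phpinfo", re.I)
COMMENT_URL_RE = re.compile(r"""(?:href|src|action)\s*=\s*["']?([^"'\s>]+)""", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link",
        "meta", "param", "source", "track", "wbr"}


class LinkAuditor(HTMLParser):
    """Collects {url, where, sensitive} for every URL-bearing attribute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._stack = []     # (tag, is_hidden) for each open element
        self._anchor = None  # (href, text so far) for the innermost open <a>

    def _in_hidden(self):
        return any(hidden for _, hidden in self._stack)

    def _add(self, url, where):
        self.findings.append({"url": url, "where": where,
                              "sensitive": bool(SENSITIVE_RE.search(url))})

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        is_hidden = "hidden" in a or "display:none" in style or "visibility:hidden" in style
        hidden_ctx = is_hidden or self._in_hidden()
        for name in ("href", "src", "action"):
            if not a.get(name):
                continue
            if tag == "a" and name == "href":
                self._anchor = (a[name], "")   # classify once its text is known
            else:
                self._add(a[name], "hidden" if hidden_ctx else "attr")
        if tag not in VOID:
            self._stack.append((tag, is_hidden))

    def handle_data(self, data):
        if self._anchor is not None:
            url, text = self._anchor
            self._anchor = (url, text + data)

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor is not None:
            url, text = self._anchor
            if self._in_hidden():
                where = "hidden"
            elif not text.strip():
                where = "no-text"
            else:
                where = "visible"
            self._add(url, where)
            self._anchor = None
        if any(t == tag for t, _ in self._stack):   # tolerate unclosed elements
            while self._stack.pop()[0] != tag:
                pass

    def handle_comment(self, data):
        for url in COMMENT_URL_RE.findall(data):
            self._add(url, "comment")


def audit_links(html):
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


def hidden_or_sensitive(html):
    """URLs worth a manual look: not rendered, or matching a sensitive keyword."""
    return sorted({f["url"] for f in audit_links(html)
                   if f["where"] in ("comment", "hidden", "no-text") or f["sensitive"]})


# Constructed page: the paths are the ones named above, the markup is not kcna.kp's.
SAMPLE_HTML = """
<html><body>
<a href="/kp/">Home</a>
<img src="/siteFiles/images/logo.png">
<!-- <a href="/admin_login">admin</a> -->
<div style="display: none"><a href="/check_system_password">check</a></div>
<a href="/system_admin_login_class"></a>
<a hidden href="/check_db_password">db</a>
<a href="/siteFiles/exploit/update.zip">Download</a>
<script src="/js/main.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_HTML):
        print(f"{f['where']:8} {'!' if f['sensitive'] else ' '} {f['url']}")
```

Fed the page source of every URL from a crawl, this turns "I noticed a hidden link" into a repeatable inventory, and the "where" field tells you whether a path was commented out, styled away, or simply given no link text.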