Internet Outages Solved

Looks like Wired got to the bottom of the recent outages in North Korea: https://www.wired.com/story/north-korea-hacker-internet-outage/

Now that it doesn’t make much of a difference, here is a graph I created a few days ago to start getting a better idea of when launches and outages were occurring.

As a side note to all of this, I’ve spent far too much time in the last few days really digging into North Korea’s internet and the way they are peering with other networks, which will probably require a new post later.

GitHub Commits From Pyongyang University of Science and Technology (PUST)

PUST maintains a GitHub account for committing changes to open source projects on GitHub: https://github.com/arirang-pust

A sample commit can be found here: https://github.com/mlpack/mlpack/pull/842

Chat logs from the MLPACK developers discussing the change from PUST: https://www.mlpack.org/irc/mlpack.20161220.html

Blog post from the professor at PUST discussing the changes: https://izbicki.me/blog/teaching-open-source-in-north-korea.html

Associated LinkedIn account for PUST can be found here: https://www.linkedin.com/in/arirang-pust-748483144/

Thanks to the person that submitted this over email!

Internet Unstable Again

Since the outage last week I’ve been tracking some DPRK websites and IPs more closely. For the most part they’ve been up pretty consistently, but about 16 hours ago there appeared to be some pretty substantial instability. Will keep watching.

North Korea Using IPs In Russia?

I noticed the other day that 188.43.136.115 and 188.43.136.116 had the same certificate information in November 2021 as 175.45.176.21 and 175.45.176.22 had until recently. Now, this doesn’t prove anything, but it’s also interesting to note that both had ports 443 and 8888 exposed. Something to keep an eye on. The certificate is below. I could not find any other IPs using that certificate when searching the hash.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9961 (0x26e9)
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: CN=ISRA
        Validity
            Not Before: Sep 10 10:19:41 2021 GMT
            Not After : Sep 10 10:19:41 2022 GMT
        Subject: CN=is_server
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:4d:da:80:80:5e:1c:99:c0:cb:cf:c0:a3:a2:6f:
                    2b:1c:ca:f0:4a:03:6a:82:35:64:26:08:0f:c0:ac:
                    6f:31:e5:38:b9:04:cd:ca:1c:4e:39:d7:1e:32:81:
                    a5:62:65:be:2d:db:9f:80:61:e8:0b:46:95:d8:c6:
                    e5:48:29:e8:48:e8:af:85:24:bd:58:93:92:40:aa:
                    10:d1:a8:c2:e7:06:f3:ab:7b:29:cd:6f:57:b3:84:
                    60:1d:90:96:3b:7f:c8
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Client, S/MIME
            Netscape Comment: 
                OpenSSL Generated Client Certificate
            X509v3 Subject Key Identifier: 
                C2:A2:12:38:21:74:43:BF:F0:DE:5A:F8:EA:0E:B1:68:98:0E:3E:C3
            X509v3 Authority Key Identifier: 
                keyid:CB:36:50:B9:C4:39:6E:9B:F4:43:46:56:D5:2B:C2:99:6D:E6:F5:FA

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, E-mail Protection
    Signature Algorithm: ecdsa-with-SHA384
         30:65:02:30:4c:19:3b:cc:a9:3d:4b:01:5d:ab:df:09:93:3f:
         fc:e0:8f:f1:9c:61:11:c8:a4:d7:d8:fa:5f:6f:4e:08:a9:1f:
         42:81:97:6e:5d:d5:cb:53:30:d2:25:cb:56:db:9f:22:02:31:
         00:c7:b1:5e:ac:f8:67:82:c9:7b:88:e4:cf:03:23:b2:1f:65:
         39:e7:22:25:d6:e1:76:68:e2:1e:f5:de:13:ce:fa:94:24:77:
         51:8d:eb:08:77:eb:8d:55:9c:da:f7:38:63
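The comparison above was done by eye; this added example (mine, not part of the original post) parses the pivot fields out of an `openssl x509 -text` dump like the one shown and reports which of them two certificates share. The first sample is an excerpt of the certificate above; the second is a constructed variant with a different serial and subject but the same key identifiers, the sort of overlap that is worth flagging.

```python
from typing import Dict, Set

# Constructed excerpt of `openssl x509 -text` output, trimmed to the fields
# used for pivoting; the values are those of the certificate shown in the post.
CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9961 (0x26e9)
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: CN=ISRA
        Validity
            Not Before: Sep 10 10:19:41 2021 GMT
            Not After : Sep 10 10:19:41 2022 GMT
        Subject: CN=is_server
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                C2:A2:12:38:21:74:43:BF:F0:DE:5A:F8:EA:0E:B1:68:98:0E:3E:C3
            X509v3 Authority Key Identifier:
                keyid:CB:36:50:B9:C4:39:6E:9B:F4:43:46:56:D5:2B:C2:99:6D:E6:F5:FA
"""

# Constructed second dump: a re-issued certificate under the same CA that
# reuses the same subject key, which is the overlap an analyst wants flagged.
OTHER_TEXT = (CERT_TEXT.replace("9961 (0x26e9)", "9962 (0x26ea)")
                       .replace("CN=is_server", "CN=is_server2"))


def parse_cert_text(text: str) -> Dict[str, str]:
    """Extract the fields an analyst pivots on from openssl's text dump."""
    fields: Dict[str, str] = {}
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        key, _, rest = line.partition(":")
        rest = rest.strip()
        if key == "Serial Number":
            # short serials are "9961 (0x26e9)" on one line; long ones wrap
            fields["serial"] = (rest or lines[i + 1]).split("(")[0].strip()
        elif key in ("Issuer", "Subject"):
            fields[key.lower()] = rest
        elif key in ("Not Before", "Not After "):
            fields[key.strip().lower().replace(" ", "_")] = rest
        elif key == "X509v3 Subject Key Identifier":
            fields["ski"] = lines[i + 1]  # value sits on the following line
        elif key == "X509v3 Authority Key Identifier":
            aki = lines[i + 1]
            fields["aki"] = aki[6:] if aki.startswith("keyid:") else aki
    return fields


def shared_fields(a: Dict[str, str], b: Dict[str, str]) -> Set[str]:
    """Names of pivot fields that two parsed certificates have in common."""
    return {k for k in a if k in b and a[k] == b[k]}


def same_key_material(a: Dict[str, str], b: Dict[str, str]) -> bool:
    """A matching Subject Key Identifier means the same public key was reused."""
    return "ski" in a and a.get("ski") == b.get("ski")
```

A matching subject CN alone is weak evidence, since anyone can name a certificate `is_server`; a matching Subject Key Identifier or serial-plus-issuer pair is what ties two hosts to the same key material.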

Kim Il Sung University Website and Software

I’ve been trying to find a GitHub commit that came from North Korea. For some reason I never saved it. But I found something much more interesting here: https://github.com/Alyzana/kwang-myong-addresses/blob/master/sites-en

I have no idea where the data is from, but the user has a list of domains on Naenara. Most of them don’t resolve, but the one interesting thing I did find when doing some quick research is that apparently rns.edu.kp did resolve last year. To make things much more interesting, the only URL that I could reliably find is rns.edu.kp/AntiVirus

This led to a further search, and I found references to the BangPae-Client from KIM IL SUNG University MATH. I have no idea what this is, but I found these hashes:

  • 3e459baf7f73e38c3779b07db58c2821
  • 9b4a54b93351a35b34299a4d9db16afd
  • eb18354bc621e53fabf5375ef9b42664
  • decb5dd7c6a3a74d9b89df2d643af0e4
  • 85ba460b6c11da2c01cef6a296073630

If anyone has a copy and wants to share, I would appreciate it. I haven’t been able to find a copy at all. Additional details are below:

Directories found on disk:

  • C:\Program Files\BangPae-Client
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BangPae-Client

Generally, the following files are left on disk:

  • C:\Program Files\BangPae-Client\audio\2_13.pcm
  • C:\Program Files\BangPae-Client\audio\2_14.pcm
  • C:\Program Files\BangPae-Client\audio\2_17.pcm
  • C:\Program Files\BangPae-Client\audio\2_19.pcm
  • C:\Program Files\BangPae-Client\audio\2_24.pcm
  • C:\Program Files\BangPae-Client\audio\2_4.pcm
  • C:\Program Files\BangPae-Client\audio\2_9.pcm
  • C:\Program Files\BangPae-Client\BangPae-Client.exe
  • C:\Program Files\BangPae-Client\GPUCache\data_0
  • C:\Program Files\BangPae-Client\GPUCache\data_1
  • C:\Program Files\BangPae-Client\GPUCache\data_2
  • C:\Program Files\BangPae-Client\GPUCache\data_3
  • C:\Program Files\BangPae-Client\GPUCache\index
  • C:\Program Files\BangPae-Client\help.pdf
  • C:\Program Files\BangPae-Client\iconengines\qsvgicon.dll
  • C:\Program Files\BangPae-Client\imageformats\qgif.dll
  • C:\Program Files\BangPae-Client\imageformats\qico.dll
  • C:\Program Files\BangPae-Client\imageformats\qjpeg.dll
  • C:\Program Files\BangPae-Client\imageformats\qsvg.dll
  • C:\Program Files\BangPae-Client\kpcholim.ttc
  • C:\Program Files\BangPae-Client\kpchopom.ttc
  • C:\Program Files\BangPae-Client\libcrypto-1_1-x64.dll
  • C:\Program Files\BangPae-Client\libgcc_s_seh-1.dll
  • C:\Program Files\BangPae-Client\libssl-1_1-x64.dll
  • C:\Program Files\BangPae-Client\libstdc++-6.dll
  • C:\Program Files\BangPae-Client\libwinpthread-1.dll
  • C:\Program Files\BangPae-Client\lua5.1.dll
  • C:\Program Files\BangPae-Client\OpenAL32.dll
  • C:\Program Files\BangPae-Client\platforms\qdirect2d.dll
  • C:\Program Files\BangPae-Client\platforms\qminimal.dll
  • C:\Program Files\BangPae-Client\platforms\qoffscreen.dll
  • C:\Program Files\BangPae-Client\platforms\qwindows.dll
  • C:\Program Files\BangPae-Client\Poster\poster_big-1.dat
  • C:\Program Files\BangPae-Client\Poster\poster_big-2.dat
  • C:\Program Files\BangPae-Client\Poster\poster_big-3.dat
  • C:\Program Files\BangPae-Client\Poster\poster_big-4.dat
  • C:\Program Files\BangPae-Client\Poster\poster_big-5.dat
  • C:\Program Files\BangPae-Client\Poster\poster_big-6.dat
  • C:\Program Files\BangPae-Client\Poster\poster_small-1.dat
  • C:\Program Files\BangPae-Client\Poster\poster_small-2.dat
  • C:\Program Files\BangPae-Client\Poster\poster_small-3.dat
  • C:\Program Files\BangPae-Client\Poster\poster_small-4.dat
  • C:\Program Files\BangPae-Client\Poster\poster_small-5.dat
  • C:\Program Files\BangPae-Client\Poster\poster_small-6.dat
  • C:\Program Files\BangPae-Client\Qt5Core.dll
  • C:\Program Files\BangPae-Client\Qt5Gui.dll
  • C:\Program Files\BangPae-Client\Qt5Network.dll
  • C:\Program Files\BangPae-Client\Qt5Svg.dll
  • C:\Program Files\BangPae-Client\Qt5Widgets.dll
  • C:\Program Files\BangPae-Client\Qt5Xml.dll
  • C:\Program Files\BangPae-Client\RecordSample.sam
  • C:\Program Files\BangPae-Client\uninstall.exe
  • C:\Program Files\BangPae-Client\Uninstall\IRIMG1.JPG
  • C:\Program Files\BangPae-Client\Uninstall\IRIMG2.JPG
  • C:\Program Files\BangPae-Client\Uninstall\IRIMG3.JPG
  • C:\Program Files\BangPae-Client\Uninstall\uninstall.dat
  • C:\Program Files\BangPae-Client\Uninstall\uninstall.xml
  • C:\Program Files\BangPae-Client\Win10 Active Tool.exe
  • C:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\125\{6D809377-6AF0-444B-8957-A3773F02200E}_BangPae-Client_BangPae-Client_exe
  • C:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\125\{6D809377-6AF0-444B-8957-A3773F02200E}_BangPae-Client_help_pdf
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\BangPae-Client.suf.lnk
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\BangPae-Client-1.9.0-20201203.exe.7z.lnk
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\BangPae-Client-1.9.0-20201217.exe.7z.lnk
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\BangPae-Client-1.9.1-20201217.exe.7z.lnk
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BangPae-Client\BangPae-Client.lnk
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BangPae-Client\BangPae-Help.lnk
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BangPae-Client\Uninstall BangPae-Client.lnk

Use regedit.exe to manually remove from the Windows Registry the keys below:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\BangPae-Client.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\BangPae-Client1.9.1

Registry values that are not removed from your PC:

  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\program files\bangpae-client\bangpae-client.exe.FriendlyAppName
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\program files\bangpae-client\bangpae-client-test-202012282110.exe.FriendlyAppName
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\BangPae-Client\KCTV.exe.FriendlyAppName
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\D:\dev\meeting system\qTox\Distribution\1.9\Client\BangPae-Client-1.9.1.exe.FriendlyAppName
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\D:\dev\meeting system\qTox\Distribution\1.9\Client\BangPae-Client-1.9.2.exe.FriendlyAppName
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\D:\dev\meeting system\qTox\work\Setup\Client\BangPae-Client-x86_64-release\BangPae-Client.exe.FriendlyAppName
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\D:\dev\meeting system\qTox\work\Setup\Client\BangPae-Client-x86_64-release\BangPae-Client-202013311336.exe.FriendlyAppName
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\J:\Dev\JYJ\New Folder\TEST\BangPae-Client-1.7.7-del.exe.ApplicationCompany
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\J:\Dev\JYJ\New Folder\TEST\BangPae-Client-1.7.7-del.exe.FriendlyAppName
  • HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\M:\BangPae-Client.exe.FriendlyAppName
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1243145971-3851564632-427313449-500\\Device\HarddiskVolume3\Program Files\BangPae-Client\BangPae-Client.exe
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1243145971-3851564632-427313449-500\\Device\HarddiskVolume3\Program Files\BangPae-Client\uninstall.exe
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\TCP Query User{553D376B-C335-4AEE-AD0A-06DA388B93B0}C:\program files\bangpae-client\bangpae-client.exe
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\TCP Query User{7B36511F-CCE6-433B-99D4-2A8B9AEF8892}C:\program files\bangpae-client\bangpae-client-test-202012282110.exe
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\UDP Query User{1A4B66A6-21CB-441E-83E7-80F6B9F75306}C:\program files\bangpae-client\bangpae-client-test-202012282110.exe
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\UDP Query User{5D3E7543-AF1A-4B21-8EBB-457C0434908C}C:\program files\bangpae-client\bangpae-client.exe

Domains From the Uriminzokkiri Breach

For the longest time I’ve been meaning to go through this data dump and see if there was anything interesting in there. For now, here’s a list of KP domains that don’t come up too often: https://www.databreaches.net/uriminzokkiri-breach-update-9001-accounts-leaked-and-message-released-for-opnorthkorea/

kcc.go.kp
nnr.kcc.co.kp
co.kp
chongbong.kcc.go.kp
uri.kp.kp
mgic.kcc.go.kp
kgic.com.kp
kut.ac.kp
naenara.ko.kp
dg.kp
naenara.co.kp
sobaeksu.kcc.kp
sillibanck.kp.com
naenara.inf.kp
123.kp
kcc.oic.co.kp
htd.co.kp
cn.kp