Jaku botnet hides targeted attacks within generic botnet noise

Botnets are usually created by cyber criminals who use them to launch DDoS attacks, deliver spam, and carry out click fraud. The recently discovered Jaku botnet can do all of those things if its botmaster(s) choose to, but it seems they have other things in mind.

The botnet, which according to Forcepoint researchers numbered as many as 17,000 victims at different points in time, consists of several botnets “answering to” different C&C servers. The researchers have been tracking it since last September, and have noticed that it behaves atypically.

Jaku botnet victims per C&C server

“What makes Jaku unique is that within the noise of thousands of botnet victims, it targets and tracks a small number of specific individuals. These individuals include members of International Non-Governmental Organisations (NGOs), Engineering Companies, Academics, Scientists and Government Employees,” they shared.

The overwhelming majority of these victims are located in South Korea (42%), Japan (31%), China (8%) and the United States (6%), but its tentacles have reached into as many as 134 countries around the world. Interestingly enough, the number of corporate victims is extremely low: only 153 in all.

Jaku botnet victims in Asia

The botnet’s C&C servers are located in the APAC region, including Singapore, Malaysia and Thailand.

“What Jaku demonstrates is the re-use of Infrastructure, Tools, Techniques and Processes (TTPs), as well as the herding of victims into separate groupings; some indiscriminate and others highly targeted,” the researchers noted in an extensive whitepaper.

“Both the herding of general botnet victims and highly targeted attacks on individuals and organisations are hardly surprising. What is somewhat of a step change, however, is the execution of a number of concurrent operations within a campaign, using almost identical TTPs, to both herd thousands of victims into becoming botnet members while at the same time executing a targeted operation on a very small number of individuals.”

Once compromised – usually via booby-trapped pirated software and poisoned BitTorrent trackers – the victim computers can be made to download additional malware in several stages. The ultimate goal, at least for the aforementioned specific targets, is to harvest sensitive files and profile the end users (and their machines).

The botnets are quite resilient, and the malware is very stealthy.

“Jaku uses three different C2 mechanisms, making it highly resilient. Compressed and encrypted code embedded in image files is used to deliver the second stage malware, while the botnet controllers monitor the botnet members via obfuscated SQLite databases. The controllers also cleverly re-use widely available open source software, including the UDT network transport protocol, software copied from Korean blogger sites and re-writes of previously published code,” the researchers noted.

So, who’s behind it all? The researchers declined to speculate, but pointed out that there are indicators that suggest that the author(s) of the malware are native Korean speakers.

Add to this the fact that there are no victims in North Korea, and it seems logical that they come from that country. But when it comes to attacks and incursions in cyberspace, attribution is extremely difficult. It is also quite possible that the attackers are from another country and are looking to mask their location by trying to put the blame on North Korea.

Forcepoint has promised to publish a comprehensive list of Indicators of Compromise relating to the botnet soon.