Official North Korean News Site Injects Spyware into Visitors’ Computers

DPRK’s Korean Central News Agency is serving up more than just the latest pictures of Leader Kim Jong Un. “There's a little extra surprise hidden in the site's code—malware,” Ars Technica reports. The news site appears to double as a way for Pyongyang to carry out a “drive-by” attack against individuals interested in North Korean current events.

Part of the site’s JavaScript code links to a malicious software download named "FlashPlayer10.zip." That archive contains copies of a well-known Windows malware dropper, according to an analysis by malware screening site VirusTotal.

The malware installers have been on the site for years, according to the date stamp on files within the ZIP file. They were created in December of 2012.

The site might only “launch the download for specific cases—for example, from specific stories in KCNA's home-grown content management system for site visitors with specific browsers,” according to Ars.

Ironically, much of the content on the site is delivered from a directory called "siteFiles/exploit," and one of the header files used on the site's homepage is called "kcna.user.exploit.exploit.kcmsf."

The use of the word “exploit” might merely be a language translation quirk, and actually mean “develop.” Gaebalhada (개발하다) is a verb which translates to "exploit" or "develop."

“Of course, it could also be just some incredible amount of honesty by North Korean Web developers about what the KCNA's website is really supposed to do,” Ars reports.