According to Forcepoint’s 2016 Global Threat Report, Jaku (Star Wars reference alert — Jakku) has claimed 19,000 victims across 134 countries so far. Most of its victims are from countries such as Japan and South Korea, which comprise 73 percent of all infections. A six month investigation by Forcepoint’s Special Investigations (SI) team revealed that “Jaku herds victims en masse and conducts highly targeted attacks on specific victims through the execution of concurrent operational campaigns.” Forcepoint has built on Kaspersky’s previous Dark Hotel campaign research, and engaged with the UK National Crime Agency (NCA), CERT-UK, Europol and Interpol. These individuals include members of International Non-Governmental Organisations (NGOs), engineering companies, academics, scientists and government employees. The group behind Jaku controls the botnet through multiple command and control servers, which are located in Malaysia, Thailand and Singapore. In order to remain invisible, the Jaku group set up three different C&C mechanisms but also used muddled SQLite databases on the client-side to store configuration files. The Jaku botnet can be used to deliver spam, to launch DDoS attacks, but also to implement other types of malware. This second-stage delivery process happens with the help of steganography, which crooks use to pack their malicious code inside image files. Forcepoint says that infections usually take place via malware-laced files shared via BitTorrent. Generally, the group goes after high-value targets but doesn’t matter if other users are infected as well. Organizations are also faced with increases in data breaches caused by both malicious and “accidental” insiders, and varying security controls between cloud providers and businesses. “The rapid evolution of the cyber threat environment has consequences that are much broader than just technical, operational, and financial – they can impact every piece of a business,” said Forcepoint Chief Scientist Dr. Richard Ford. “With this Threat Report, we want to demystify these threats and help enable businesses with tools, recommendations and, quite simply, knowledge, so they can continue to move forward without fear.” Forcepoint researchers point out that “The Jaku campaign has clear connections with the TTPs used by the threat actors discussed by Kaspersky in the Darkhotel investigations from November 2014,” The Darkhotel group was later known as Dark Seoul, and has recently been linked to hackers in North Korea, part of the Lazarus Group. You can read about Jaku’s features on Forcepoint’s 44-page report.
