Domestic security firm code-signing certificate leak: investigation of links to a North Korean APT group

2025-04-01 ENKI

https://www.enki.co.kr/media-center/blog/domestic-security-firm-s-certificate-leak-linked-to-north-korean-apt


ENKI analyzed malware signed with a leaked Somansa code-signing certificate and assessed links to a North Korean APT cluster. The backdoor sample used command-and-control infrastructure under p-e[.]kr, a domain pattern the report says is frequently used by North Korean APT activity, and Rich Header analysis showed product and build identifiers overlapping malware build environments associated with North Korean, Chinese, and Iranian APT groups. The report frames the certificate leak as a supply-chain and trust-abuse risk because signed malware can evade user suspicion and some defensive controls while collecting system information, executing commands, and communicating with attacker infrastructure. Defenders should hunt for Somansa-signed suspicious binaries, the cited C2 indicators, and behaviors mapped to command execution, discovery, exfiltration, and defense evasion.
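The hunting recommendation above, expressed as a triage rule over constructed endpoint telemetry (an added example, not code from the ENKI report): the Event schema, the assumed install path and the sample hostnames are assumptions, while the Somansa signer and the p-e.kr domain pattern come from the summary.

```python
"""Added example (not ENKI's code): a hunting rule for abuse of the leaked
Somansa code-signing certificate, run over constructed endpoint telemetry.
Field names, paths and hostnames are assumptions, not a real EDR schema."""
from dataclasses import dataclass, field

SUSPECT_SIGNER = "somansa"   # signer named in the report
C2_SUFFIXES = ("p-e.kr",)    # C2 domain pattern named in the report
EXPECTED_DIRS = (r"c:\program files\somansa",)          # assumed install path
USER_WRITABLE = (r"\users", r"\temp", r"\appdata", r"\programdata")
SHELLS = {"cmd.exe", "powershell.exe"}

@dataclass
class Event:
    path: str
    signer_subject: str
    dns_queries: list[str] = field(default_factory=list)
    spawned: list[str] = field(default_factory=list)

def matches_c2_pattern(host: str) -> bool:
    """True for the apex or any subdomain of a reported C2 suffix."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in C2_SUFFIXES)

def score(ev: Event) -> list[str]:
    """Reasons to hunt this binary; empty means nothing suspicious. A valid
    signature is deliberately not exonerating: the report's sample carried a
    valid signature made with the leaked certificate."""
    if SUSPECT_SIGNER not in ev.signer_subject.lower():
        return []                                  # rule scoped to that signer
    reasons = []
    p = ev.path.lower()
    if not p.startswith(EXPECTED_DIRS) and any(m in p for m in USER_WRITABLE):
        reasons.append(f"runs from user-writable path {ev.path}")
    reasons += [f"contacts reported C2 pattern {h}"
                for h in ev.dns_queries if matches_c2_pattern(h)]
    reasons += [f"spawns {c} (command execution)"
                for c in ev.spawned if c.lower() in SHELLS]
    return reasons

def hunt(events: list[Event]) -> dict[str, list[str]]:
    return {ev.path: r for ev in events if (r := score(ev))}

# Constructed telemetry: legitimate agent, signed backdoor, unrelated binary.
SAMPLE = [
    Event(r"C:\Program Files\Somansa\agent.exe", "CN=Somansa Co., Ltd.", ["lic.example"]),
    Event(r"C:\Users\a\AppData\Local\Temp\svchost.exe", "CN=Somansa Co., Ltd.",
          ["ctrl.p-e.kr"], ["cmd.exe"]),
    Event(r"C:\Windows\System32\notepad.exe", "CN=Microsoft Windows"),
]
```

Only the signed binary running from a temp directory, resolving a p-e.kr host and spawning a shell is flagged; the legitimately installed agent with the same signer is not.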

Indicators of Compromise

