Investigation results of the electronic certificate hacking incident at a financial information security company
2016-05-31 • KRSPO • Investigation results of the electronic certificate hacking incident at a financial information security company
Attachments
21610B4457689B7331.pdf (590 KB)
South Korean investigators concluded that a North Korean hacking group compromised a financial information security company, stole its code-signing certificate, and used it to sign malware so that the malware appeared to be legitimate software from that vendor. The intrusion began with malware on the company's internal servers, spread to the employee PCs on which the certificate was kept, and the stolen certificate was later used to sign malware placed on the web server of an academic association. On February 11, 2016, that server delivered the signed malware to 19 PCs in 10 organizations; the malware was described as stealing stored information and downloading additional malware. Attribution rested on connections from North Korean IP addresses to the company's server and to the malware's command-and-control (C2) infrastructure, a C2 domain containing the string "dprk", and related email evidence, including a lure email with a subject about inter-Korean unification and a mailbox linked to the Uriminzokkiri site. Prompt revocation of the certificate, network isolation, malware removal, and antivirus signature updates reportedly prevented further data leakage from public-sector networks.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | dprk.hdskip.com | 2016-05-31 | 2016-05-31 |
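The indicator above is only useful once it is run against your own resolver or proxy logs. The script below is an added example, not part of the KRSPO report or its attachment: it matches BIND-style DNS query log lines against the IOC domain, treats other hosts under the same parent zone (hdskip.com) as "related" rather than silently dropping them, and groups hits by source IP. The log lines, source addresses and the parent-zone rule are constructed for illustration; only dprk.hdskip.com comes from the table.

```python
"""Match DNS query logs against the IOC from this report.

Added example, not code from the KRSPO report. Sample log lines below are
constructed; only the domain dprk.hdskip.com comes from the IOC table.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Exact IOC from the table above.
IOC_DOMAINS = {"dprk.hdskip.com"}
# Assumption for illustration: other names under the same zone are worth a
# second look, so they are reported as "related" instead of being ignored.
RELATED_ZONES = {"hdskip.com"}

# Constructed sample (not real traffic): BIND query-log format.
SAMPLE_LOG = """\
11-Feb-2016 09:12:01.123 client 10.20.30.41#51234: query: dprk.hdskip.com IN A + (10.20.30.1)
11-Feb-2016 09:12:05.456 client 10.20.30.41#51240: query: update.hdskip.com IN A + (10.20.30.1)
11-Feb-2016 09:13:11.789 client 10.20.30.77#49812: query: www.example.org IN A + (10.20.30.1)
11-Feb-2016 09:14:00.001 client 10.20.30.52#52001: query: DPRK.HDSKIP.COM. IN AAAA + (10.20.30.1)
"""

LINE_RE = re.compile(
    r"client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot so FQDN spellings compare equal."""
    return qname.lower().rstrip(".")


def classify(qname: str) -> Optional[str]:
    """Return 'ioc' for an exact IOC hit, 'related' for the parent zone, else None."""
    name = normalize(qname)
    if name in IOC_DOMAINS:
        return "ioc"
    for zone in RELATED_ZONES:
        # Label match, not substring match: 'nothdskip.com' must not count.
        if name == zone or name.endswith("." + zone):
            return "related"
    return None


def scan(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each source IP to the (normalized qname, verdict) pairs that matched."""
    hits: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line or different format
        verdict = classify(m["qname"])
        if verdict:
            hits[m["src"]].append((normalize(m["qname"]), verdict))
    return dict(hits)


if __name__ == "__main__":
    for src, matches in scan(SAMPLE_LOG).items():
        for qname, verdict in matches:
            print(f"{src}\t{qname}\t{verdict}")
```

Two caveats when using this for real. The report cites the "dprk" string in the C2 domain as attribution evidence, not as a detection rule; a substring match on "dprk" across all DNS traffic would flag news and research sites, so match the full indicator (and, if you choose to, the parent zone) rather than the keyword. And the certificate revocation that contained this incident only protects endpoints whose signature verifiers actually check revocation status, so a DNS hit on a host should prompt a look at what signed binaries executed there, not just a block on the domain.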