Additional Certificate Abuse by Larva-25004 (Kimsuky-Linked): Malware Signed with a Nexaweb Certificate
2025-05-22 • AhnLab
ASEC identified malware associated with Larva-25004, a group connected to previously reported Kimsuky activity, that was signed with a Nexaweb Inc. certificate. The two discovered SCR files were signed on May 24 and May 28, 2024, using certificate serial 0315e137a6e2d658f07af454c63a0af2. When executed, the malware shows a job-related PDF lure, and the bait suggests possible targeting of people interested in defense-industry employment. ASEC found no malware among files signed with Nexaweb's earlier certificate and noted that the suspicious certificate appeared only on the two malware files under review.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | aa8936431f7bc0fabb0b9efb6ea153f9 | 2024-06-19 | 2025-05-30 |
| HASH | 28ce4d33e7994c2be95816eea5773ed1 | 2025-05-22 | 2025-05-24 |
| HASH | 0315e137a6e2d658f07af454c63a0af2 | 2024-08-24 | 2025-05-24 |
| HASH | 73d2899aade924476e58addf26254c2e | 2024-06-19 | 2025-05-24 |