Case of Larva-25004 Group (Related to Kimsuky) Exploiting Additional Certificate – Malware Signed with Nexaweb Certificate

AhnLab Security Intelligence Center identified malware samples signed with a code-signing certificate issued to Nexaweb Inc. The samples are attributed to the threat group AhnLab tracks as Larva-25004, which is linked to Kimsuky. The malware displays an employment-related PDF as bait, pointing to people seeking jobs in the defense industry as the likely targets. #Kimsuky #Larva25004 #Nexaweb

Keypoints

  • AhnLab discovered malware signed with a certificate issued to Nexaweb Inc. This follows an earlier case in which the same group abused another Korean company’s certificate, hence the “additional certificate” in the title.
  • The samples are attributed to the group AhnLab tracks as Larva-25004, which is linked to the Kimsuky threat actor.
  • Two malicious files were identified: “Job Description (LM HR Division II).pdf.scr” and “Automation Manager JD(LM HR II).scr,” signed on May 24 and May 28, 2024, respectively.
  • The malware displays a PDF file related to employment as a social engineering bait to lure victims.
  • The exact targets remain unknown, but the bait suggests targeting individuals interested in defense sector jobs.
  • No malware signed with Nexaweb’s earlier certificate (serial number 28ce4d33e7994c2be95816eea5773ed1) has been found; so far the newer certificate has only been observed on these malware samples, which suggests it was obtained or issued for this purpose rather than taken from legitimately signed software.
  • AhnLab contacted Nexaweb to verify certificate ownership but received no confirmation yet.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – The malware uses a PDF employment document as bait to trick users into executing the malicious files (‘When the malware is executed, it displays a PDF file related to employment as a bait’).
  • [T1036.007] Masquerading: Double File Extension – The file name “Job Description (LM HR Division II).pdf.scr” presents a screensaver executable as a PDF document.
  • [T1553.002] Subvert Trust Controls: Code Signing – The samples are signed with a valid certificate issued to Nexaweb Inc., so they pass signature checks and attract less scrutiny from users and security tools (‘malware signed with the certification of Nexaweb Inc.’).

Indicators of Compromise

  • [File Hashes] MD5 hashes of the malware files – 73d2899aade924476e58addf26254c2e, aa8936431f7bc0fabb0b9efb6ea153f9, and 27d4ff7439694041ef86233c2b804e1f.
  • [File Names] Malicious executable files used in attacks – Job Description (LM HR Division II).pdf.scr, Automation Manager JD(LM HR II).scr.
  • [Certificate] Nexaweb Inc. certificate serial number linked to the malware signing – 0315e137a6e2d658f07af454c63a0af2.
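The following triage script is an added example for checking Windows endpoints against the indicators above; it is not from the ASEC report and has no connection to Nexaweb. It walks a directory for .scr and .exe files and flags the three behaviours described on this page: the .pdf.scr double extension, an MD5 match against the listed hashes, and an Authenticode signer whose certificate serial number is the one used to sign the malware (the earlier Nexaweb serial is included as a review-only entry). The scan path, the review-only labelling and the choice to inspect only .scr and .exe files are assumptions of this example.

```powershell
# Added triage example (not from the ASEC report). Run on the Windows host being
# checked; the IOC values below are the ones listed on this page.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumption: scan the user's Downloads folder
)

# MD5 hashes of the known samples
$IocMd5 = @(
    '73d2899aade924476e58addf26254c2e',
    'aa8936431f7bc0fabb0b9efb6ea153f9',
    '27d4ff7439694041ef86233c2b804e1f'
)

# Certificate serial numbers. X509Certificate2.SerialNumber returns uppercase hex
# without separators, so the IOC serials are stored in that form.
$IocSerials = @{
    '0315E137A6E2D658F07AF454C63A0AF2' = 'Nexaweb certificate used to sign Larva-25004 malware'
    '28CE4D33E7994C2BE95816EEA5773ED1' = 'earlier Nexaweb certificate (no malware seen; review only)'
}

Get-ChildItem -Path $Path -Recurse -File -Include *.scr, *.exe -ErrorAction SilentlyContinue |
ForEach-Object {
    $file     = $_
    $findings = @()

    # T1036.007: document extension followed by a screensaver executable extension
    if ($file.Name -match '\.pdf\.scr$') {
        $findings += 'double extension .pdf.scr'
    }

    # Hash match against the listed samples (catches only these exact files)
    $md5 = (Get-FileHash -Path $file.FullName -Algorithm MD5).Hash.ToLower()
    if ($IocMd5 -contains $md5) {
        $findings += "MD5 IOC match ($md5)"
    }

    # T1553.002: signer certificate serial, checked regardless of signature status
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($sig.SignerCertificate) {
        $serial = $sig.SignerCertificate.SerialNumber.ToUpper()
        if ($IocSerials.ContainsKey($serial)) {
            $findings += "signer serial $serial : $($IocSerials[$serial]) (status: $($sig.Status))"
        }
    }

    if ($findings.Count -gt 0) {
        [pscustomobject]@{
            Path     = $file.FullName
            MD5      = $md5
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            Status   = $sig.Status
            Findings = ($findings -join '; ')
        }
    }
}
```

The serial-number check is deliberately independent of `$sig.Status`: if the certificate has since been revoked, Get-AuthenticodeSignature will no longer report `Valid`, but the serial still identifies the signer, which is what matters for attribution. The hash check only catches the three published samples; the extension and certificate checks are the ones that generalise to samples not yet listed.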


Read more: https://asec.ahnlab.com/en/88132/