Case of Larva-25004 Group (Related to Kimsuky) Exploiting Additional Certificate – Malware Signed with Nexaweb Certificate
AhnLab SEcurity intelligence Center (ASEC) has discovered malware signed with the certificate of Nexaweb Inc. while investigating a file with the same characteristics as the one signed with a Korean company’s certificate. Other security companies have reported these malware samples in connection with the activities of the Kimsuky group.
AhnLab is tracking them under the name Larva-25004.
Malware Signed with the Nexaweb Certificate
Two files were discovered, and their MD5 hash values are as follows:
Job Description (LM HR Division II).pdf.scr : 73d2899aade924476e58addf26254c2e
Known as Automation Manager JD(LM HR II).scr: aa8936431f7bc0fabb0b9efb6ea153f9
These files were signed with the Nexaweb certificate (Serial number: 0315e137a6e2d658f07af454c63a0af2) on May 24 and 28, 2024.

When the malware is executed, it displays an employment-related PDF file as bait.

The exact target is unknown, but given the bait document, the malware is likely intended for people interested in working for a defense company.
Nexaweb Certificate Still Unknown
No malware was found in the files signed with the certificate previously used by Nexaweb (Serial number: 28ce4d33e7994c2be95816eea5773ed1).
The certificate used to sign the malware has only been used to sign the two malware files and has not been used to sign any other files. We have contacted Nexaweb to verify whether the certificate is actually theirs, but we have not yet received a response.
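The following triage sketch is an added example, not ASEC's code. It matches file-inventory records against the two MD5 hashes and the signing-certificate serial reported above, leaves the previously used Nexaweb serial unflagged, and separately flags the `.pdf.scr` naming pattern. The record layout, the extension lists, the verdict labels and the sample records are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Indicators copied from the report above.
MALWARE_SERIAL = "0315e137a6e2d658f07af454c63a0af2"
PRIOR_SERIAL = "28ce4d33e7994c2be95816eea5773ed1"  # no malware found under this one
MALWARE_MD5 = {"73d2899aade924476e58addf26254c2e", "aa8936431f7bc0fabb0b9efb6ea153f9"}
# Assumed extension lists, not from the report; extend to suit the environment.
DOC_EXTS = {".pdf", ".doc", ".docx", ".hwp", ".xlsx"}
EXEC_EXTS = {".scr", ".exe", ".com", ".pif"}

def normalize_serial(raw):
    """Strip separators, case, '0x' and leading zeros so tool output formats compare equal."""
    return re.sub(r"[^0-9a-f]", "", (raw or "").lower()).lstrip("0")

def masquerades_as_document(path):
    """True for names such as 'x.pdf.scr': a document extension placed before an executable one."""
    ext = [s.strip().lower() for s in PureWindowsPath(path).suffixes]
    return len(ext) >= 2 and ext[-1] in EXEC_EXTS and ext[-2] in DOC_EXTS

def triage(record):
    """Return (verdict, reasons) for one inventory record: path, md5, signer_serial."""
    reasons = []
    if (record.get("md5") or "").lower() in MALWARE_MD5:
        reasons.append("md5 of reported sample")
    if normalize_serial(record.get("signer_serial")) == normalize_serial(MALWARE_SERIAL):
        reasons.append("signer serial seen only on the malware")
    verdict = "malicious" if reasons else "no_match"
    if masquerades_as_document(record["path"]):
        reasons.append("document name with executable extension")
        verdict = "malicious" if verdict == "malicious" else "suspicious"
    return verdict, reasons

# Constructed inventory records (paths and the repeated-digit MD5s are made up for the example).
SAMPLE = [
    {"path": r"C:\Users\a\Downloads\Job Description (LM HR Division II).pdf.scr",
     "md5": "73D2899AADE924476E58ADDF26254C2E",
     "signer_serial": ":".join(re.findall("..", MALWARE_SERIAL)).upper()},
    {"path": r"C:\Temp\update.exe", "md5": "1" * 32,   # constructed: other file, same certificate
     "signer_serial": "0x" + MALWARE_SERIAL[1:]},       # constructed: leading zero dropped
    {"path": r"C:\Apps\nexaweb\client.exe", "md5": "2" * 32, "signer_serial": PRIOR_SERIAL},
    {"path": r"D:\mail\invoice.pdf.scr", "md5": "3" * 32, "signer_serial": None},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(triage(rec), rec["path"])
```

Matching on the signer serial catches any further file signed with the same certificate even when its hash is new, which the two MD5 values alone would miss.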