Lazarus Threat Group Exploiting Vulnerability of Korean Finance Security Solution – ASEC BLOG

The Lazarus threat group is actively exploiting multiple vulnerabilities in Korean software, including VestCert and TCO!Stream as well as the previously targeted INISAFE CrossWeb EX and MagicLine4NX, to deploy malware and move laterally inside networks. Despite patches and advisories, many systems remain vulnerable because these products do not update automatically, so the fix requires a manual uninstall and reinstall. #Lazarus #VestCert

Keypoints

  • The Lazarus threat group is exploiting vulnerabilities in INISAFE CrossWeb EX and MagicLine4NX, and has expanded to zero-day vulnerabilities in VestCert and TCO!Stream.
  • VestCert is a non-ActiveX web security tool from Yettiesoft, and TCO!Stream is an asset-management product from MLsoft, both widely used in Korea.
  • Attackers use watering hole attacks: when users with vulnerable VestCert versions visit a compromised site, a vulnerability in a third-party library used by VestCert causes PowerShell to execute.
  • Malware downloaded via the VestCert vulnerability includes a backdoor/downloader chain (e.g., loadconf.exe) and is executed to establish control.
  • Internal propagation occurs through the TCO!Stream vulnerability: every TCO!Stream client listens on TCP port 3511, and attacker-generated server command packets sent to that port direct the client to download and execute a malicious file.
  • The vulnerabilities were reported to KISA and vendor patches were issued, but the products do not auto-update, so many deployments still need to be fixed by manual uninstallation and reinstallation.

MITRE Techniques

  • [T1189] Watering Hole – Initial breach via compromised website injection that leads to PowerShell execution. Quote: ‘When users with vulnerable versions of VestCert installed on their Windows systems visit a specific website that has been injected with a malicious script…’
  • [T1059.001] PowerShell – Execution triggered by a VestCert vulnerability: ‘PowerShell is executed due to a third-party library execution vulnerability in the VestCert software.’
  • [T1071.001] Web Protocols – C2 communications whereby PowerShell connects to a C2 server to download and execute malware. Quote: ‘PowerShell then connects to a C2 server to download and execute malware.’
  • [T1571] Non-Standard Port – Internal communication uses a non-standard port (TCP 3511). Quote: ‘the client is always listening to the TCP 3511 port.’
  • [T1105] Ingress Tool Transfer – Command packets instruct the client to download and execute a malicious file from the server. Quote: ‘The threat group, utilizing their own developed malware, generates command packets and sends them to the client. These command packets instruct the client to download and execute the malicious file that the threat group has prepared in advance.’
  • [T1055] Process Injection – Malware execution involves injection as part of Lazarus activity. Quote: ‘Injection/EDR.Lazarus.M10965’

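The TCO!Stream propagation path above has a simple hunting angle: only the TCO!Stream server should ever open connections to agent port 3511, so any other host doing so looks like the attacker's command-packet generator, and the agents it reached are the candidates for a dropped file. The script below is an added example, not code from the ASEC post or from MLsoft. It assumes Zeek-style conn.log rows (tab-separated ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto) and a known address for the site's legitimate TCO!Stream server; the server address and the log rows are constructed for the example.

```python
"""Flag hosts that push TCO!Stream command traffic without being the server.

Added example; not code from the ASEC post or from MLsoft. The conn.log
column layout, the server address and the sample rows are assumptions
constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

TCO_STREAM_PORT = 3511          # TCO!Stream clients always listen here (ASEC post)
KNOWN_SERVERS = {"10.10.0.5"}   # hypothetical legitimate TCO!Stream server


@dataclass(frozen=True)
class Conn:
    ts: float
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    proto: str


def parse_conn_log(text: str) -> list:
    """Parse the assumed conn.log layout, skipping Zeek '#' header lines."""
    conns = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        conns.append(Conn(float(f[0]), f[2], int(f[3]), f[4], int(f[5]), f[6]))
    return conns


def find_rogue_commanders(conns, known_servers=KNOWN_SERVERS) -> dict:
    """Map each non-server originator to the agents it reached on tcp/3511.

    Only the TCO!Stream server should send command packets to agent port
    3511. A workstation doing so behaves like the attacker's packet
    generator, and the agents it connected to are the hosts that may have
    been told to download and run a file.
    """
    rogue = defaultdict(set)
    for c in conns:
        if (c.proto == "tcp" and c.resp_p == TCO_STREAM_PORT
                and c.orig_h not in known_servers):
            rogue[c.orig_h].add(c.resp_h)
    return {h: sorted(a) for h, a in rogue.items()}


# Constructed sample: 10.10.0.5 is the real server; 10.10.1.20 (say, the
# VestCert-infected patient zero) fans out to three agents; tcp/445 is noise.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1700000001.1\tCa\t10.10.0.5\t50001\t10.10.1.20\t3511\ttcp
1700000002.2\tCb\t10.10.0.5\t50002\t10.10.1.21\t3511\ttcp
1700000003.3\tCc\t10.10.1.20\t49152\t10.10.1.21\t3511\ttcp
1700000004.4\tCd\t10.10.1.20\t49153\t10.10.1.22\t3511\ttcp
1700000005.5\tCe\t10.10.1.20\t49154\t10.10.1.23\t3511\ttcp
1700000006.6\tCf\t10.10.1.30\t49155\t10.10.1.40\t445\ttcp
"""

if __name__ == "__main__":
    for host, agents in find_rogue_commanders(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"{host} -> {len(agents)} agent(s) on tcp/3511: {', '.join(agents)}")
```

The baseline is deliberately narrow: it will not fire if the attacker sends the command packets from the TCO!Stream server itself, so pair it with host telemetry on the agents (for example new executables appearing under C:\Packages) rather than relying on the network view alone.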
Indicators of Compromise

  • [File Path] C:\Packages – directory where the distributed file is placed
  • [File Path] C:\Temp\loadconf.exe – example run path of the backdoor downloader
  • [Port] TCP 3511 – port used for TCO!Stream client-server communication
  • [URL] hxxps://www.gongsilbox[.]com/board/bbs.asp – malicious website indicator
  • [URL] hxxp://www.sinae.or[.]kr/sub01/index.asp – malicious URL indicator
  • [File Name] WinSync.dll – malware component downloaded via VestCert vulnerability
  • [File Name] MicrosoftVSA.bin – one of the malware payloads listed
  • [MD5] E73EAB80B75887D4E8DD6DF33718E3A5, BA741FA4C7B4BB97165644C799E29C99, 064D696A93A3790BD3A1B8B76BAAEEF3, 8ADEEB291B48C97DB1816777432D97FD, 67D306C163B38A06E98DA5711E14C5A7, C09B062841E2C4D46C2E5270182D4272 (32-character MD5 digests covering several variants)
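To act on the indicators above they have to be normalized first: the URLs are defanged (hxxp, [.]), the hashes are mixed-case MD5, and C:\Packages is a directory rather than a file. The script below is an added example, not code from the ASEC post. It takes the IoC values from the list above and sweeps a host file inventory and a web-proxy log; the inventory rows and proxy log lines are constructed so the script runs offline (the MD5 in one inventory row is copied from the IoC list to show a hash hit and is not a claim about any real file).

```python
"""Sweep a file inventory and a proxy log against the ASEC IoC list.

Added example; not code from the ASEC post. IoC values are from the list
above; the inventory rows and proxy log lines are constructed.
"""
import ntpath
import re

IOC_MD5 = {h.lower() for h in (
    "E73EAB80B75887D4E8DD6DF33718E3A5", "BA741FA4C7B4BB97165644C799E29C99",
    "064D696A93A3790BD3A1B8B76BAAEEF3", "8ADEEB291B48C97DB1816777432D97FD",
    "67D306C163B38A06E98DA5711E14C5A7", "C09B062841E2C4D46C2E5270182D4272",
)}
IOC_DIRS = {r"c:\packages"}              # dropped files live under this directory
IOC_FILES = {r"c:\temp\loadconf.exe"}    # exact run path of the downloader
IOC_NAMES = {"winsync.dll", "microsoftvsa.bin"}
IOC_URLS_DEFANGED = [
    "hxxps://www.gongsilbox[.]com/board/bbs.asp",
    "hxxp://www.sinae.or[.]kr/sub01/index.asp",
]


def refang(url: str) -> str:
    """hxxp://a[.]b -> http://a.b so the indicator matches live log entries."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


IOC_URLS = {refang(u).lower() for u in IOC_URLS_DEFANGED}


def match_file(path: str, md5: str) -> list:
    """Return the reasons an inventory row matches the IoCs (empty = clean)."""
    p = path.lower()
    reasons = []
    if md5.lower() in IOC_MD5:
        reasons.append("md5")
    if p in IOC_FILES:
        reasons.append("path")
    if any(p.startswith(d + "\\") for d in IOC_DIRS):
        reasons.append("dir")
    if ntpath.basename(p) in IOC_NAMES:
        reasons.append("name")
    return reasons


def match_url(url: str) -> bool:
    return url.lower() in IOC_URLS


def sweep(inventory, proxy_log: str):
    """Apply both matchers; proxy lines are matched token by token."""
    file_hits = {}
    for path, md5 in inventory:
        reasons = match_file(path, md5)
        if reasons:
            file_hits[path] = reasons
    url_hits = [line for line in proxy_log.splitlines()
                if any(match_url(tok) for tok in line.split())]
    return file_hits, url_hits


# Constructed inventory (path, md5) and proxy log for the example.
INVENTORY = [
    (r"C:\Temp\loadconf.exe", "E73EAB80B75887D4E8DD6DF33718E3A5"),   # md5 copied from IoC list
    (r"C:\Packages\update.tmp", "0" * 32),                           # unknown hash, IoC directory
    (r"C:\Users\Public\WinSync.dll", "1" * 32),                      # name match only
    (r"C:\Windows\System32\kernel32.dll", "2" * 32),                 # clean
]
PROXY_LOG = """\
2023-01-10T09:01:12 10.10.1.20 GET https://www.gongsilbox.com/board/bbs.asp 200
2023-01-10T09:01:13 10.10.1.20 GET https://www.gongsilbox.com/css/site.css 200
2023-01-10T09:05:40 10.10.1.22 GET http://www.sinae.or.kr/sub01/index.asp 200
"""

if __name__ == "__main__":
    files, urls = sweep(INVENTORY, PROXY_LOG)
    for path, reasons in files.items():
        print(f"FILE  {path}: {', '.join(reasons)}")
    for line in urls:
        print(f"URL   {line}")
```

A directory or name match on its own (a file under C:\Packages, or any WinSync.dll) is a lead to triage rather than a confirmed detection, since the post gives the full path only as an example; a hash match on the listed MD5s is the strong signal.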

Read more: https://asec.ahnlab.com/en/54195/