Warning for Certification Solution (VestCert) Vulnerability and Update Recommendation
Vulnerable Software and Overview
VestCert is a certification program used while accessing websites, and is a non-ActiveX module developed by the Korean company, Yettiesoft. This program is registered as a Startup Program and will be relaunched by Yettiesoft’s service (Gozi) even if it is terminated. It remains constantly active as a process once it is installed, so it can be exposed to vulnerability attacks. Thus, it needs to be updated to the latest version.
Description of the Vulnerability
This vulnerability was first discovered and reported by AhnLab and the remote code execution vulnerability (RCE) can occur on vulnerable versions of VestCert.
Patch Target and Versions
VestCert versions 2.3.6 – 2.5.29
Vulnerability Exploitation Log (Lazarus)
AhnLab’s ASD (AhnLab Smart Defense) infrastructure confirmed the exploitation of this vulnerability. The threat actor exploited this vulnerability to download and execute their malware.
This malware (winsync.dll) has similar features and appearance as the SCSKAppLink.dll file which was covered in a past post.
Additionally, both files were compiled by exploiting the open-source plugin, NotePad++, and the code routine for string decryption was also the same.
Solution
Users must check their program version by following the steps below and update their program to the latest version.
– Service operator: Replace with the latest version through Yettiesoft
– Service user: If a vulnerable version of VestCert is installed, uninstall and install the latest version
[1] Process Termination
– Must terminate ① Goji → ② VestCert in this order specifically from the Process tab of Task Manager
[2] Uninstall Installed Program
– Check the VestCert version in [Control Panel]-[Programs]-[Programs and Applications] and click “Uninstall”
[3] Reinstall Program
– Reinstall the resolved version of the program by accessing the financial website* you have been using
* Financial websites have different vulnerability patch schedules, so confirmation is required
Detection
Trojan/Win.LazarLoader.C5378117 (2023.02.08.03)
Execution/MDP.Powershell.M1185
[References]
- https://knvd.krcert.or.kr/detailSecNo.do?IDX=5881
- https://atip.ahnlab.com/ti/contents/asec-notes?i=11d64889-76f5-40a5-86d3-8319e1bef763
- https://www.yettiesoft.com/html/support/0502_faq.html
Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.
