Vulnerable Software and Overview
TCO!Stream is an asset management solution developed by the Korean company MLsoft. It consists of a server and a client, and administrators perform asset management work by accessing the server through the console program. TCO!Stream offers various asset management features, and a process runs constantly on the client in order to receive commands from the server. Commands are performed through this process. This management solution is exposed to attacks that exploit the program to execute code remotely, so it must be updated to the most recent version.
Description of the Vulnerability
This vulnerability was first discovered and reported by AhnLab. Vulnerable versions of TCO!Stream are at risk of Remote Code Execution (RCE) attacks.
Patch Target and Versions
TCO!Stream versions 8.0.22.1115 or earlier
Vulnerability Exploitation Log (Lazarus)
During the analysis of a client company’s infiltration case, it was discovered that a threat actor had exploited the TCO!Stream solution to execute their code remotely across multiple PCs and install backdoors.

Solution
Users must check their program version by following the steps below and update their program to the latest version (version 8.0.23.215 or above).
– Service operator: Replace with the latest version through MLsoft
– Service user: Updated automatically when the operator switches to the latest version
[Detection]
Trojan/Win.Agent.C5356408 (2023.01.12.03)
[IOC]
MD5
– e7c9bf8bf075487a2d91e0561b86d6f5
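The version thresholds under "Patch Target and Versions" and "Solution" and the MD5 under [IOC] can be applied to a client inventory as in the following added example, which is not AhnLab's or MLsoft's code. The CSV layout, column names, hostnames and the `file_md5` column (hash of a file collected from the host) are assumptions, as is the four-component numeric version format.

```python
import csv
import io

# Thresholds and hash exactly as stated in the advisory.
LAST_AFFECTED = (8, 0, 22, 1115)
FIRST_FIXED = (8, 0, 23, 215)
IOC_MD5 = {"e7c9bf8bf075487a2d91e0561b86d6f5"}
# Constructed sample inventory: hosts, column names and non-IOC hashes are made up.
SAMPLE_INVENTORY = """host,tcostream_version,file_md5
pc-001,8.0.22.1115,00000000000000000000000000000001
pc-002,8.0.23.215,E7C9BF8BF075487A2D91E0561B86D6F5
pc-003,8.0.22.99,00000000000000000000000000000002
pc-004,8.0.23.10,00000000000000000000000000000003
pc-005,unknown,
"""


def parse_version(text):
    """Return the version as a tuple of four ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify_version(text):
    """Compare per numeric component: as strings, '99' would sort after '1115'."""
    version = parse_version(text)
    if version is None:
        return "unparsed"
    if version <= LAST_AFFECTED:
        return "vulnerable"
    if version >= FIRST_FIXED:
        return "patched"
    # The advisory does not cover builds between the two thresholds.
    return "unconfirmed"


def triage(inventory_csv):
    """Map each host to (version status, True if its file hash matches the IOC)."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        md5 = (row["file_md5"] or "").strip().lower()
        results[row["host"]] = (classify_version(row["tcostream_version"]), md5 in IOC_MD5)
    return results


if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

A host can report a patched version and still match the IOC hash, as pc-002 does in the sample, so the two results are kept separate.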
[References]
- https://knvd.krcert.or.kr/detailSecNo.do?IDX=5881
- http://mlsoft.com/bbs/board.php?bo_table=54_1
- https://atip.ahnlab.com/ti/contents/asec-notes?i=11d64889-76f5-40a5-86d3-8319e1bef763