Vulnerable Software and Overview
TCO!Stream is an asset management solution developed by the Korean company MLsoft. It consists of a server and a client; administrators use the console program to access the server and perform asset management work. TCO!Stream offers various features for asset management, and a process runs constantly on the client to receive commands from the server. Commands are performed through this process. Vulnerable versions of this solution can be exploited to execute code remotely, so it must be updated to the most recent version.
Description of the Vulnerability
This vulnerability was first discovered and reported by AhnLab. Vulnerable versions of TCO!Stream are at risk of Remote Code Execution (RCE) attacks.
Patch Target and Versions
TCO!Stream versions 8.0.22.1115 or earlier
Vulnerability Exploitation Log (Lazarus)
During the analysis of an infiltration case at a client company, it was discovered that a threat actor had exploited the TCO!Stream solution to execute their code remotely across multiple PCs and install backdoors.

Solution
Users must check their program version by following the steps below and update their program to the latest version (versions 8.0.23.215 or above).
– Service operator: Replace with the latest version through MLsoft
– Service user: Updated automatically when the operator switches to the latest version
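The version check above, applied to a whole inventory, as an added example that is not part of the AhnLab advisory or MLsoft's tooling. The CSV layout, column names and host names are constructed assumptions; only the two version thresholds come from this page.

```python
import csv
import io

LAST_VULNERABLE = (8, 0, 22, 1115)  # advisory: this version or earlier is affected
FIRST_FIXED = (8, 0, 23, 215)       # advisory: update to this version or above

# Constructed sample export; column names and hosts are assumptions.
SAMPLE_INVENTORY = """host,tcostream_version
pc-001,8.0.22.1115
pc-002,8.0.23.215
pc-003,8.0.9.3
pc-004,8.0.23.100
pc-005,unknown
pc-006,8.0.24.1
"""


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a.b.c.d."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(text):
    """Map a version string to VULNERABLE, PATCHED or REVIEW."""
    version = parse_version(text)
    if version is None:
        return "REVIEW"      # unparseable value: check the host by hand
    # Compare numerically; as plain strings "8.0.9.3" would sort above "8.0.22.1115".
    if version <= LAST_VULNERABLE:
        return "VULNERABLE"
    if version >= FIRST_FIXED:
        return "PATCHED"
    return "REVIEW"          # between the two builds: the advisory does not say


def triage(csv_text):
    """Return {host: status} for every row of the inventory export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: classify(row["tcostream_version"]) for row in rows}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}\t{status}")
```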
[Detection]
Trojan/Win.Agent.C5356408 (2023.01.12.03)
[IOC]
MD5
– e7c9bf8bf075487a2d91e0561b86d6f5
[References]
- https://knvd.krcert.or.kr/detailSecNo.do?IDX=5881
- http://mlsoft.com/bbs/board.php?bo_table=54_1
- https://atip.ahnlab.com/ti/contents/asec-notes?i=11d64889-76f5-40a5-86d3-8319e1bef763