Warning for Asset Management Program (TCO!Stream) Vulnerability and Update Recommendation

Vulnerable Software and Overview

TCO!Stream is an asset management solution developed by the Korean company, MLsoft. Consisting of a server and a client, administrators can use the console program to perform asset management work by accessing the server. TCO!Stream offers various features for asset management, but there is a process that runs constantly on the client in order to receive commands from the server. Commands are performed through this process. This management solution is exposed to vulnerability attacks that could exploit this program to execute codes remotely, so it must be updated to the most recent version.

Description of the Vulnerability

This vulnerability was first discovered and reported by AhnLab and the vulnerable versions of TCO!Stream are at risk of Remote Code Execution (RCE) vulnerability attacks.

Patch Target and Versions

TCO!Stream versions 8.0.22.1115 or earlier

Vulnerability Exploitation Log (Lazarus)

During the analysis process of a client company’s infiltration case, it was discovered that the TCO!Stream solution was exploited by a threat actor to execute their code remotely through multiple PCs and install backdoors.

Solution

Users must check their program version by following the steps below and update their program to the latest version (versions 8.0.23.215 or above).
– Service operator: Replace with the latest version through MLsoft
– Service user: Updated automatically when the operator switches to the latest version

[Detection]

Trojan/Win.Agent.C5356408 (2023.01.12.03)

[IOC]

MD5
– e7c9bf8bf075487a2d91e0561b86d6f5

[References]

1. https://knvd.krcert.or.kr/detailSecNo.do?IDX=5881
2. http://mlsoft.com/bbs/board.php?bo_table=54_1
3. https://atip.ahnlab.com/ti/contents/asec-notes?i=11d64889-76f5-40a5-86d3-8319e1bef763

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.