Vulnerable Software and Overview
MagicLine4NX is a non-ActiveX joint certificate program developed by the Korean company, Dream Security. Users can use MagicLine4NX to perform logins with a joint certificate and digitally sign transactions. This program is registered as a Startup Program and will be relaunched by a certain service (MagicLine4NXServices.exe) even if it is terminated. It remains constantly active as a process once it is installed, so it can be exposed to vulnerability attacks. Thus, it needs to be updated to the latest version.
Description of the Vulnerability
This vulnerability was first discovered and reported by AhnLab and the remote code execution vulnerability (RCE) can occur on vulnerable versions of MagicLine4NX.
Patch Target and Versions
MagicLine4NX versions 220.127.116.11-18.104.22.168
Vulnerability Exploitation Log (Lazarus)
AhnLab’s ASD (AhnLab Smart Defense) infrastructure confirmed the exploitation of this vulnerability. The threat actor exploited this vulnerability to perform an injection into the svchost.exe process before downloading and executing their malware.
Deletion procedure in the case a vulnerable version of MagicLineNX is installed
- How to check the version
- Go to [My Computer] – [Local Disk(C:\)] – [Program Files(x86)] – [DreamSecurity] – [MagicLine4NX]
- Right click on MagicLine4NX – Properties – Details – Check file version
- How to uninstall the program (select 1)
- [Start] – [System] – [Control Panel] – [Programs and Features] – Select MagicLineNX – Click [Uninstall]
- Go to [My Computer] – [Local Disk(C:\)] – [Program Files(x86)] – [DreamSecurity] – [MagicLine4NX] – Execute MagicLine4NX_Uninstall.exe
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.