Initech Product (INISAFE CrossWEB) Security Update Recommendation

Overview

A security update that patches a vulnerability in Initech’s INISAFE CrossWeb EX V3 has been announced. INISAFE CrossWeb EX V3 is a software program used for electronic financial transactions and financial security certification in the public sector. Various companies and individuals use it for Internet banking, so it is essential for most users to check whether the program is installed on their PC and update it to the latest version following the guide below.

Description

AhnLab Security Emergency response Center (ASEC) has been aware of malicious behaviors by the Lazarus group involving the vulnerable process, and this has been covered once before on the ASEC Blog in April of last year.

To summarize the details confirmed at the time, the malware SCSKAppLink.dll was injected into the inisafecrosswebsvc.exe process, which is the executable file of INISAFE CrossWeb EX V3. It then accessed the malware distribution platform, downloaded a downloader malware with the file name main_top[1].htm to the temporary Internet files folder, and copied it to a specific directory.

  • Download Path: c:\users\<User>\appdata\local\microsoft\windows\inetcache\ie\zlvrxmk3\main_top[1].htm
  • Copy Path: C:\Users\Public\SCSKAppLink.dll

Patch Target and Versions

INISAFE CrossWeb EX V3 versions 3.3.2.41 or earlier

Solution

[1] Service operator: Replace with the latest version through Initech

  • INISAFE CrossWeb EX V3 3.3.2.41

[2] Product user: If a vulnerable version of INISAFE CrossWeb EX V3 is installed on the system, uninstall it and update to the latest version.

  • Check the INISAFE CrossWeb EX V3 version in [Control Panel]-[Programs]-[Programs and Applications] and click “Uninstall”
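
The version check above and the two file paths from the Description can be checked on a host with PowerShell. This is an added example, not tooling from AhnLab or Initech; the `*CrossWeb*` display-name pattern is an assumption, and the script only reports how the installed version relates to 3.3.2.41.

```powershell
# Added example (not from the advisory): report the installed CrossWeb EX version
# and look for the two file artifacts named above. Run elevated to read all profiles.
param(
    [version]$AdvisoryVersion = '3.3.2.41',  # version stated in this advisory
    [string]$NamePattern = '*CrossWeb*'     # assumption: DisplayName contains "CrossWeb"
)

# 1. Installed version from the uninstall registry keys (64-bit, 32-bit, per-user).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern } |
    ForEach-Object {
        $parsed = $null
        $relation = 'not comparable to'
        if ([version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)) {
            if ($parsed -lt $AdvisoryVersion) { $relation = 'older than' }
            elseif ($parsed -gt $AdvisoryVersion) { $relation = 'newer than' }
            else { $relation = 'same as' }
        }
        [pscustomobject]@{ Check = 'InstalledVersion'; Item = $_.DisplayName
                           Detail = "$($_.DisplayVersion) ($relation $AdvisoryVersion)" }
    }

# 2. Copy path given in the advisory.
$hits = @()
$copyPath = 'C:\Users\Public\SCSKAppLink.dll'
if (Test-Path -LiteralPath $copyPath) { $hits += Get-Item -LiteralPath $copyPath -Force }

# 3. Download path: the cache subfolder (zlvrxmk3 in the advisory) varies per host,
#    so search each profile's INetCache\IE tree for the literal file name.
foreach ($userDir in Get-ChildItem -LiteralPath 'C:\Users' -Directory -Force -ErrorAction SilentlyContinue) {
    $ieCache = Join-Path $userDir.FullName 'AppData\Local\Microsoft\Windows\INetCache\IE'
    if (Test-Path -LiteralPath $ieCache) {
        $hits += @(Get-ChildItem -LiteralPath $ieCache -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -eq 'main_top[1].htm' })  # -eq avoids [1] being a wildcard
    }
}

# A name match is only a lead; record hash and timestamp for follow-up scanning.
$found = $hits | ForEach-Object {
    $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    [pscustomobject]@{ Check = 'FileArtifact'; Item = $_.FullName
                       Detail = "SHA256=$hash Modified=$($_.LastWriteTime.ToString('s'))" }
}
@($installed) + @($found) | Format-Table -AutoSize -Wrap
```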

  

Detection Information

[File Detection] 

  • Data/BIN.Encoded
  • Downloader/Win.LazarAgent
  • Downloader/Win.LazarShell
  • HackTool/Win32.Scanner
  • Infostealer/Win.Outlook
  • Trojan/Win.Agent
  • Trojan/Win.Akdoor
  • Trojan/Win.LazarBinder
  • Trojan/Win.Lazardoor
  • Trojan/Win.LazarKeyloger
  • Trojan/Win.LazarLoader
  • Trojan/Win.LazarPortscan
  • Trojan/Win.LazarShell
  • Trojan/Win.Zvrek
  • Trojan/Win32.Agent

 

[Behavior Detection] 

  • InitialAccess/MDP.Event.M4242

 

URL

http[:]//demo[.]initech[.]com/initech/crosswebex_pack/3[.]3[.]2[.]41/INIS_EX_SHA2_3[.]3[.]2[.]41[.]exe
