Overview
A security update has been announced that patches a vulnerability in Initech’s INISAFE CrossWeb EX V3. INISAFE CrossWeb EX V3 is software used for electronic financial transactions and financial security certification in the public sector. Various companies and individuals use it for Internet banking, so it is essential for most users to check whether the program is installed on their PC and update it to the latest version following the guide below.
Description
AhnLab Security Emergency Response Center (ASEC) has been aware of malicious behavior by the Lazarus group that involves the vulnerable process, and covered it once before on the ASEC Blog in April of last year.
To summarize the details confirmed at the time: the malware SCSKAppLink.dll was injected into inisafecrosswebsvc.exe, the executable of INISAFE CrossWeb EX V3. It then accessed the malware distribution platform, downloaded a downloader malware with the file name main_top[1].htm into the temporary Internet files folder, and copied it to a specific directory.
- Download Path: c:\users\<User>\appdata\local\microsoft\windows\inetcache\ie\zlvrxmk3\main_top[1].htm
- Copy Path: C:\Users\Public\SCSKAppLink.dll
Patch Target and Versions
INISAFE CrossWeb EX V3 versions 3.3.2.41 or earlier
Solution
[1] Service operator: Replace with the latest version through Initech
- INISAFE CrossWeb EX V3 3.3.2.41
[2] Product user: If a vulnerable version of INISAFE CrossWeb EX V3 is installed on the system, uninstall it and install the latest version.
- Check the INISAFE CrossWeb EX V3 version in [Control Panel]-[Programs]-[Programs and Applications] and click “Uninstall”.

- Refer to the following link to install the latest version of INISAFE CrossWeb EX V3 for the corresponding OS.
Windows client (v3.3.2.41_32bit): http://demo.initech.com/initech/crosswebex_pack/3.3.2.41/INIS_EX_SHA2_3.3.2.41.exe
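The version check and the file paths described above can be checked from PowerShell on an endpoint. This is an added example, not code from AhnLab or Initech. It assumes the uninstall entry's DisplayName contains "INISAFE CrossWeb EX", and it treats 3.3.2.41 (the version the Solution section says to install) as the minimum acceptable version.

```powershell
# Added example: triage a Windows host for the version and file artifacts named in this advisory.
# Assumption: the uninstall entry's DisplayName contains "INISAFE CrossWeb EX".
$fixed = [version]'3.3.2.41'   # version the Solution section says to install

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*INISAFE CrossWeb EX*' }

foreach ($app in $installed) {
    $parsed = $null
    if ([version]::TryParse([string]$app.DisplayVersion, [ref]$parsed)) {
        $state = if ($parsed -lt $fixed) { 'UPDATE REQUIRED' } else { 'at or above 3.3.2.41' }
    } else {
        $state = 'version not parseable, check manually'
    }
    '{0} {1}: {2}' -f $app.DisplayName, $app.DisplayVersion, $state
}
if (-not $installed) { 'INISAFE CrossWeb EX V3 not found in the uninstall registry keys' }

# Copy path reported in the advisory.
$copyPath = 'C:\Users\Public\SCSKAppLink.dll'
if (Test-Path -LiteralPath $copyPath) {
    $hash = (Get-FileHash -LiteralPath $copyPath -Algorithm SHA256).Hash
    "FOUND $copyPath SHA256=$hash"
}

# Downloaded file name reported in the advisory. The cache subfolder name varies,
# so every profile's INetCache\IE tree is searched. -eq compares the name literally,
# so the brackets in the file name are not treated as a wildcard.
Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $cache = Join-Path $_.FullName 'AppData\Local\Microsoft\Windows\INetCache\IE'
    if (Test-Path -LiteralPath $cache) {
        Get-ChildItem -LiteralPath $cache -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -eq 'main_top[1].htm' } |
            ForEach-Object { "FOUND $($_.FullName)" }
    }
}
```

Run it from an elevated prompt so that other users' profile folders are readable. A FOUND line is a lead to compare against the IOC list in the earlier ASEC Blog post, not a verdict on its own.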
Detection Information and IOC
[File Detection]
- Data/BIN.Encoded
- Downloader/Win.LazarAgent
- Downloader/Win.LazarShell
- HackTool/Win32.Scanner
- Infostealer/Win.Outlook
- Trojan/Win.Agent
- Trojan/Win.Akdoor
- Trojan/Win.LazarBinder
- Trojan/Win.Lazardoor
- Trojan/Win.LazarKeyloger
- Trojan/Win.LazarLoader
- Trojan/Win.LazarPortscan
- Trojan/Win.LazarShell
- Trojan/Win.Zvrek
- Trojan/Win32.Agent
[Behavior Detection]
- InitialAccess/MDP.Event.M4242
The related IOC can be viewed in the past ASEC Blog post mentioned above.