Initech Product (INISAFE CrossWEB) Security Update Recommendation

Overview

A security update to patch the vulnerability of Initech’s INISAFE CrossWeb EX V3 has been announced. INISAFE CrossWeb EX V3 is a software program used for electronic financial transactions and financial security certification in the public sector. It is used by various companies and individuals for Internet banking, so it is essential for most users to check if the program is installed on their PC and update it to the latest version following the guide below.


Description

AhnLab Security Emergency response Center (ASEC) has been aware of malicious behaviors related to vulnerability processes being carried out by the Lazarus group, and this has been covered once before through the ASEC Blog in April of last year.

To summarize the details confirmed at the time, the malware SCSKAppLink.dll was injected into the inisafecrosswebsvc.exe process, which is the executable file of INISAFE CrossWeb EX V3. It then accessed the malware distribution platform, downloaded a downloader malware with the file name main_top[1].htm to the Internet temporary files folder, before copying it to a specific directory.

  • Download Path: c:\users\<User>\appdata\local\microsoft\windows\inetcache\ie\zlvrxmk3\main_top[1].htm
  • Copy Path: C:\Users\Public\SCSKAppLink.dll


Path Target and Versions

INISAFE CrossWeb EX V3 versions 3.3.2.41 or earlier


Solution

[1] Service operator: Replace with the latest version through Initech

  • INISAFE CrossWeb EX V3 3.3.2.41

[2] Product user: If a vulnerable version of INISAFE CrossWeb EX V3 is installed on the system, uninstall it and update to the recent version.

  • Check the INISAFE CrossWeb EX V3 version in [Control Panel]-[Programs]-[Programs and Applications] and click “Uninstall”

 

Detection Information and IOC

[File Detection]

  • Data/BIN.Encoded
  • Downloader/Win.LazarAgent
  • Downloader/Win.LazarShell
  • HackTool/Win32.Scanner
  • Infostealer/Win.Outlook
  • Trojan/Win.Agent
  • Trojan/Win.Akdoor
  • Trojan/Win.LazarBinder
  • Trojan/Win.Lazardoor
  • Trojan/Win.LazarKeyloger
  • Trojan/Win.LazarLoader
  • Trojan/Win.LazarPortscan
  • Trojan/Win.LazarShell
  • Trojan/Win.Zvrek
  • Trojan/Win32.Agent

[Behavior Detection]

  • InitialAccess/MDP.Event.M4242

The related IOC can be viewed in the past ASEC Blog post mentioned above.

    Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ for detailed analysis information.

    The post Initech Product (INISAFE CrossWEB) Security Update Recommendation appeared first on ASEC BLOG.

    Article Link: https://asec.ahnlab.com/en/50910/