Warning for MagicLine4NX (Certificate Solution) Vulnerability and Update Recommended

Malware Analysis
1

Vulnerable Software and Overview

MagicLine4NX is a non-ActiveX joint certificate program developed by the Korean company, Dream Security. Users can use MagicLine4NX to perform logins with a joint certificate and digitally sign transactions. This program is registered as a Startup Program and will be relaunched by a certain service (MagicLine4NXServices.exe) even if it is terminated. It remains constantly active as a process once it is installed, so it can be exposed to vulnerability attacks. Thus, it needs to be updated to the latest version.

Description of the Vulnerability

This vulnerability was first discovered and reported by AhnLab and the remote code execution vulnerability (RCE) can occur on vulnerable versions of MagicLine4NX.

Patch Target and Versions

MagicLine4NX versions 1.0.0.1-1.0.0.26

Vulnerability Exploitation Log (Lazarus)

AhnLab’s ASD (AhnLab Smart Defense) infrastructure confirmed the exploitation of this vulnerability.  The threat actor exploited this vulnerability to perform an injection into the svchost.exe process before downloading and executing their malware.

Figure 1. Vulnerability log from ASD

Solution

Deletion procedure in the case a vulnerable version of MagicLineNX is installed

  • How to check the version
    • Go to [My Computer] – [Local Disk(C:\)] – [Program Files(x86)] – [DreamSecurity] – [MagicLine4NX]
    • Right click on MagicLine4NX – Properties – Details – Check file version
Figure 2. Checking the MagicLine4NX version
  • How to uninstall the program (select 1)
    • [Start] – [System] – [Control Panel] – [Programs and Features] – Select MagicLineNX – Click [Uninstall]
    • Go to [My Computer] – [Local Disk(C:\)] – [Program Files(x86)] – [DreamSecurity] – [MagicLine4NX] – Execute MagicLine4NX_Uninstall.exe

[Detection]

Injection/MDP.Lazarus.M4503

[References]

  1. https://knvd.krcert.or.kr/detailSecNo.do?IDX=5887
  2. https://atip.ahnlab.com/ti/contents/security-advisory?i=f11a94eb-ac24-4feb-9552-3af49c8e6afd
  3. https://atip.ahnlab.com/ti/contents/issue-report/forensic?i=ab4b6510-f7b0-46ef-9cd3-3489348b2de4

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Warning for MagicLine4NX (Certificate Solution) Vulnerability and Update Recommended appeared first on ASEC BLOG.

Article Link: https://asec.ahnlab.com/en/50606/