Supply chain attack abusing Veraport: how should general users respond?

Attackers abused a software deployment tool widely used by financial organizations and the public sector to spread malware.
Users running version 3.8.5.0 are advised to remove it and install the new version.

Saturday, 21 November 2020, 15:50 GMT

A supply chain attack is a technique in which malicious applications disguised as ordinary software are delivered to a customer’s computer by compromising the software installation and update delivery stage of a vendor. To deliver a code-modified update to a user’s computer, the attacker either gains access to the vendor’s update server or targets the client installed on the user’s PC so that it fetches malicious software and updates from an unauthorized server.

A supply chain attack has occurred in Korea that appears to be the work of Lazarus, a North Korean hacking group. The intruder attempted to spread malicious software through the integrated installation platform ‘VeraPort’, which is mainly used in the domestic financial sector.

Veraport is a web-based installation platform used on the homepages of domestic financial companies and public institutions. It installs and manages, in one go, the security applications and plug-ins that each organization and institution has chosen for the user’s PC. Because an organization can deploy many kinds of security plug-ins at once, Veraport reduces drop-off during the onboarding stage and simplifies management. For this reason, anyone who has used Internet banking or Government 24 on a PC at least once is very likely to have it installed.

According to security company ESET, the intruder used security tools and certificates that had been leaked through earlier hacks. Veraport checks each program’s code-signing certificate during delivery to confirm that it is legitimate software. To defeat this check, the intruder used code-signing certificates leaked from Alexis Security Community and the US branch of Dream Security. When a user visits a particular site prepared by the intruder (such as a financial phishing site), Veraport installs the modified malware named MaginLineNPIZ.exe and Delfine.exe.

The malware installed on the user’s PC connects to a command-and-control server to fetch additional commands and leaks files from the user’s PC. The command-and-control servers mostly use Korean domains such as or.kr and co.kr, and in particular look-alike names such as ermpas (impersonating Empas) and ikrea (impersonating Ikea).

The Korea Internet & Security Agency (hereinafter KISA) has advised general users to update Veraport to avoid harm from such attacks. According to KISA, security updates have already been distributed to the financial organizations and businesses that have adopted Veraport. The version affected by this attack is 3.8.5.0; if you are using that version, you must delete it. Afterwards, to install the new version, access only the official websites of financial institutions and public agencies.

To check the installed Veraport version and uninstall it, first open the system settings by typing ‘Add/Remove Programs’ in the search box at the bottom of the screen. In the list that appears, find an entry such as ‘Veraport (security module management program)’ and select it to see the installed version. The name or icon may differ somewhat by edition, but if the version is 3.8.5.0 or lower, it must be removed without delay.
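For administrators who need to run the same check on many PCs, the version lookup above can be scripted. This is an added example, not code from the article, from KISA or from the Veraport vendor; it assumes the product registers an Add/Remove Programs entry whose name contains ‘Veraport’ and a parseable DisplayVersion.

```powershell
# Added example (not from the article, KISA or the vendor): find Veraport in the
# Windows uninstall registry keys and report whether the installed version is
# 3.8.5.0 or lower, i.e. the version the article says must be removed.
$AffectedVersion = [version]'3.8.5.0'
$NamePattern     = 'Veraport'   # assumption: the entry name contains this string

# Uninstall entries for 64-bit, 32-bit (WOW6432Node) and per-user installs.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-VeraportStatus {
    $entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$NamePattern*" }

    foreach ($e in $entries) {
        # DisplayVersion may be missing or not parse as a version; report that
        # as "unknown" rather than silently treating it as safe.
        $parsed = $null
        $isVersion = [version]::TryParse([string]$e.DisplayVersion, [ref]$parsed)
        if (-not $isVersion) {
            $state = 'UNKNOWN version - check manually'
        } elseif ($parsed -le $AffectedVersion) {
            $state = 'AFFECTED - remove, then reinstall from an official site'
        } else {
            $state = 'OK'
        }
        [pscustomobject]@{
            DisplayName     = $e.DisplayName
            DisplayVersion  = $e.DisplayVersion
            Status          = $state
            UninstallString = $e.UninstallString   # shown so an operator can remove it
        }
    }
}

$status = Get-VeraportStatus
if (-not $status) {
    Write-Output "No Add/Remove Programs entry matching '$NamePattern' was found."
} else {
    $status | Format-Table -AutoSize
}
```

The script only reports; removal is left to the operator, using the listed UninstallString or the Add/Remove Programs dialog described above.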