VeraPort (WIZVERA) - isotope¹³

Incident Summary

VeraPort plugin pushed malware South Korea.

VeraPort, an integrated installation program by WIZVERA, commonly used in South Korea for secure access to government and financial websites, was abused. Its browser plugin mechanism was compromised or leveraged to prompt users to install malware, sometimes signed with stolen digital certificates, effectively turning a trusted security tool into a malware distribution vector. One of the key English-language references detailing this attack is no longer accessible.

Date: 2020-11-01 to 2020-12-31
Category: Commercial
Target Surface: Distribution
Insertion Phase: distribution
Impact: Backdoor
Cause: Compromised update/plugin mechanism

What Was Affected

Package VeraPort (WIZVERA)

LanguageVarious

ComponentApplication

Artifact typebinary archive

Domain typeproject download host

Domain wizvera.com

Compromised Versions

Various versions active during the compromise period

Incident Context

Motive: Espionage
Attribution: Cybercriminal Gang
Transitive: No
Observed Duration: 60 days

Evidence

Compromised Artifacts

VeraPort software from wizvera.com, whose plugin update mechanism was abused to distribute malware to users in South Korea during late 2020.

Current Artifacts and Analysis

https://blog.alyac.co.kr/3547 (Korean - details VeraPort related malware distribution)

Source Data

Source record: proprietary/veraport/meta.yaml