SecurityWeek

North Korean Hackers Hijack Antivirus Updates for Malware Delivery

A North Korea-linked threat actor hijacked the update mechanism of eScan antivirus to deploy backdoors and cryptocurrency miners.

A threat actor linked to North Korean advanced persistent threat (APT) actor Kimsuky has been observed hijacking the update mechanism of the eScan antivirus for malware delivery, Avast reports.

As part of the malware operation, referred to as GuptiMiner, the threat actor exploited a vulnerability in the eScan antivirus update mechanism and performed a man-in-the-middle (MitM) attack to replace the legitimate update package with a malicious one. eScan is a brand of India-based MicroWorld.

Once the antivirus unpacks and loads the malicious payload, a DLL is sideloaded to continue the infection chain, which involves multiple shellcodes and intermediary loaders. After being notified of the attacks last year, eScan told Avast that it had addressed the issue and hardened the update mechanism.

GuptiMiner, which has been around since at least 2018, is a sophisticated suite of malicious tools designed to deploy two backdoors on corporate networks: an enhanced build of PuTTY Link and a multi-modular threat that can install payloads and perform other actions based on received commands. An XMRig miner is also delivered as part of the operation.

“GuptiMiner isn’t merely another malware. It’s an orchestrated suite of malicious tools and cryptocurrency miners, designed to breach and lurk within large corporate networks. This operation is a masterclass in stealth and versatility,” Avast notes.

While one of the backdoors searches for vulnerabilities in older systems on the network to enable lateral movement over SMB, the other one searches for private keys and cryptocurrency wallets, and allows the attackers to deploy additional malicious components.

According to Avast, the earliest identified GuptiMiner sample is dated April 2018. Newer iterations contain several new functions and the installation mechanism has been modified entirely over time.

To intercept eScan’s requests for updates and deliver GuptiMiner instead, the threat actor exploited the lack of HTTPS encryption on the update channel and performed an MitM attack, likely using a tool previously deployed on the victim’s device or network.


The malicious package delivered via the hijacked update contains a malicious DLL that is sideloaded by the antivirus and which is launched every time eScan runs. If a mutex is not found on the system, the malware then injects the next stage into a services.exe process.

GuptiMiner can manipulate the command line of the current process and can turn off Windows Defender. It creates a scheduled task, adds a root certificate to Windows’ store so it can use self-signed binaries, stores payloads in registry keys, and deploys the final payload during the system shutdown process.

The malware, Avast says, also uses an orchestrator to control the actions of the backdoors and XMRig miner, packs several anti-VM and anti-debugging tricks, extracts payloads from innocent-looking images, and performs DNS requests to the attackers’ servers.

Avast says it continues to observe new GuptiMiner infections, even though eScan has implemented a mechanism to reject non-signed binaries and has switched to using HTTPS for client interaction with the update servers.

“According to our telemetry, we continue to observe new infections and GuptiMiner builds within our userbase. This may be attributable to eScan clients on these devices not being updated properly,” Avast concludes.
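The hardening described above, rejecting unsigned packages and anchoring trust in a key pinned in the client rather than in the transport, as an added example that is not eScan's or Avast's code. It assumes a simplified manifest format in which the vendor signs the package's SHA-256 digest with Ed25519; the key pair, package bytes and manifest are constructed inline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdateManifest is a constructed, simplified manifest: the SHA-256 digest of
// the package plus the vendor's Ed25519 signature over that digest.
type UpdateManifest struct {
	PackageSHA256 [32]byte
	Signature     []byte
}

var ErrUnsigned = errors.New("update rejected: missing signature")
var ErrBadSignature = errors.New("update rejected: signature does not verify")
var ErrDigestMismatch = errors.New("update rejected: package digest mismatch")

// SignPackage models the vendor side: hash the package and sign the digest.
func SignPackage(priv ed25519.PrivateKey, pkg []byte) UpdateManifest {
	digest := sha256.Sum256(pkg)
	return UpdateManifest{PackageSHA256: digest, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyUpdate is the client-side check that must run before a downloaded
// package is unpacked or any DLL from it is loaded. The public key is pinned
// in the client, so replacing the package on the download path does not help
// an attacker who cannot also produce a signature under the vendor's key.
func VerifyUpdate(pinned ed25519.PublicKey, m UpdateManifest, pkg []byte) error {
	if len(m.Signature) == 0 {
		return ErrUnsigned
	}
	if !ed25519.Verify(pinned, m.PackageSHA256[:], m.Signature) {
		return ErrBadSignature
	}
	if got := sha256.Sum256(pkg); !bytes.Equal(got[:], m.PackageSHA256[:]) {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed vendor key pair
	genuine := []byte("constructed genuine update package")
	m := SignPackage(priv, genuine)
	fmt.Println("genuine:", VerifyUpdate(pub, m, genuine))
	// A package swapped in transit, with the original manifest, fails the digest check.
	fmt.Println("swapped:", VerifyUpdate(pub, m, []byte("constructed swapped package")))
}
```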

Related: Stealthy Cyberespionage Campaign Remained Undiscovered for Two Years

Related: North Korean Hackers Developing Malware in Dlang Programming Language

Related: US Sanctions North Korean Cyberespionage Group Kimsuky

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
