Unveiling GuptiMiner: How the Malware Spread Through eScan Antivirus Updates

Experts at Avast discovered that North Korean hackers used the update mechanism of the Indian antivirus eScan to distribute the GuptiMiner malware, which they used to install backdoors in large corporate networks and deliver cryptocurrency miners.

Researchers describe GuptiMiner as a “highly sophisticated threat” capable of executing DNS queries to malicious servers, extracting payloads from images, signing its payloads, and performing DLL sideloading.

The authors of GuptiMiner used Man-in-the-Middle (MitM) attacks to intercept legitimate antivirus update packages (which had been delivered via HTTP since at least 2019) and replace them with a malicious file named updll62.dlz. This file contained necessary antivirus database updates as well as the GuptiMiner malware (in the form of a DLL file named version.dll).

Avast researchers were unable to determine how exactly the attackers managed the interception. It is assumed that the target networks were likely compromised in advance to redirect the traffic to the attackers.

After receiving the eScan update, the package was processed normally, unpacked, and executed. During this stage, DLL sideloading with legitimate eScan binaries occurred, ultimately granting the malware system-level privileges.

Subsequently, the DLL received additional payloads from the attackers’ infrastructure, persisted on the host through scheduled tasks, manipulated DNS, injected shellcode into legitimate processes, utilized code virtualization, stored encrypted XOR payloads in the Windows registry, and extracted PE from PNG files.

Additionally, GuptiMiner checked if the infected system had a processor with four or more cores, and 4 GB of RAM (to evade sandboxes), and detected the presence of Wireshark, WinDbg, TCPView, 360 Total Security, Huorong Internet Security, Process Explorer, Process Monitor, and OllyDbg. Protective products from AhnLab and Cisco Talos were also deactivated on the infected machine if running, and certain infection chains hid malicious code in images to make detection more difficult.

Avast researchers believe that GuptiMiner may be linked to the North Korean APT group Kimsuki. This assumption is based on the similarity between data theft and keylogging features with Kimsuky, as well as the use of the domain mygamesonline[.]org, which is frequently used in the group’s operations.

It is reported that hackers used GuptiMiner to deploy various malware in victim systems, including two different backdoors and the XMRig miner.

The first backdoor is an enhanced version of Putty Link, inserted into corporate systems to scan the local network for vulnerable systems and pivot points for lateral movement. This backdoor specifically targets systems running Windows 7 and Windows Server 2008, compromising them using SMB traffic tunneling.

The second backdoor is a complex modular malware that scans the host for stored private keys and cryptocurrency wallet data, as well as creates a registry key indicating scan completion to avoid “noisy” rescans. This backdoor can receive commands from its operators to install additional modules in the registry, further expanding its capabilities.

As mentioned earlier, in many cases, the attackers also installed the XMRig miner, but researchers believe it could be an attempt to divert attention from the main attack.

Avast specialists state that they have informed eScan developers and the Indian CERT about the issue, and the antivirus vendor confirmed that the threat has been mitigated.

eScan also mentioned that the last similar notification was received in 2019. In 2020, the manufacturer implemented a more robust verification mechanism to ensure that unsigned binaries are rejected. Additionally, in recent eScan implementations, updates are downloaded via HTTPS.

However, Avast warns that they continue to record new cases of GuptiMiner infections, which may indicate the use of outdated eScan clients.

0 / 5

Your page rank:

Subscribe: YouTube page opens in new windowLinkedin page opens in new windowTelegram page opens in new window

Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment