North Korean Hackers Hijack Antivirus Updates for Malware Delivery

A North Korea-linked threat actor hijacked the update mechanism of eScan antivirus to deploy backdoors and cryptocurrency miners.

A threat actor linked to North Korean advanced persistent threat (APT) actor Kimsuky has been observed hijacking the update mechanism of the eScan antivirus for malware delivery, Avast reports.

As part of the malware operation, referred to as GuptiMiner, the threat actor exploited a vulnerability in the eScan antivirus update mechanism and performed a man-in-the-middle (MitM) attack to replace the legitimate update package with a malicious one. eScan is a brand of India-based MicroWorld.

Once the antivirus unpacks and loads the malicious payload, a DLL is sideloaded to continue the infection chain, which involves multiple shellcodes and intermediary loaders. After being notified of the attacks last year, eScan told Avast that it had addressed the issue and hardened the update mechanism.

GuptiMiner, which has been around since at least 2018, is a sophisticated suite of malicious tools designed to deploy two backdoors on corporate networks: an enhanced build of PuTTY Link and a multi-modular threat that can install payloads and perform other actions based on received commands. An XMRig miner is also delivered as part of the operation.

“GuptiMiner isn’t merely another malware. It’s an orchestrated suite of malicious tools and cryptocurrency miners, designed to breach and lurk within large corporate networks. This operation is a masterclass in stealth and versatility,” Avast notes.

While one of the backdoors searches for vulnerabilities in older systems on the network to enable lateral movement over SMB, the other one searches for private keys and cryptocurrency wallets, and allows the attackers to deploy additional malicious components.

According to Avast, the earliest identified GuptiMiner sample is dated April 2018. Newer iterations contain several new functions and the installation mechanism has been modified entirely over time.

To intercept eScan’s update requests and deliver GuptiMiner instead, the threat actor exploited the absence of HTTPS encryption on the update channel and performed an MitM attack, likely using a tool previously deployed on the victim’s device or network.

The malicious package delivered via the hijacked update contains a malicious DLL that is sideloaded by the antivirus and which is launched every time eScan runs. If a mutex is not found on the system, the malware then injects the next stage into a services.exe process.

GuptiMiner can manipulate the command line of the current process and can turn off Windows Defender. It creates a scheduled task, adds a root certificate to the Windows certificate store so that its self-signed binaries are trusted, stores payloads in registry keys, and deploys the final payload during the system shutdown process.

The malware, Avast says, also uses an orchestrator to control the actions of the backdoors and XMRig miner, packs several anti-VM and anti-debugging tricks, extracts payloads from innocent-looking images, and performs DNS requests to the attackers’ servers.

Avast says it continues to observe new GuptiMiner infections, even though eScan has implemented a mechanism to reject unsigned binaries and has switched to HTTPS for client interaction with the update servers.
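The two fixes eScan describes (TLS-only update transport and rejection of unsigned packages) close the gap the attackers used. The following is an added example, not eScan's or Avast's code, of a minimal hardened update client in Go: it refuses non-HTTPS sources and verifies a detached Ed25519 signature under a pinned publisher key before anything is unpacked. The URL, key scheme and package bytes are constructed for the demo; the page does not describe eScan's actual signing format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// UpdateClient pins the publisher's Ed25519 public key (assumed scheme).
type UpdateClient struct {
	PublisherKey ed25519.PublicKey
}

// ErrPlaintext: a plaintext channel is what let the package be swapped in transit.
var ErrPlaintext = errors.New("update URL must use https")

// ErrBadSignature: the package does not verify under the pinned publisher key.
var ErrBadSignature = errors.New("update package signature invalid")

// CheckUpdateURL rejects any update source that is not served over TLS.
func CheckUpdateURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return ErrPlaintext
	}
	return nil
}

// VerifyPackage fails closed: a swapped or tampered package never reaches the loader.
func (c UpdateClient) VerifyPackage(pkg, sig []byte) error {
	if len(c.PublisherKey) != ed25519.PublicKeySize || !ed25519.Verify(c.PublisherKey, pkg, sig) {
		return ErrBadSignature
	}
	return nil
}

// FetchAndVerify models the hardened flow: TLS-only source, then signature check.
func (c UpdateClient) FetchAndVerify(rawURL string, pkg, sig []byte) error {
	if err := CheckUpdateURL(rawURL); err != nil {
		return err
	}
	return c.VerifyPackage(pkg, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed publisher keypair
	pkg := []byte("constructed update package bytes")
	sig := ed25519.Sign(priv, pkg)
	c := UpdateClient{PublisherKey: pub}
	fmt.Println(c.FetchAndVerify("https://updates.example/pkg.bin", pkg, sig)) // accepted
	fmt.Println(c.FetchAndVerify("http://updates.example/pkg.bin", pkg, sig))  // plaintext rejected
	pkg[0] ^= 1                                                                 // tampered in transit
	fmt.Println(c.FetchAndVerify("https://updates.example/pkg.bin", pkg, sig)) // signature invalid
}
```

Both checks are needed: TLS alone still trusts whatever the server (or a compromised server) sends, and a signature alone still leaks which clients fetch which package over a channel an on-path attacker can observe.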

“According to our telemetry, we continue to observe new infections and GuptiMiner builds within our userbase. This may be attributable to eScan clients on these devices not being updated properly,” Avast concludes.

Related: Stealthy Cyberespionage Campaign Remained Undiscovered for Two Years

Related: North Korean Hackers Developing Malware in Dlang Programming Language

Related: US Sanctions North Korean Cyberespionage Group Kimsuky

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.