April 24, 2024 at 11:15AM
North Korean threat actor Kimsuky exploited eScan antivirus’s update mechanism in a malware operation known as GuptiMiner. This involved a man-in-the-middle attack to deliver a malicious payload, enabling the deployment of backdoors and cryptocurrency miners in corporate networks. Despite eScan’s efforts to address the issue, new GuptiMiner infections persist.
In the recent meeting, it was highlighted that a threat actor linked to the North Korean advanced persistent threat actor Kimsuky has been observed hijacking the update mechanism of eScan antivirus for delivering malware. This operation, known as GuptiMiner, involves exploiting a vulnerability in the eScan antivirus update mechanism and performing a man-in-the-middle attack to replace the legitimate update package with a malicious one. The malware operation includes a sophisticated suite of malicious tools designed to deploy backdoors on corporate networks and install payloads. Avast notes that the operation demonstrates stealth and versatility, with newer iterations containing several new functions and a modified installation mechanism. Despite eScan implementing a mechanism to reject non-signed binaries and switching to using HTTPS for client interaction with the update servers, new GuptiMiner infections continue to be observed. This may be due to eScan clients on these devices not being updated properly.
Additionally, it was pointed out in the meeting that the threat actor exploited a missing HTTPS encryption and performed a man-in-the-middle attack to intercept eScan’s requests for updates and deliver GuptiMiner instead. The delivered malicious package contains a malicious DLL sideloaded by the antivirus, which is launched every time eScan runs. The malware can manipulate the command line of the current process, turn off Windows Defender, create a scheduled task, add a root certificate to Windows’ store, store payloads in registry keys, and deploy the final payload during the system shutdown process.
It was also highlighted that Avast continues to observe new GuptiMiner infections, and the operation remains a significant concern for corporate networks.