Hackers hijack antivirus updates to drop GuptiMiner malware

April 23, 2024 at 10:59AM

Hackers, possibly linked to North Korea's Kimsuky group, have abused the eScan antivirus update mechanism to plant backdoors on corporate networks. By interposing on the update download, they substitute malware named GuptiMiner for a genuine update, so it runs with the system-level privileges of the eScan update process. Once running, GuptiMiner issues DNS requests to fetch further stages and extracts payloads hidden in image files. The operators have deployed several tools this way, including backdoors and a cryptocurrency miner. Avast researchers identified the weakness in the update mechanism, disclosed it to eScan, and urged defenders to check their environments for signs of compromise.

The key takeaways from the article are:

1. Hackers, possibly linked to North Korea, exploited the eScan antivirus update mechanism to deliver GuptiMiner and deploy backdoors on corporate networks.
2. GuptiMiner is a sophisticated, multi-stage threat: it retrieves further stages via DNS requests, loads components through DLL sideloading, and extracts payloads hidden in image files.
3. The attackers may be linked to the North Korean APT group Kimsuky; through GuptiMiner they deployed several payloads, including backdoors and the XMRig Monero miner.
4. eScan has implemented fixes and hardened its update mechanism, but new GuptiMiner infections are still being observed, most likely on hosts running outdated eScan clients that have not received the fixed updater.
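
The root cause the article describes is an update client that loads whatever bytes arrive on the update channel, so anyone who can tamper with the download can substitute their own package. The Go program below is an added example, not code from the article, from Avast, or from eScan, and it does not describe eScan's actual fix: it assumes a detached Ed25519 signature over the package with the vendor's public key pinned in the client, and it uses constructed placeholder bytes for the genuine and hijacked packages. It shows the weak updater loading a swapped package and the hardened updater rejecting it while still accepting the vendor's own package.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdateBundle is what the client downloads: the update package plus a
// detached signature the vendor produced over it in its release pipeline.
// (Assumed scheme for this example; eScan's real update format is not shown on the page.)
type UpdateBundle struct {
	Package   []byte
	Signature []byte
}

// SignPackage stands in for the vendor's release signing step. The private
// key stays with the vendor; only the public key is pinned into the client.
func SignPackage(vendorPriv ed25519.PrivateKey, pkg []byte) UpdateBundle {
	return UpdateBundle{Package: pkg, Signature: ed25519.Sign(vendorPriv, pkg)}
}

// InsecureUpdater is the weak pattern: whatever bytes arrive over the update
// channel are treated as the update and handed straight to the loader.
func InsecureUpdater(b UpdateBundle) ([]byte, error) {
	return b.Package, nil // no origin or integrity check at all
}

// SecureUpdater is the hardened form: the package is loaded only if its
// detached signature verifies under the vendor key compiled into the client.
func SecureUpdater(vendorPub ed25519.PublicKey, b UpdateBundle) ([]byte, error) {
	if len(vendorPub) != ed25519.PublicKeySize {
		return nil, errors.New("updater misconfigured: no pinned vendor key")
	}
	if len(b.Signature) != ed25519.SignatureSize {
		return nil, errors.New("update rejected: malformed signature")
	}
	if !ed25519.Verify(vendorPub, b.Package, b.Signature) {
		return nil, errors.New("update rejected: signature does not verify under pinned vendor key")
	}
	return b.Package, nil
}

// OnPathSwap models an attacker between the client and the update server.
// On an unauthenticated channel the body can be replaced without any key;
// whatever signature was transmitted is simply left in place.
func OnPathSwap(b UpdateBundle, malicious []byte) UpdateBundle {
	return UpdateBundle{Package: malicious, Signature: b.Signature}
}

// Outcome records what each updater did with the genuine and hijacked bundles.
type Outcome struct {
	InsecureLoadedHijacked bool // weak updater accepted the swapped package
	SecureLoadedGenuine    bool // hardened updater accepted the vendor package
	SecureRejectedHijacked bool // hardened updater refused the swapped package
}

// Simulate runs one genuine and one hijacked update through both updaters.
// The package contents are constructed placeholders, not real update files.
func Simulate() (Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	genuine := []byte("vendor update package (constructed sample)")
	hijacked := []byte("attacker DLL swapped into the update path (constructed sample)")

	fromVendor := SignPackage(vendorPriv, genuine)
	fromAttacker := OnPathSwap(fromVendor, hijacked)

	var out Outcome
	if got, _ := InsecureUpdater(fromAttacker); bytes.Equal(got, hijacked) {
		out.InsecureLoadedHijacked = true
	}
	if got, err := SecureUpdater(vendorPub, fromVendor); err == nil && bytes.Equal(got, genuine) {
		out.SecureLoadedGenuine = true
	}
	if _, err := SecureUpdater(vendorPub, fromAttacker); err != nil {
		out.SecureRejectedHijacked = true
	}
	return out, nil
}

func main() {
	out, err := Simulate()
	if err != nil {
		panic(err)
	}
	fmt.Printf("insecure updater loaded hijacked package: %v\n", out.InsecureLoadedHijacked)
	fmt.Printf("secure updater loaded genuine package:    %v\n", out.SecureLoadedGenuine)
	fmt.Printf("secure updater rejected hijacked package: %v\n", out.SecureRejectedHijacked)
}
```

Transport encryption alone does not close this gap: it stops an on-path swap but not a compromised mirror or CDN, which is why the check above is on a vendor signature pinned in the client rather than on the channel. A signature check by itself also does not prevent replay of an older, still validly signed package, so a production updater should additionally sign and enforce a monotonically increasing version or timestamp.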

Practical follow-ups for defenders: confirm that eScan clients are up to date and receiving updates through the fixed mechanism, and hunt for the behaviours listed above, in particular unexpected DNS requests originating from the eScan update process, DLLs sideloaded alongside eScan binaries, and XMRig mining activity.