April 24, 2024 at 03:51AM
A new malware campaign, called GuptiMiner, is abusing the update mechanism of the eScan antivirus software to distribute backdoors and cryptocurrency miners, targeting large corporate networks. The campaign is linked to the North Korean hacking group Kimsuky. The malware uses sophisticated techniques and has evaded detection for at least five years. The targets and impact of the campaign are still unclear.
The report details a new malware campaign that uses the eScan antivirus software to distribute backdoors and cryptocurrency miners. The campaign, codenamed GuptiMiner, appears to have connections to the North Korean hacking group known as Kimsuky. The malware uses an elaborate infection chain that exploits a security flaw in eScan's update mechanism; the chain involves DNS requests to attacker-controlled servers, sideloading, and extraction of payloads from images, among other techniques. It also deploys rogue DLLs, a multi-stage loading sequence, and a third-stage component named Puppeteer to carry out its operations. Finally, the XMRig cryptocurrency miner and backdoors are installed on infected systems. The campaign has been associated with various stealth techniques and toolsets used by the group. Its targets appear to include large corporate networks and possibly the defense sector.