
Hackers Utilize Antivirus Update Mechanism to Deploy GuptiMiner Malware

North Korean hackers have been abusing the update mechanism of the eScan antivirus to infiltrate major corporate networks and distribute cryptocurrency miners via the GuptiMiner malware, according to researchers.

GuptiMiner, described as a highly sophisticated threat, possesses capabilities such as performing DNS requests to the attacker's DNS servers, extracting payloads from images, signing its payloads, and engaging in DLL sideloading.

The delivery of GuptiMiner through eScan updates relies on the threat actor intercepting the normal virus definition update package and substituting it with a malicious one named 'updll62.dlz'. This malicious archive contains both the genuine antivirus updates and the GuptiMiner malware disguised as a DLL named 'version.dll'.

Upon processing the package, the eScan updater unpacks and executes it as usual. At this stage, the DLL is sideloaded by legitimate eScan binaries, granting the malware system-level privileges.

Following this, the DLL retrieves additional payloads from the attacker's infrastructure, establishes persistence on the host through scheduled tasks, manipulates DNS settings, injects shellcode into legitimate processes, utilizes code virtualization, encrypts payloads in the Windows registry, and extracts PEs from PNGs.

To evade sandbox environments, GuptiMiner checks for systems with more than 4 CPU cores and 4GB of RAM, and it also detects the presence of certain security tools such as Wireshark, WinDbg, TCPView, and others, deactivating them if found.

Researchers from Avast suggest a potential link between GuptiMiner and the North Korean APT group Kimsuky, noting similarities in information-stealing functions and the use of common domains.

The hackers deployed multiple malware tools, including enhanced versions of PuTTY Link used as backdoors targeting Windows 7 and Windows Server 2008 systems, and a modular malware designed to scan for private keys and cryptocurrency wallets.

Additionally, the XMRig Monero miner was used in some instances, possibly to divert attention from the primary attack.

Following disclosure of the vulnerability to eScan, the antivirus vendor confirmed that the issue was addressed. eScan has implemented more robust checking mechanisms for updates and transitioned to HTTPS for secure communication with clients.

However, despite these measures, new infections by GuptiMiner persist, potentially indicating outdated eScan clients. A list of GuptiMiner indicators of compromise (IoCs) has been provided to aid defenders in mitigating this threat.
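The root weakness described above is an updater that unpacks and executes whatever package arrives, so a substituted 'updll62.dlz' is accepted. The following Go program is an added illustration of the defensive control, not eScan's own code: the updater verifies a detached vendor signature over the package name and body with a pinned public key before touching the contents, which rejects a swapped body even when transport is already HTTPS. The package format, key handling and `SignUpdate` helper are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdatePackage models a definition-update bundle like the 'updll62.dlz'
// archive described above: an opaque body the updater would normally unpack
// and execute, plus a detached signature from the vendor. (Constructed format.)
type UpdatePackage struct {
	Name string
	Body []byte
	Sig  []byte
}

// ErrBadSignature means the package does not verify against the pinned vendor
// key; nothing in it may be unpacked, loaded or side-loaded.
var ErrBadSignature = errors.New("update package signature verification failed")

// VerifyUpdate checks the signature over name||0x00||body with the pinned key.
// Binding the name prevents a valid signature being replayed onto a
// differently named package. HTTPS protects the channel; this protects the content.
func VerifyUpdate(pub ed25519.PublicKey, pkg UpdatePackage) error {
	msg := append([]byte(pkg.Name+"\x00"), pkg.Body...)
	if !ed25519.Verify(pub, msg, pkg.Sig) {
		return ErrBadSignature
	}
	return nil
}

// SignUpdate is the hypothetical vendor-side step, used here only to build a
// legitimately signed package for the demonstration.
func SignUpdate(priv ed25519.PrivateKey, name string, body []byte) UpdatePackage {
	msg := append([]byte(name+"\x00"), body...)
	return UpdatePackage{Name: name, Body: body, Sig: ed25519.Sign(priv, msg)}
}

// Demo shows a genuine package verifying and the same package, with its body
// swapped for attacker content as in the interception above, being rejected.
func Demo() (genuineOK bool, tamperedRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := SignUpdate(priv, "updll62.dlz", []byte("constructed definition data"))
	tampered := genuine // same name and signature, different body
	tampered.Body = []byte("constructed definition data plus injected version.dll")
	return VerifyUpdate(pub, genuine) == nil, errors.Is(VerifyUpdate(pub, tampered), ErrBadSignature)
}

func main() {
	ok, rej := Demo()
	fmt.Println("genuine verifies:", ok, "tampered rejected:", rej)
}
```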