Hackers Exploit Antivirus Updates to Deploy GuptiMiner Malware

North Korean hackers have hijacked the updating mechanism of the eScan antivirus software to plant backdoors in major corporate networks and deliver cryptocurrency miners through what is known as GuptiMiner malware. 

Cybersecurity experts describe GuptiMiner as a sophisticated threat capable of multiple malicious activities, including DNS manipulation and extracting payloads from images, among other capabilities.

How Does GuptiMiner Infect Systems?

According to a report by Avast, the hackers intercept the normal virus definition update process from eScan by positioning themselves in the middle of the communication channel, a method known as an adversary-in-the-middle (AitM) attack. 

They substitute the legitimate update file with a tampered one named ‘updll62.dlz,’ which appears normal but contains the GuptiMiner malware disguised as a DLL file called ‘version.dll.’

When the eScan updater processes the package, it unwittingly executes the malware, giving it system-level access. 

The malware then performs several invasive actions, such as fetching additional malicious payloads from the hackers’ servers, establishing persistence on the host through scheduled tasks, and manipulating DNS settings.

The attack chain of GuptiMiner (Source: Avast)

GuptiMiner is designed to operate under the radar, initiating its mining operation only if the system has substantial resources (more than 4 CPU cores and 4GB of RAM). It also deactivates specific security tools and system monitors to avoid detection.

GuptiMiner’s operations and its stealth strategies suggest a sophisticated threat actor is at play, likely linked to the North Korean APT group known as Kimsuky. This connection is drawn from similarities in the tactics, techniques, and procedures (TTPs) used in previous Kimsuky operations.

Secondary Malware Deployed

Aside from deploying GuptiMiner, the attackers also install additional malware to further compromise the security of the affected networks. The first backdoor is a modified version of PuTTY Link that scans for vulnerable systems within the corporate network, seeking out older Windows systems to exploit.

A complex modular malware is the second backdoor, which searches for private keys and cryptocurrency wallets on the host. It can install additional modules to expand its functionality, all controlled via the Windows registry.

The attackers also used the XMRig miner in their campaign, which seems unusual given the sophistication of the other malware tactics used. This could indicate that deploying XMRig might serve as a diversion, drawing attention away from their more strategic activities.

Response and Recommendations

Upon discovery, the vulnerability was reported to eScan, which has since implemented enhanced security measures, including the verification of digital signatures on binaries and secure HTTPS communication for update downloads. However, ongoing reports of infections indicate that some systems may still be running outdated versions of the software.
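As an added illustration of the signature-verification measure described above (example code, not eScan's or Avast's), this Go program shows the check an updater needs so that a package swapped in transit is refused: an Ed25519-signed manifest pins each file's SHA-256, so a substituted updll62.dlz fails the digest check and an unlisted version.dll is refused outright. The manifest format, the all-zero demo key, the payload bytes and the Demo scenarios are constructed assumptions for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest is a hypothetical signed inventory: file name -> hex SHA-256 of its expected contents.
type Manifest struct {
	Files map[string]string `json:"files"`
}
// SignManifest is the vendor-side step (json.Marshal cannot fail for this struct).
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifestJSON, sig []byte) {
	manifestJSON, _ = json.Marshal(m)
	return manifestJSON, ed25519.Sign(priv, manifestJSON)
}
// VerifyUpdate accepts the package only if the manifest is signed by the pinned vendor key
// and every delivered file is listed in it with a matching digest (swapped or extra files fail).
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return fmt.Errorf("manifest unreadable: %w", err)
	}
	for name, data := range files {
		sum := sha256.Sum256(data)
		if want, ok := m.Files[name]; !ok || want != hex.EncodeToString(sum[:]) {
			return fmt.Errorf("%s rejected: not in manifest or digest mismatch", name)
		}
	}
	return nil
}
// Demo: genuine package, package swapped in transit, and a package smuggling in an extra version.dll.
func Demo() (genuine, swapped, extraDLL error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed all-zero demo seed
	pub := priv.Public().(ed25519.PublicKey)
	legit := []byte("constructed legitimate definition update")
	sum := sha256.Sum256(legit)
	mj, sig := SignManifest(priv, Manifest{Files: map[string]string{"updll62.dlz": hex.EncodeToString(sum[:])}})
	genuine = VerifyUpdate(pub, mj, sig, map[string][]byte{"updll62.dlz": legit})
	swapped = VerifyUpdate(pub, mj, sig, map[string][]byte{"updll62.dlz": []byte("attacker-substituted file")})
	extraDLL = VerifyUpdate(pub, mj, sig, map[string][]byte{"updll62.dlz": legit, "version.dll": legit})
	return
}
```

Only the genuine package verifies; an adversary in the middle who can replace the file cannot produce a manifest signature for it without the vendor's private key.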

It is crucial for all eScan users to ensure their software is up to date to avoid falling victim to this malware. Additionally, organizations should consider deploying advanced network monitoring tools to detect and respond to unusual activity indicative of such a compromise.

For cybersecurity teams looking to shield their networks from such threats, check out this comprehensive list of GuptiMiner’s indicators of compromise (IoCs).

Final Word

While GuptiMiner malware initially appears focused on simple tasks like cryptocurrency mining, its sophisticated backdoor capabilities reveal a deeper, strategic threat. Organizations must prioritize cybersecurity vigilance and updates to protect against these multifaceted attacks.

Author: Anas Hasan

Date: April 24, 2024

Anas Hassan is a tech geek and cybersecurity enthusiast. He has a vast experience in the field of digital transformation industry. When Anas isn’t blogging, he watches the football games.