eScan antivirus update mechanism exploited to spread backdoors and miners


A malware campaign has abused the update mechanism of the eScan antivirus software to deliver a long-running threat codenamed GuptiMiner, which deploys backdoors and cryptocurrency miners such as XMRig inside large corporate networks.

Cybersecurity firm Avast said the activity was the work of a threat actor with possible links to a North Korean hacking group nicknamed Kimsuky, also known as Black Banshee, Emerald Sleet and TA427.

“GuptiMiner is a highly sophisticated threat that uses an interesting infection chain along with a couple of techniques that include making DNS requests to the attacker’s DNS servers, performing sideloading, extracting payloads from innocent-looking images, signing its payloads with a custom trusted root anchor certificate authority, among others,” Avast said.

At its core, the elaborate infection chain exploits a weakness in the update mechanism of Indian antivirus vendor eScan to deliver the malware through an adversary-in-the-middle (AitM) attack.


Specifically, updates were hijacked by swapping the package file for a malicious version. This was possible because the update downloads were neither signed nor served over HTTPS, so an attacker positioned on the network path could substitute the file without the client noticing. The problem, which went unnoticed for at least five years, was resolved as of July 31, 2023.
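As an added illustration, not eScan's code and not part of the original report, the following shows the difference between the unsigned download the article describes and an updater that pins a vendor public key and verifies each package before installing it. It uses Go's standard Ed25519 implementation; the key pair, the package bytes and the function names are assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed stand-in for an update package. The real eScan update was a
// DLZ archive fetched over plain HTTP; these bytes are not it.
var samplePackage = []byte("updll62.dlz: constructed sample update payload")

// weakUpdate mirrors the pre-fix behaviour the article describes: the
// client installs whatever the download returned. With no signature and no
// TLS, an adversary-in-the-middle can hand it any file.
func weakUpdate(downloaded []byte) ([]byte, error) {
	return downloaded, nil
}

// signPackage is the vendor-side step (hypothetical): sign the SHA-256 of
// the package with a long-term Ed25519 key that never lives on the update
// server, so compromising the CDN or the transport yields no signing key.
func signPackage(priv ed25519.PrivateKey, pkg []byte) []byte {
	digest := sha256.Sum256(pkg)
	return ed25519.Sign(priv, digest[:])
}

// verifiedUpdate is the client-side step: the public key is pinned in the
// installed binary, so a substituted package or signature is rejected
// regardless of how hostile the network path was.
func verifiedUpdate(pinnedPub ed25519.PublicKey, downloaded, sig []byte) ([]byte, error) {
	if len(pinnedPub) != ed25519.PublicKeySize {
		return nil, errors.New("pinned public key has the wrong size")
	}
	digest := sha256.Sum256(downloaded)
	if !ed25519.Verify(pinnedPub, digest[:], sig) {
		return nil, errors.New("update signature invalid: refusing to install")
	}
	return downloaded, nil
}

func main() {
	// Key generation happens once, at the vendor; it is shown here so the
	// demo runs stand-alone.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := signPackage(priv, samplePackage)

	// Simulate the AitM swap: one byte of the package is changed in transit.
	tampered := append([]byte(nil), samplePackage...)
	tampered[0] ^= 0xff

	if _, err := weakUpdate(tampered); err == nil {
		fmt.Println("weak client: tampered package installed")
	}
	if _, err := verifiedUpdate(pub, tampered, sig); err != nil {
		fmt.Println("hardened client:", err)
	}
	if _, err := verifiedUpdate(pub, samplePackage, sig); err == nil {
		fmt.Println("hardened client: genuine package accepted")
	}
}
```

Signing fixes the substitution problem on its own; HTTPS on top of it prevents an on-path attacker from even reading or delaying the update, but a pinned signature is the control that would have stopped this campaign.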

The rogue DLL (“updll62.dlz”) executed by the eScan software sideloads a second DLL (“version.dll”), triggering a multi-stage sequence that begins with a PNG loader. The loader uses the attacker-controlled DNS servers to locate a command-and-control (C2) server and retrieve a PNG file with shellcode appended to it.

“GuptiMiner hosts its own DNS servers to provide true destination domain addresses of C&C servers via DNS TXT responses,” said researchers Jan Rubín and Milánek.

“Because the malware connects directly to malicious DNS servers, the DNS protocol is completely separate from the DNS network. Therefore, no legitimate DNS server will ever see traffic from this malware.”
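Because this traffic never touches the organisation's own resolvers, resolver query logs are the wrong place to look for it. The following is an added example, not from Avast's report, of the check a defender would run instead: over a constructed, simplified flow-log format and hypothetical internal resolver addresses, flag any DNS-port traffic from an ordinary host to a destination that is not an approved resolver.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Resolvers the organisation actually operates. Hypothetical addresses;
// substitute the real internal resolver IPs.
var approvedResolvers = map[string]bool{
	"10.0.0.53": true,
	"10.0.1.53": true,
}

// Flow is a simplified connection record of the kind a firewall or NetFlow
// collector exports; only the fields the check needs are kept.
type Flow struct {
	Src     string
	Dst     string
	DstPort int
	Proto   string
}

// parseFlow reads one constructed "src dst dst_port proto" line.
func parseFlow(line string) (Flow, error) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return Flow{}, fmt.Errorf("bad flow line: %q", line)
	}
	if net.ParseIP(f[0]) == nil || net.ParseIP(f[1]) == nil {
		return Flow{}, fmt.Errorf("bad address in: %q", line)
	}
	port, err := strconv.Atoi(f[2])
	if err != nil {
		return Flow{}, fmt.Errorf("bad port in: %q", line)
	}
	return Flow{Src: f[0], Dst: f[1], DstPort: port, Proto: strings.ToLower(f[3])}, nil
}

// isRogueDNS flags DNS traffic (53/udp or 53/tcp) from an ordinary host to
// anything other than an approved resolver. Approved resolvers are allowed
// to forward upstream, so flows they originate are skipped. A client that
// talks DNS directly to an external server, as GuptiMiner does, shows up
// here even though the resolvers' own query logs stay empty.
func isRogueDNS(f Flow) bool {
	if f.DstPort != 53 || (f.Proto != "udp" && f.Proto != "tcp") {
		return false
	}
	if approvedResolvers[f.Src] {
		return false
	}
	return !approvedResolvers[f.Dst]
}

// findRogueDNS returns the offending flows; malformed lines are reported
// and skipped rather than silently dropped.
func findRogueDNS(lines []string) ([]Flow, []error) {
	var hits []Flow
	var errs []error
	for _, line := range lines {
		if strings.TrimSpace(line) == "" {
			continue
		}
		f, err := parseFlow(line)
		if err != nil {
			errs = append(errs, err)
			continue
		}
		if isRogueDNS(f) {
			hits = append(hits, f)
		}
	}
	return hits, errs
}

// Constructed sample flows: one legitimate client query, one resolver
// forwarding upstream, two clients talking DNS to external servers directly,
// and one unrelated HTTPS connection.
var sampleFlows = []string{
	"10.0.5.23 10.0.0.53 53 udp",
	"10.0.0.53 8.8.8.8 53 udp",
	"10.0.5.23 203.0.113.7 53 udp",
	"10.0.5.24 198.51.100.9 53 tcp",
	"10.0.5.25 203.0.113.7 443 tcp",
}

func main() {
	hits, errs := findRogueDNS(sampleFlows)
	for _, h := range hits {
		fmt.Printf("ALERT direct DNS: %s -> %s:%d/%s\n", h.Src, h.Dst, h.DstPort, h.Proto)
	}
	for _, e := range errs {
		fmt.Println("skipped:", e)
	}
}
```

The same logic maps directly onto an egress firewall rule: only the approved resolvers may send to port 53 outside the network, and every denied attempt from another host is an alert rather than a silent drop.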

The PNG file is then parsed to extract the shellcode, which in turn runs a Gzip loader that decompresses a further shellcode stage and executes it in a separate thread.
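The report says only that the shellcode is attached to the PNG, not how. The following added example, written here rather than taken from the loader or from Avast, shows the triage check this invites: walk the chunk list of a PNG without decoding it, verify each chunk's CRC, and report any bytes that follow the IEND chunk, which a well-formed image never has. The sample image and the appended payload bytes are constructed for the demo, on the assumption that the payload sits after IEND.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

var pngSignature = []byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'}

// Constructed stand-in for appended shellcode (NOP sled plus marker bytes);
// not the real GuptiMiner payload.
var constructedPayload = []byte{0x90, 0x90, 0x90, 0x90, 0xcc, 0xcc, 'S', 'C'}

// makeChunk builds a spec-conformant chunk: length, type, data, CRC32 over
// type+data.
func makeChunk(typ string, data []byte) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, uint32(len(data)))
	b.WriteString(typ)
	b.Write(data)
	binary.Write(&b, binary.BigEndian, crc32.ChecksumIEEE(append([]byte(typ), data...)))
	return b.Bytes()
}

// buildSamplePNG returns a minimal 1x1 grayscale PNG (IHDR, IDAT, IEND)
// with trailer appended after IEND. The IDAT bytes are placeholders; the
// walker below never decompresses image data.
func buildSamplePNG(trailer []byte) []byte {
	ihdr := []byte{0, 0, 0, 1, 0, 0, 0, 1, 8, 0, 0, 0, 0} // 1x1, 8-bit, grayscale
	var img bytes.Buffer
	img.Write(pngSignature)
	img.Write(makeChunk("IHDR", ihdr))
	img.Write(makeChunk("IDAT", []byte{0x78, 0x9c, 0x63, 0x60, 0x00, 0x00}))
	img.Write(makeChunk("IEND", nil))
	img.Write(trailer)
	return img.Bytes()
}

type PNGReport struct {
	Chunks  []string // chunk types in file order, up to and including IEND
	BadCRC  []string // chunks whose stored CRC does not match their contents
	Trailer []byte   // bytes after IEND; a valid image has none
}

// inspectPNG walks the chunk list without decoding pixels. Anything after
// IEND, or a chunk whose CRC is wrong, is a triage signal worth a closer look.
func inspectPNG(img []byte) (PNGReport, error) {
	var rep PNGReport
	if !bytes.HasPrefix(img, pngSignature) {
		return rep, errors.New("missing PNG signature")
	}
	off := len(pngSignature)
	for {
		if off+8 > len(img) {
			return rep, errors.New("truncated chunk header")
		}
		length := int(binary.BigEndian.Uint32(img[off:]))
		typ := string(img[off+4 : off+8])
		end := off + 8 + length + 4
		if length < 0 || end > len(img) {
			return rep, fmt.Errorf("chunk %q overruns file", typ)
		}
		stored := binary.BigEndian.Uint32(img[end-4:])
		if crc32.ChecksumIEEE(img[off+4:end-4]) != stored {
			rep.BadCRC = append(rep.BadCRC, typ)
		}
		rep.Chunks = append(rep.Chunks, typ)
		off = end
		if typ == "IEND" {
			break
		}
	}
	rep.Trailer = img[off:]
	return rep, nil
}

func main() {
	rep, err := inspectPNG(buildSamplePNG(constructedPayload))
	if err != nil {
		panic(err)
	}
	fmt.Printf("chunks=%v badCRC=%v trailer=% x\n", rep.Chunks, rep.BadCRC, rep.Trailer)
}
```

Image viewers stop reading at IEND, so an appended payload renders as a normal picture; the walker above, not a visual check, is what exposes it. Payloads hidden inside ancillary chunks or pixel data would need the chunk contents inspected as well.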

The third-stage malware, nicknamed Puppeteer, orchestrates the rest of the chain, eventually deploying the XMRig cryptocurrency miner and the backdoors on infected systems.


Avast said it encountered two different types of backdoors, both able to move laterally, accept commands from the threat actor, and deliver additional components as required.

“The first is an improved version of PuTTY Link, which provides SMB scanning of the local network and allows lateral movement over the network to potentially vulnerable Windows 7 and Windows Server 2008 systems on the network,” the researchers explained.

“The second backdoor is multi-modular, accepting commands from the attacker to install multiple modules and focusing on scanning for private keys and crypto wallets stored on the local system.”


GuptiMiner, known to be active since at least 2018, uses a range of evasion techniques: anti-VM and anti-debugging tricks, code virtualization, deleting the PNG loader during system shutdown events, storing payloads in the Windows registry, and adding a root certificate to the Windows certificate store so that the PNG loader DLLs appear trustworthy.


The links to Kimsuky come from an information stealer that, while not distributed by GuptiMiner or via its infection chain, was used “throughout the entire GuptiMiner campaign” and shares overlaps with a keylogger previously attributed to the group.

It’s currently unclear who the campaign targets, but GuptiMiner artifacts were uploaded to VirusTotal from India and Germany as early as April 2018, and Avast telemetry shows new infections likely originating from outdated eScan clients.

The findings come as the Korea National Police Agency (KNPA) accused North Korean hacking groups such as Lazarus, Andariel and Kimsuky of targeting the country’s defense sector and exfiltrating valuable data from some of its companies.

A report by the Korea Economic Daily says that threat actors penetrated the networks of 83 South Korean defense contractors and stole classified information from around 10 of them from October 2022 to July 2023.
