North Korean hackers have been abusing the update mechanism of the eScan antivirus to plant backdoors in major corporate networks and deploy cryptocurrency miners using the GuptiMiner malware.
According to researchers, GuptiMiner is a highly advanced threat capable of executing DNS requests to the attacker’s DNS servers, extracting payloads from images, signing its payloads, and performing DLL sideloading.
The North Korean hackers used an AitM position to distribute the GuptiMiner malware.
The threat actor responsible for GuptiMiner malware utilised an adversary-in-the-middle (AitM) position to intercept the regular virus definition update package and substitute it with a malicious one named ‘updll62.dlz.’
This malicious file contains the legitimate antivirus updates together with the GuptiMiner malware, disguised as a DLL file named ‘version.dll’.
Upon processing the package, the eScan updater unpacks and executes it as usual, resulting in the sideloading of the DLL by eScan’s legitimate binaries, granting the malware system-level privileges.
Subsequently, the DLL retrieves additional payloads from the attacker’s infrastructure, establishes persistence on the host via scheduled tasks, manipulates DNS, injects shellcode into legitimate processes, utilises code virtualisation, encrypts payloads using XOR and stores them in the Windows registry, and extracts PEs from PNGs.
To evade sandbox environments, GuptiMiner checks that the system has more than 4 CPU cores and 4 GB of RAM, and determines whether specific security tools and debuggers are running.
In addition, the researchers suggest a potential link between GuptiMiner and the North Korean APT group Kimsuky, based on similarities in the information-stealing functions and the use of the domain mygamesonline[.]org.
The hackers employed GuptiMiner to deploy malware on compromised systems, including two distinct backdoors and the XMRig Monero miner.
The first backdoor is an enhanced version of PuTTY Link, used to scan local networks for vulnerable systems and pivot points for lateral movement, mainly targeting Windows 7 and Windows Server 2008 systems.
The second backdoor is a sophisticated modular malware designed to search for stored private keys and cryptocurrency wallets on the host, creating a registry key upon completion of the scan to avoid detection.
This malware can receive commands to install additional modules in the registry, enhancing its capabilities within infected environments. Additionally, the attackers sometimes deployed the XMRig miner, potentially as a distraction from the primary attack.
For now, organisations that use eScan should remain vigilant about their exposure, as they are being targeted by a notorious cybercriminal group backed by one of the most hostile countries in the world.