Malware Takes Advantage of eScan Antivirus Software’s Update


A sophisticated malware campaign has infiltrated the update mechanism of eScan antivirus software, wreaking havoc across major corporate networks.

  • Avast traced the first incident back to 2018.
  • Hackers exploited vulnerabilities in eScan’s updating process through a man-in-the-middle (MitM) attack, substituting legitimate updates with malicious ones.
  • GuptiMiner utilizes a complex infection chain and employs various techniques to ‘shackle’ itself to the system.

A malware campaign hijacked an eScan antivirus update to distribute harmful backdoors and cryptocurrency mining software across major corporate networks.

Cybersecurity company Avast traced the first incident back to 2018, enabling them to assess the level of sophistication of the malware, GuptiMiner. It is still unclear, however, who the targets of the attack were.

According to Avast’s report, the malware uses “an interesting infection chain along with a couple of techniques that include performing DNS requests to the attacker’s DNS servers, performing sideloading, extracting payloads from innocent-looking images, signing its payloads with a custom trusted root anchor certification authority, among others.”

So, the hackers took advantage of the updating process of Indian antivirus vendor eScan and covertly delivered malware to unsuspecting users. Through a man-in-the-middle (MitM) attack, the attackers intercepted the updates, which were not signed and secured properly, and replaced them with malicious ones.
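As an added illustration (not code from the article, Avast, or eScan), the Go sketch below shows the client-side check that defeats this kind of update swap: the updater accepts a package only if a manifest signed with a pinned vendor key verifies and the downloaded bytes match the signed digest. The `Manifest` type, the `VerifyUpdate` function, and the choice of Ed25519 are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor; it is not eScan's format.
type Manifest struct {
	Name    string
	Version string
	SHA256  [32]byte // digest of the package the vendor built
}

// signedBytes is the exact byte string the vendor signs.
func (m Manifest) signedBytes() []byte {
	return []byte(fmt.Sprintf("%q|%q|%x", m.Name, m.Version, m.SHA256))
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against pinned key")
	ErrBadDigest    = errors.New("package digest does not match signed manifest")
)

// VerifyUpdate accepts a package only if the manifest was signed by the
// pinned vendor key and the downloaded bytes hash to the signed digest.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, pkg []byte) error {
	if len(pinned) != ed25519.PublicKeySize || !ed25519.Verify(pinned, m.signedBytes(), sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(pkg) != m.SHA256 {
		return ErrBadDigest
	}
	return nil
}

func main() {
	// Constructed sample data: a throwaway key pair stands in for the vendor's.
	pub, priv, _ := ed25519.GenerateKey(nil)
	good := []byte("constructed legitimate update payload")
	m := Manifest{"av-definitions", "1.0.1", sha256.Sum256(good)}
	sig := ed25519.Sign(priv, m.signedBytes())

	fmt.Println("legitimate:", VerifyUpdate(pub, m, sig, good))
	// An on-path party swaps the payload but cannot produce a valid signature.
	fmt.Println("swapped:   ", VerifyUpdate(pub, m, sig, []byte("constructed replaced payload")))
}
```

Because the trust decision rests on the pinned key rather than on the transport, the check holds even when the download path itself is intercepted.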

Once in, GuptiMiner goes about its business. Considering it is sideloaded through eScan’s legitimate binaries, it now has system-level privileges. As a result, the malware can then add more payloads – malicious code that causes harm to the targeted victim – from the attackers’ infrastructure. The attacker can then update the malware with new functionalities.

Beyond that, it uses scheduled tasks to persist in a system, which means the malware will automatically restart even after a reboot. It also modifies the settings of the Domain Name System (DNS), which translates website names into IP addresses. The attacker can then redirect the victim’s traffic to malicious websites disguised as legitimate ones, among other things. Worst of all, the disruptive intruder can employ evasion tactics, making it difficult for security software to identify and remove the malware.

The GuptiMiner campaign employs several malicious tools, including two distinct backdoors and the XMRig Monero miner. These tools give the attackers remote access to compromised systems, enabling reconnaissance, lateral movement, and cryptocurrency mining activities.

Based on certain characteristics of the GuptiMiner campaign, Avast researchers suspect it is connected to the North Korean APT group Kimsuky. Notably, GuptiMiner’s information-stealing functions have similarities with those of the Kimsuky keylogger.

Avast has notified eScan of the vulnerabilities, and proper measures were taken. But this doesn’t change the fact that for the last 5 years, the GuptiMiner campaign has been exploiting a trusted security system. Organizations, big or small, rely on antivirus solutions for network protection. If vendors fail to secure their security software, how do businesses stay safe? Do they double up on antivirus programs, despite experts recommending against that?
