North Korean hackers have manipulated eScan antivirus updates to distribute GuptiMiner, a multi-stage malware whose activities include DNS manipulation, extraction of payloads hidden in image files, and sideloading of malicious DLLs. In a new report, Avast describes the campaign as one in which the attackers intercept antivirus updates to implant GuptiMiner on corporate systems.
The malware sideloads itself through eScan’s legitimate binaries, gaining system-level access, and then performs several sophisticated functions, such as extracting payloads stored encrypted in the Windows registry and checking system resources to avoid detection. Notably, it deactivates security products such as AhnLab and Cisco Talos when it finds them on compromised machines.
Avast’s investigation links GuptiMiner to the North Korean APT group Kimsuky, noting an overlap between the malware’s functions and earlier Kimsuky operations. The malware not only deploys cryptocurrency mining software such as XMRig but also delivers advanced backdoors that seek out vulnerable systems for further exploitation.
eScan has since patched the exploited vulnerability and improved its security protocols, including ensuring that all updates are downloaded over HTTPS. Despite these measures, Avast reports continued infections, indicating that some clients may still be running outdated versions of the software.