eScan Antivirus Update Mechanism Exploited to Spread Backdoors and Miners
25.4.24 Virus The Hacker News
A new malware campaign has been exploiting the updating mechanism of the eScan antivirus software to distribute backdoors and cryptocurrency miners like XMRig through a long-standing threat codenamed GuptiMiner targeting large corporate networks.
Cybersecurity firm Avast said the activity is the work of a threat actor with possible connections to a North Korean hacking group dubbed Kimsuky, which is also known as Black Banshee, Emerald Sleet, and TA427.
"GuptiMiner is a highly sophisticated threat that uses an interesting infection chain along with a couple of techniques that include performing DNS requests to the attacker's DNS servers, performing sideloading, extracting payloads from innocent-looking images, signing its payloads with a custom trusted root anchor certification authority, among others," Avast said.
The intricate and elaborate infection chain, at its core, leverages a security shortcoming in the update mechanism of Indian antivirus vendor eScan to propagate the malware by means of an adversary-in-the-middle (AitM) attack.
Specifically, it entails hijacking the updates by substituting the package file with a malicious version by taking advantage of the fact that the downloads were not signed and secured using HTTPS. The issue, which went unnoticed for at least five years, has been rectified as of July 31, 2023.
The rogue DLL ("updll62.dlz") executed by the eScan software side-loads a DLL ("version.dll") to activate a multi-stage sequence starting with a PNG file loader that, in turn, employs malicious DNS servers to contact a command-and-control (C2) server and fetch a PNG file with appended shellcode.
"GuptiMiner hosts their own DNS servers for serving true destination domain addresses of C&C servers via DNS TXT responses," researchers Jan Rubín and Milánek said.
"As the malware connects to the malicious DNS servers directly, the DNS protocol is completely separated from the DNS network. Thus, no legitimate DNS server will ever see the traffic from this malware."
The PNG file is then parsed to extract the shellcode, which is then responsible for executing a Gzip loader that's designed to decompress another shellcode using Gzip and execute it in a separate thread.
The third-stage malware, dubbed Puppeteer, pulls all the strings, ultimately deploying the XMRig cryptocurrency miner and backdoors on the infected systems.
Avast said it encountered two different types of backdoors that come fitted with features to enable lateral movement, accept commands from the threat actor, and deliver additional components as required.
"The first is an enhanced build of PuTTY Link, providing SMB scanning of the local network and enabling lateral movement over the network to potentially vulnerable Windows 7 and Windows Server 2008 systems on the network," the researchers explained.
"The second backdoor is multi-modular, accepting commands from the attacker to install more modules as well as focusing on scanning for stored private keys and crypto wallets on the local system."
The deployment of XMRig has been described as "unexpected" for what's otherwise a complex and meticulously executed operation, raising the possibility that the miner acts as a distraction to prevent victims from discovering the true extent of the compromise.
GuptiMiner, known to be active since at least 2018, also makes use of various techniques like anti-VM and anti-debug tricks, code virtualization, dropping the PNG loader during system shutdown events, storing payloads in Windows Registry, and adding a root certificate to Windows' certificate store to make the PNG loader DLLs appear trustworthy.
The links to Kimusky come from an information stealer that, while not distributed by GuptiMiner or via the infection flow, has been used "across the whole GuptiMiner campaign" and shares overlaps with a keylogger previously identified as utilized by the group.
It's currently not clear who the targets of the campaign are, but GuptiMiner artifacts have been uploaded to VirusTotal from India and Germany as early as April 2018, with Avast telemetry data highlighting new infections likely originating from out-of-date eScan clients.
The findings come as the Korean National Police Agency (KNPA) called out North Korean hacking crews such as Lazarus, Andariel, and Kimsuky for targeting the defense sector in the country and exfiltrating valuable data from some of them.
A report from the Korea Economic Daily said the threat actors penetrated the networks of 83 South Korean defense contractors and stole confidential information from about 10 of them from October 2022 to July 2023.