eScan antivirus compromised, GuptiMiner malware deployed through updates

Malware attacks are becoming more common than ever. The latest in the series is eScan, an antivirus vendor with headquarters in India, compromised by threat actors to sideload the GuptiMiner malware on the end user’s PC.

Threat actors exploited eScan’s update process since it relied on HTTP to deliver updates, instead of the latest and more secure HTTPS protocol, to sideload the malware.

Researchers at Avast were the first to identify the vulnerability and share it with eScan. The latter acknowledged the loopholes in the update process and patched it on July 31, 2023.

Avast describes the GuptiMiner malware as,

GuptiMiner is a highly sophisticated threat that uses an interesting infection chain along with a couple of techniques that include performing DNS requests to the attacker’s DNS servers, performing sideloading, extracting payloads from innocent-looking images, signing its payloads with a custom trusted root anchor certification authority, among others. The main objective of GuptiMiner is to distribute backdoors within big corporate networks.

The report also links the GuptiMiner malware to Kimsuky, a North Korean state-backed hacker group.

Breaking down the GuptiMiner attack through eScan’s updates

Threat actors employed the Man-in-the-Middle (MitM) attack to distribute the malware amongst unsuspecting users. It starts with the antivirus requesting an update package from the server, which threat actors intercept and replace with a malicious one

Although the malicious package contains the relevant updates, it also downloads an infected version.dll file, which has the same permissions as the antivirus. On subsequent reboots, the DLL downloads additional files from the threat actor’s server, at which point the PC is completely compromised.

Avast reports that the GuptiMiner malware also checks for any active Wireshark, WinDbg, TCPView, 360 Total Security, Huorong Internet Security, Process Explorer, and Process Monitor processes and terminates any instances of Cisco Talos Intelligence and AhnLab.

While the attack’s real motive remains unknown, it did sideload XMRig, a package for mining cryptocurrency. Other than that, the attack deployed two backdoors, one to scan the network for vulnerable systems and another to scan the PC for cryptocurrency wallets and stored private keys.

When BleepingComputer reached out to eScan for a comment, the latter confirmed receiving similar reports in 2019 and resolving it in 2020. Besides, it started facilitating downloads over HTTPS to utilize the encryption capabilities of the protocol.

If you are an eScan antivirus user, we recommend reaching out to the developers right away and enquire what changes could be implemented on your end for a safer experience.

The whole eScan GuptiMiner incident highlights that even antiviruses are prone to attacks. And while there’s no absolute protection, using an effective antivirus solution can lower the possibility of such attacks.

What’s your take on threat actors deploying GuptiMiner via eScan’s updates? Share with our readers in the comments section.