North Korea-Linked Hackers Exploit eScan Antivirus to Spread Malware and Mine Crypto
April 25, 2024
Avast researchers discovered a malware campaign that abused eScan antivirus updates to distribute backdoors and cryptocurrency miners.
The campaign, which Avast tentatively attributes to the North Korea-linked APT group Kimsuky, targeted large corporate networks.
eScan downloaded its updates over unencrypted HTTP and did not verify their integrity, so an attacker positioned between the client and eScan's update servers (a man-in-the-middle) could swap the legitimate update package for a malicious one that the product then installed.
The final payloads were backdoors and the XMRig cryptocurrency miner; Avast also observed an information stealer that it believes likely originated with Kimsuky, which is the basis for the attribution.
The update flaw had been abusable for about five years (GuptiMiner activity dates back to at least 2018); eScan fixed it on July 31, 2023 after Avast reported it, which is why the Avast write-up appeared only in April 2024.
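The check that was missing from the update path is the one shown here: the client must bind what it installs to a digest published under the vendor's signing key, so that a swapped package fails before it is loaded. This is an added example, not eScan's updater or Avast's code. The package contents, the manifest format, the vendor and attacker keys and the in-memory Network class are all constructed for the example; an HMAC under a vendor key stands in for an asymmetric signature only because the Python standard library has no Ed25519 or RSA verifier, and a real updater would verify a public-key signature with the key embedded in the client.

```python
import hashlib
import hmac
import json
from typing import Optional

# Added example, not eScan's or Avast's code. A symmetric HMAC key stands in for the
# vendor's signing key only because the standard library has no asymmetric signature
# primitive; a real updater verifies an Ed25519/RSA signature against a public key
# baked into the client. The control flow is the same either way.
VENDOR_KEY = b"constructed-vendor-key-for-this-example"
ATTACKER_KEY = b"attacker-does-not-hold-the-vendor-key"

# Constructed sample packages: what the vendor ships, and what a man-in-the-middle swaps in.
GENUINE_UPDATE = b"genuine signature database v1.0"
TROJANED_UPDATE = GENUINE_UPDATE + b"\x00 attacker loader stub"


def sign_manifest(package: bytes, key: bytes) -> bytes:
    """Publisher side: a manifest that binds the package digest under `key`."""
    body = json.dumps(
        {"version": "1.0", "sha256": hashlib.sha256(package).hexdigest()},
        sort_keys=True,
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


class Network:
    """Plain-HTTP transport with an optional man-in-the-middle (constructed).

    attack=None                : honest path, nothing tampered with
    attack="package"           : attacker swaps only the update package (the campaign's pattern)
    attack="package+manifest"  : attacker also serves a manifest for the trojan, but can only
                                 sign it with a key of their own
    """

    def __init__(self, attack: Optional[str] = None):
        self.attack = attack

    def get(self, path: str) -> bytes:
        if path == "/update.bin":
            return GENUINE_UPDATE if self.attack is None else TROJANED_UPDATE
        if path == "/manifest.txt":
            if self.attack == "package+manifest":
                return sign_manifest(TROJANED_UPDATE, ATTACKER_KEY)
            return sign_manifest(GENUINE_UPDATE, VENDOR_KEY)
        raise KeyError(path)


def insecure_update(net: Network) -> bytes:
    """Fetch over plain HTTP and install whatever arrives: trusts the transport completely."""
    return net.get("/update.bin")


def verified_update(net: Network) -> bytes:
    """Fetch, then refuse any package not bound by a manifest that verifies under VENDOR_KEY."""
    manifest = net.get("/manifest.txt")
    body, _, tag = manifest.rpartition(b"\n")
    expected_tag = hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected_tag):
        raise ValueError("manifest signature invalid")
    expected_sha = json.loads(body)["sha256"]
    package = net.get("/update.bin")
    if not hmac.compare_digest(hashlib.sha256(package).hexdigest(), expected_sha):
        raise ValueError("update package digest mismatch")
    return package


def update_outcome(net: Network) -> str:
    """Run the verified path and report what a log line would say."""
    try:
        verified_update(net)
        return "installed"
    except ValueError as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    print("insecure, MitM :", insecure_update(Network("package")) == TROJANED_UPDATE)
    print("verified, MitM :", update_outcome(Network("package")))
    print("verified, both :", update_outcome(Network("package+manifest")))
```

The two rejection paths matter separately: swapping only the package trips the digest check, and swapping the manifest as well trips the signature check, because the attacker can rewrite bytes on an HTTP connection but cannot produce a valid tag without the vendor key. Moving the transport to HTTPS, as eScan did, closes the man-in-the-middle position; the signed manifest additionally protects against a compromised mirror or CDN.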
GuptiMiner, the campaign's malware, fetched its payloads through DNS TXT records requested directly from attacker-controlled DNS servers, bypassing the victim's configured resolvers and the logging and filtering normally attached to them.
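The detection opportunity in that technique is that the queries never go to the enterprise resolver: any host talking on port 53 to an address outside the approved resolver set is worth an alert, and TXT lookups to such addresses are worth a high-severity one. The following is an added example of that logic run over sample log lines; it is not Avast's detection content. The resolver set and the tab-separated lines (laid out to resemble Zeek's dns.log fields) are constructed for the example and are not telemetry from the campaign.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Added example, not Avast's detection logic. The approved resolvers are an assumed set;
# the log lines below are constructed to resemble Zeek dns.log (tab separated) and are
# not real telemetry from the GuptiMiner campaign.
APPROVED_RESOLVERS: Set[str] = {"10.0.0.53", "10.0.1.53"}

# Fields: ts, id.orig_h, id.resp_h, id.resp_p, proto, query, qtype_name (constructed)
SAMPLE_DNS_LOG = """\
1713900001.1\t10.0.5.21\t10.0.0.53\t53\tudp\tupdate.example-av.test\tA
1713900002.4\t10.0.5.21\t10.0.0.53\t53\tudp\twww.example.test\tAAAA
1713900003.9\t10.0.5.21\t203.0.113.7\t53\tudp\tstage2.attacker.test\tTXT
1713900004.2\t10.0.5.33\t10.0.1.53\t53\tudp\t_dmarc.example.test\tTXT
1713900005.6\t10.0.5.21\t203.0.113.7\t53\ttcp\tstage3.attacker.test\tTXT
1713900006.0\t10.0.5.40\t198.51.100.9\t53\tudp\tpool.ntp.test\tA
"""


@dataclass
class Alert:
    ts: str
    client: str
    resolver: str
    query: str
    qtype: str
    severity: str


def parse_dns_log(text: str) -> List[Dict[str, str]]:
    """Parse tab-separated dns.log-style lines into dicts; skips blanks and # comments."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, server, port, proto, query, qtype = line.split("\t")
        rows.append({"ts": ts, "client": client, "server": server, "port": port,
                     "proto": proto, "query": query, "qtype": qtype})
    return rows


def detect_resolver_bypass(text: str, approved: Set[str]) -> List[Alert]:
    """Flag DNS traffic to any server not in the approved resolver set.

    A TXT lookup to a rogue server is the GuptiMiner pattern (payload fetched via TXT),
    so it gets 'high'; any other record type to a rogue server is 'medium' because it
    still shows a host bypassing the resolvers the organisation actually monitors.
    """
    alerts: List[Alert] = []
    for row in parse_dns_log(text):
        if row["server"] in approved:
            continue  # normal path: resolver is the one the enterprise operates
        severity = "high" if row["qtype"].upper() == "TXT" else "medium"
        alerts.append(Alert(row["ts"], row["client"], row["server"],
                            row["query"], row["qtype"], severity))
    return alerts


def txt_bypass_counts(alerts: List[Alert]) -> Dict[str, int]:
    """Count high-severity (TXT-to-rogue-server) events per client for triage."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        if alert.severity == "high":
            counts[alert.client] = counts.get(alert.client, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect_resolver_bypass(SAMPLE_DNS_LOG, APPROVED_RESOLVERS)
    for a in found:
        print(f"{a.severity:6} {a.client} -> {a.resolver} {a.qtype:5} {a.query}")
    print(txt_bypass_counts(found))
```

The same rule is straightforward to express as a firewall or NDR policy: allow port 53 egress only from the approved resolvers and alert on everything else, which turns the detection into prevention for this delivery channel. It does not cover payloads that arrive by other means, so it complements rather than replaces host-based and update-integrity controls.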
Infection proceeded through several stages, beginning with a Gzip loader, before the core components were deployed: the miner and the backdoors that gave the attackers remote access.
The cryptocurrency miner may have been a decoy, drawing attention away from the backdoors and the data theft they enable.
Summary based on 4 sources
Sources
TechRadar pro, Apr 24, 2024: Antivirus updates hijacked to drop dangerous malware
The Hacker News, Apr 24, 2024: eScan Antivirus Update Mechanism Exploited to Spread Backdoors and Miners
SecurityWeek, Apr 24, 2024: North Korean Hackers Hijack Antivirus Updates for Malware Delivery
Security Affairs, Apr 24, 2024: Hackers hijacked the eScan Antivirus update mechanism in malware campaign