April 25, 2024
Severity
High
Analysis Summary
The recent discovery of North Korean hackers exploiting the updating mechanism of eScan antivirus software to infiltrate corporate networks with GuptiMiner malware underscores the evolving sophistication of cyber threats targeting high-value assets.
Researchers have identified GuptiMiner as a formidable tool capable of intricate maneuvers including DNS manipulation, payload extraction from images, and DLL sideloading. By leveraging an adversary-in-the-middle position, the threat actors hijacked eScan's update process, replacing legitimate updates with a malicious package containing GuptiMiner disguised as 'updll62.dlz.'
Once executed, GuptiMiner is stealthily sideloaded by eScan's legitimate binaries, granting it system-level privileges. The malware then fetches additional payloads from the attacker's infrastructure, establishes persistence via scheduled tasks, manipulates DNS settings, injects shellcode into legitimate processes, and stores encrypted payloads in the Windows registry. Notably, GuptiMiner employs evasion techniques such as checking system specifications to avoid detection in sandbox environments and deactivating security products running on infected machines.
The researchers suspect a link between GuptiMiner and the North Korean APT group Kimsuky, citing similarities in information-stealing functionality and domain usage. Moreover, the deployment of multiple malware tools, including enhanced backdoors and Monero miners, suggests a coordinated and multifaceted attack strategy aimed at maximizing impact and extracting valuable assets. The attackers' deployment of the XMRig miner alongside sophisticated backdoors may indicate a deliberate attempt to divert attention from their primary objectives.
In response to the disclosed vulnerability, eScan has implemented stricter security measures including HTTPS-based update downloads and enhanced binary validation to prevent similar exploits. However, the persistence of GuptiMiner infections suggests the existence of outdated eScan clients, emphasizing the criticality of timely updates and proactive security measures in mitigating emerging threats.
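To illustrate the class of mitigation described above (added example, not eScan's own code): a minimal update client in Go that refuses cleartext sources, verifies an Ed25519-signed manifest against a pinned vendor key, and hashes the downloaded package before it is sideloaded. The manifest format, hostnames and package contents are constructed for this example; an on-path attacker who swaps the package, as in the GuptiMiner campaign, is stopped at the hash gate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Manifest: package name, expected SHA-256 and the vendor's Ed25519 signature
// over "name|sha256". Hypothetical format, not eScan's real update protocol.
type Manifest struct {
	Name, SHA256 string
	Sig          []byte
}

func (m Manifest) signedBytes() []byte { return []byte(m.Name + "|" + m.SHA256) }
func digest(b []byte) string       { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// signManifest is the vendor side (test keypair only): hash the genuine package and sign.
func signManifest(priv ed25519.PrivateKey, name string, pkg []byte) Manifest {
	m := Manifest{Name: name, SHA256: digest(pkg)}
	m.Sig = ed25519.Sign(priv, m.signedBytes())
	return m
}

// verifyUpdate is the hardened client: all three gates must pass before the DLL is sideloaded.
func verifyUpdate(srcURL string, vendorPub ed25519.PublicKey, m Manifest, pkg []byte) error {
	if !strings.HasPrefix(strings.ToLower(srcURL), "https://") {
		return errors.New("refusing cleartext update source: " + srcURL)
	}
	if !ed25519.Verify(vendorPub, m.signedBytes(), m.Sig) {
		return errors.New("manifest signature does not verify against pinned vendor key")
	}
	if digest(pkg) != m.SHA256 {
		return fmt.Errorf("%s: hash mismatch, package altered in transit", m.Name)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	genuine := []byte("constructed: genuine updll62.dlz")
	m := signManifest(priv, "updll62.dlz", genuine)
	fmt.Println(verifyUpdate("https://updates.example.invalid/updll62.dlz", pub, m, genuine))
	fmt.Println(verifyUpdate("https://updates.example.invalid/updll62.dlz", pub, m, []byte("constructed: swapped")))
	fmt.Println(verifyUpdate("http://updates.example.invalid/updll62.dlz", pub, m, genuine))
}
```

The pinned public key is what makes the manifest trustworthy; an attacker who controls the download path can forge the package and a matching manifest, but not the signature.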
This incident underscores the importance of robust cybersecurity practices, continuous monitoring, and collaboration between security researchers and vendors to effectively identify and neutralize evolving threats. As cyber adversaries refine their tactics and exploit vulnerabilities in software infrastructure, organizations must remain vigilant and agile in defending against sophisticated attacks targeting their digital assets.
Impact
- Cryptocurrency Theft
- Unauthorized Access
- Security Bypass
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Patch and upgrade all platforms and software promptly, and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.