Recently, a wave of malware attacks has surfaced, exploiting vulnerabilities in the update mechanism of the eScan antivirus software. This eScan antivirus backdoor exploit distributes backdoors and cryptocurrency miners, such as XMRig, posing a significant threat to large corporate networks. In this blog, we’ll look into the details of this eScan antivirus backdoor exploit and understand how it impacts businesses and their cybersecurity posture.
We’ll explore how to prevent malware through antivirus updates to safeguard your digital assets and sensitive information.
eScan Antivirus Backdoor Exploit: Intricate Infection Chain
A cybersecurity firm, Avast, has identified this eScan antivirus backdoor exploit, linking it to a sophisticated threat known as GuptiMiner. This threat demonstrates a high level of sophistication, utilizing complex infection chains and techniques to infiltrate systems. Notably, GuptiMiner has been associated with a North Korean hacking group called Kimsuky, also known as Black Banshee, Emerald Sleet, and TA427.
At the heart of this campaign lies a critical security flaw in the update mechanism of the eScan antivirus software. Attackers exploit this flaw through an adversary-in-the-middle (AitM) attack, hijacking legitimate updates and substituting them with malicious versions. What’s alarming is that the eScan update mechanism vulnerability went unnoticed for at least five years before it was rectified on July 31, 2023.
.ai-rotate {position: relative;}
.ai-rotate-hidden {visibility: hidden;}
.ai-rotate-hidden-2 {position: absolute; top: 0; left: 0; width: 100%; height: 100%;}
.ai-list-data, .ai-ip-data, .ai-filter-check, .ai-fallback, .ai-list-block, .ai-list-block-ip, .ai-list-block-filter {visibility: hidden; position: absolute; width: 50%; height: 1px; top: -1000px; z-index: -9999; margin: 0px!important;}
.ai-list-data, .ai-ip-data, .ai-filter-check, .ai-fallback {min-width: 1px;}
The fake eScan updates malware employs a complex infection chain, starting with the execution of a rogue DLL (“updll62.dlz”) within the eScan software. This DLL then side-loads another DLL (“version.dll”), initiating a multi-stage sequence. The malware utilizes techniques such as DNS requests to attacker-controlled servers, sideloading, and payload extraction from innocuous-looking images, enhancing its evasiveness and persistence.
Unique Characteristics of GuptiMiner
GuptiMiner stands out due to its unique features, including hosting its own DNS servers to serve true destination domain addresses of command-and-control (C&C) servers. This ensures that the malware’s DNS traffic remains undetected by legitimate DNS servers, enhancing its stealth capabilities.
Once activated, GuptiMiner executes a series of payloads, ultimately deploying the XMRig cryptocurrency miner and backdoors on infected systems. The deployment of XMRig alongside sophisticated backdoors adds a layer of complexity to the operation, potentially serving as a distraction to conceal the true extent of the compromise.
Backdoors and Lateral Movement
Avast has identified two types of backdoors deployed by GuptiMiner, both equipped with features for lateral movement and remote command execution. These backdoors enable attackers to navigate through networks, scan for vulnerable systems, and install additional modules as needed. One of the backdoors, an enhanced build of PuTTY Link, facilitates SMB scanning and lateral movement to potentially vulnerable systems within the network.
Unforeseen Deployment And Advanced Evasion
The deployment of XMRig, a cryptocurrency miner, within the GuptiMiner operation has surprised researchers. This unexpected addition suggests that the miner may serve as a diversion, diverting attention from the more nefarious activities of the malware. By focusing on cryptocurrency mining, attackers may aim to obfuscate their true intentions and prolong their presence within compromised systems.
GuptiMiner employs various evasion techniques to avoid detection and analysis. These include anti-VM and anti-debug tricks, code virtualization, and storing payloads in the Windows Registry. Additionally, the malware adds a root certificate to Windows’ certificate store, enhancing the trustworthiness of its malicious DLLs.
Risks of Outdated Antivirus Software
The links between GuptiMiner and North Korean threat actors, particularly Kimsuky, raise concerns about the campaign’s objectives and targets. While the exact targets remain unclear, GuptiMiner artifacts have been traced back to India and Germany, with new infections likely originating from outdated eScan clients.
Impact on the Defense Sector
This patch eScan antivirus exploit campaign coincides with reports of North Korean hacking crews targeting the defense sector, particularly in South Korea. These threat actors have infiltrated the networks of defense contractors, exfiltrating confidential information and posing a significant risk to national security. So, beware of the threat posed by cryptominer malware through antivirus, which can compromise your system’s security.
Conclusion
The emergence of the eScan antivirus backdoor exploit underscores the evolving threat landscape and the importance of robust cybersecurity measures. Businesses must remain vigilant, regularly update their security software, and implement comprehensive defense strategies to mitigate the risk of sophisticated cyber attacks.
Explore secure alternatives to eScan for robust cybersecurity solutions and enhance business network security with eScan for comprehensive protection against cyber threats.. By staying informed and proactive, organizations can safeguard their networks and protect sensitive data from malicious actors.
The sources for this piece include articles in The Hacker News and Security Affairs.
The post Backdoors and Miners Amid eScan Antivirus Backdoor Exploit appeared first on TuxCare.
*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/backdoors-and-miners-amid-escan-antivirus-backdoor-exploit/
This post was originally published on the 3rd party site mentioned in the title of this this site