eScan Antivirus Update Mechanism Exploited to Spread Backdoors and Miners


A new malware operation has been exploiting the updating mechanism of the eScan antivirus program to disseminate backdoors and cryptocurrency miners like XMRig through a long-standing threat nicknamed GuptiMiner targeting major business networks.

Cybersecurity firm Avast claimed the activity is the work of a threat actor with probable connections to a North Korean hacker gang dubbed Kimsuky, which is also known as Black Banshee, Emerald Sleet, and TA427.

"GuptiMiner is a highly sophisticated threat that uses an interesting infection chain along with a couple of techniques that include performing DNS requests to the attacker's DNS servers, performing sideloading, extracting payloads from innocent-looking images, signing its payloads with a custom trusted root anchor certification authority, among others," Avast said.

At its core, the elaborate infection chain exploits a weakness in the update procedure of Indian antivirus vendor eScan to distribute the malware by way of an adversary-in-the-middle (AitM) attack.

Specifically, the attackers hijack the update by substituting the package file with a malicious version, taking advantage of the fact that the downloads were neither integrity-checked nor delivered over HTTPS. The issue, which went unreported for at least five years, has been addressed as of July 31, 2023.
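The two weaknesses just described (plaintext transport and no integrity check on the downloaded package) are exactly what a hardened update client must refuse. The following is an added example, not eScan's code or anything from the Avast report: it contrasts a permissive "accept whatever arrived" client with one that insists on HTTPS and verifies the package digest against a pinned manifest. The manifest contents, hostname and package bytes are constructed for illustration.

```python
"""Added example: an update-acceptance check that refuses plaintext transport
and unverified packages. Manifest, hostnames and package bytes are constructed."""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample package bytes standing in for a real update archive.
PACKAGE = b"UPDATE-PACKAGE-v1 (constructed sample bytes)"

# Constructed: a manifest of expected SHA-256 digests that the client ships with
# or obtains over an authenticated channel, keyed by package file name.
PINNED_MANIFEST = {
    "updll62.dlz": hashlib.sha256(PACKAGE).hexdigest(),
}


def legacy_accept(url: str, name: str, payload: bytes) -> str:
    """The weak pattern: any bytes that arrive are installed, whatever the transport."""
    return "accepted"


def classify_update(url: str, name: str, payload: bytes,
                    manifest: dict = PINNED_MANIFEST) -> str:
    """Hardened pattern: accept only HTTPS-delivered packages whose digest is pinned.

    Returns "accepted" or "rejected: <reason>" so callers (and tests) can act on it.
    """
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        return f"rejected: plaintext transport ({scheme or 'none'})"
    expected = manifest.get(name)
    if expected is None:
        return f"rejected: no pinned digest for {name}"
    actual = hashlib.sha256(payload).hexdigest()
    # Constant-time comparison; an on-path attacker who swaps the package
    # cannot produce a matching digest without controlling the manifest too.
    if not hmac.compare_digest(actual, expected):
        return "rejected: digest mismatch"
    return "accepted"


if __name__ == "__main__":
    good_url = "https://updates.example.invalid/updll62.dlz"
    bad_url = "http://updates.example.invalid/updll62.dlz"
    tampered = PACKAGE + b" (modified in transit)"
    print(legacy_accept(bad_url, "updll62.dlz", tampered))       # accepted (the flaw)
    print(classify_update(bad_url, "updll62.dlz", PACKAGE))      # rejected: plaintext transport
    print(classify_update(good_url, "updll62.dlz", tampered))    # rejected: digest mismatch
    print(classify_update(good_url, "updll62.dlz", PACKAGE))     # accepted
```

A digest manifest is the minimum; a production updater would sign the manifest itself so that an attacker who can tamper with the download cannot also substitute the expected hashes.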

The rogue DLL ("updll62.dlz") executed by the eScan software side-loads a DLL ("version.dll") to launch a multi-stage sequence starting with a PNG file loader that, in turn, leverages malicious DNS servers to contact a command-and-control (C2) server and acquire a PNG file with attached shellcode.

"GuptiMiner hosts their own DNS servers for serving true destination domain addresses of C&C servers via DNS TXT responses," researchers Jan Rubín and Milánek revealed.

"As the virus connects to the malicious DNS servers directly, the DNS protocol is totally disconnected from the DNS network. Thus, no legal DNS server will ever see the traffic from this malware."
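Because the malware talks to attacker-operated DNS servers directly, the resolver logs defenders normally rely on never see its queries. What does see them is the network edge: any endpoint sending port-53 traffic to something other than the organisation's sanctioned resolvers is worth a look. The following is an added example, not from the Avast report, that applies that check to constructed firewall-style flow records; the resolver addresses, hosts and log format are all made up for the demonstration.

```python
"""Added example: flag internal hosts sending DNS traffic to servers other than
the sanctioned resolvers. Log lines, addresses and the log format are constructed."""
from collections import defaultdict

# Constructed: the only resolvers endpoints are supposed to use.
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed flow records: timestamp src dst proto dport bytes
SAMPLE_LOG = """\
2024-04-01T09:00:01Z 10.0.5.21 10.0.0.53 udp 53 78
2024-04-01T09:00:02Z 10.0.5.21 10.0.0.53 udp 53 92
2024-04-01T09:00:05Z 10.0.5.77 203.0.113.9 udp 53 64
2024-04-01T09:00:06Z 10.0.5.77 203.0.113.9 udp 53 310
2024-04-01T09:00:07Z 10.0.5.77 203.0.113.9 tcp 53 1200
2024-04-01T09:00:09Z 10.0.5.30 198.51.100.4 udp 53 70
2024-04-01T09:00:10Z 10.0.5.21 93.184.216.34 tcp 443 4096
"""


def parse_line(line: str) -> dict:
    """Split one constructed flow record into typed fields."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "bytes": int(nbytes)}


def find_rogue_dns(log_text: str, sanctioned=SANCTIONED_RESOLVERS) -> dict:
    """Return {src: {dst: (flow_count, total_bytes)}} for port-53 flows whose
    destination is not a sanctioned resolver. Both UDP and TCP are kept, since
    large TXT answers may force a fallback to TCP."""
    findings = defaultdict(dict)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dport"] != 53 or rec["dst"] in sanctioned:
            continue
        count, total = findings[rec["src"]].get(rec["dst"], (0, 0))
        findings[rec["src"]][rec["dst"]] = (count + 1, total + rec["bytes"])
    return dict(findings)


if __name__ == "__main__":
    for src, dsts in find_rogue_dns(SAMPLE_LOG).items():
        for dst, (count, total) in dsts.items():
            print(f"{src} -> {dst}: {count} DNS flow(s), {total} bytes to a non-sanctioned server")
```

The same logic maps directly onto a firewall rule: permit port 53 outbound only from the sanctioned resolvers, and alert on everything else. Expect benign noise from devices hard-coded to public resolvers, which is why the output groups by source host rather than alerting per flow.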

The PNG file is then parsed to extract the shellcode, which runs a Gzip loader that decompresses a further shellcode and executes it in a separate thread.

The third-stage component, nicknamed Puppeteer, pulls all the strings, finally deploying the XMRig cryptocurrency miner and backdoors on the affected PCs.

Avast said it observed two different types of backdoors that come loaded with functionality that permits lateral movement, accepts commands from the threat actor, and delivers new components as required.
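An image that carries a payload is a useful triage target because the PNG format is strictly chunked: every chunk declares its length and CRC, and the file is supposed to end at the IEND chunk. The following added example (not code from the Avast report, and the sample image is constructed in memory) walks the chunk list, checks each CRC, and reports any bytes found after IEND. It assumes the payload is appended after IEND, which is one common placement; the page does not state exactly how GuptiMiner embeds its shellcode, so treat that as an assumption.

```python
"""Added example: parse PNG chunks, verify CRCs, and report trailing data after
IEND. The minimal image and the appended bytes are constructed for the demo."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG: IHDR, IDAT, IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    raw_scanline = b"\x00\x00"  # filter byte + one pixel
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw_scanline))
            + _chunk(b"IEND", b""))


def inspect_png(blob: bytes) -> dict:
    """Walk the chunk structure and summarise anomalies.

    Returns chunk types in order, chunk types whose CRC did not verify, whether
    the chunk list was truncated, and the number of bytes after IEND.
    """
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks, crc_errors = [], []
    truncated, trailing = False, 0
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            truncated = True
            break
        data = blob[pos + 8:pos + 8 + length]
        (crc_stored,) = struct.unpack(">I", blob[pos + 8 + length:end])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc_stored:
            crc_errors.append(ctype.decode("latin-1"))
        chunks.append(ctype.decode("latin-1"))
        pos = end
        if ctype == b"IEND":
            trailing = len(blob) - pos  # anything here is not part of the image
            break
    else:
        truncated = True  # ran out of bytes before seeing IEND
    return {"chunks": chunks, "crc_errors": crc_errors,
            "truncated": truncated, "trailing_bytes": trailing}


if __name__ == "__main__":
    clean = build_minimal_png()
    # Constructed stand-in for an appended payload; not real shellcode.
    suspicious = clean + b"A" * 64
    print(inspect_png(clean))
    print(inspect_png(suspicious))
```

Trailing bytes after IEND are not proof of malice (some tools leave metadata there), but an image fetched by a security product's update path that carries tens of kilobytes past IEND deserves a closer look, and the CRC check catches payloads hidden by corrupting a chunk in place.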

"The first is an enhanced build of PuTTY Link, providing SMB scanning of the local network and enabling lateral movement over the network to potentially vulnerable Windows 7 and Windows Server 2008 systems on the network," the researchers noted.

"The second backdoor is multi-modular, accepting commands from the attacker to install more modules as well as focusing on scanning for stored private keys and crypto wallets on the local system."

The deployment of XMRig has been described as "unexpected" for what's otherwise a complex and precisely planned operation, suggesting the potential that the miner operates as a distraction to keep victims from finding the true scope of the compromise.

GuptiMiner, known to be active since at least 2018, also makes use of various techniques like anti-VM and anti-debug tricks, code virtualization, dropping the PNG loader during system shutdown events, storing payloads in Windows Registry, and adding a root certificate to Windows' certificate store to make the PNG loader DLLs appear trustworthy.

The links to Kimsuky come from an information stealer that, while not supplied by GuptiMiner or via the infection flow, has been used "across the whole GuptiMiner campaign" and shares overlaps with a keylogger previously observed in use by the group.

It's presently not apparent who the targets of the operation are, though GuptiMiner artifacts have been submitted to VirusTotal from India and Germany as early as April 2018, with Avast telemetry data identifying new infections likely emanating from out-of-date eScan clients.

The discoveries came as the Korean National Police Agency (KNPA) called out North Korean hacking crews such as Lazarus, Andariel, and Kimsuky for targeting the defense industry in the country and exfiltrating vital data from some of them.

A report from the Korea Economic Daily revealed the threat actors accessed the networks of 83 South Korean defense contractors and obtained personal information from roughly 10 of them from October 2022 to July 2023.
