eScan Update Delivers Backdoors & Cryptominers
North Korean hackers exploited the eScan antivirus update mechanism to embed backdoors into corporate networks and disseminate cryptocurrency miners using the malicious software, GuptiMiner.
Cybersecurity firm Avast reports that the perpetrators conducted an adversary-in-the-middle (AitM) attack to intercept the standard virus definition update package, replacing it with a malicious file (updll62.dlz). This file contains both the antivirus updates and the GuptiMiner cryptominer as a DLL library (version.dll).
Once the update package is unpacked and executed, the DLL file is loaded through legitimate eScan binary files, granting the malware system-level privileges. The DLL then downloads additional malicious modules, secures its presence on the infected host, manipulates DNS settings, injects shellcode into legitimate processes, and performs other operations, including encrypting data in the Windows registry and extracting executable files from PNG images.
GuptiMiner also checks if the system has more than 4 CPU cores and 4 GB of RAM to avoid sandboxing, and detects whether analysis tools such as Wireshark, WinDbg, TCPView, 360 Total Security, Huorong Internet Security, Process Explorer, Process Monitor, and OllyDbg are active.
Researchers note that GuptiMiner may be linked to the North Korean hacker group Kimsuky, evidenced by the use of the domain “mygamesonline[.]org,” frequently employed in Kimsuky operations.
The report mentions that the hackers deployed multiple types of malware, including two different backdoors and the Monero mining software XMRig, possibly as a distraction from the primary attack.
Following the disclosure of the vulnerability, the antivirus manufacturer eScan confirmed that the issue had been resolved. eScan has also strengthened the authentication of binary files and shifted to using encrypted HTTPS connections for updates.
Despite these improvements, Avast continues to record new infections by GuptiMiner, which may indicate the use of outdated eScan client versions. A list of GuptiMiner indicators of compromise, which can aid in defending against this threat, is available on the GitHub page.