24 April 2024

GuptiMiner campaign hijacks antivirus updates to distribute backdoors

A sophisticated malware campaign has been exploiting the update mechanism of eScan antivirus software to distribute backdoors and coinminers. The campaign, attributed to a threat actor potentially linked to the North Korean state-backed Kimsuky hacker group, targets large corporate networks.

The malware, dubbed ‘GuptiMiner’ by Avast researchers, employs a multifaceted infection chain leveraging various techniques to breach systems. GuptiMiner utilizes DNS requests to attacker-controlled servers, sideloading, payload extraction from innocuous-looking images, and signing payloads with a custom trusted root anchor certification authority, among other tactics.

“As the malware connects to the malicious DNS servers directly, the DNS protocol is completely separated from the DNS network. Thus, no legitimate DNS server will ever see the traffic from this malware. The DNS protocol is used here as a functional equivalent of telnet. Because of this, this technique is not DNS spoofing, since spoofing traditionally happens on the DNS network,” the researchers noted.
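Because the malware talks to attacker-run DNS servers directly, the traffic never reaches the organisation's own resolvers, which makes the bypass itself detectable in flow logs. The following check is an added example for this article (not Avast's code or tooling): it reads constructed flow records and flags hosts sending port-53 traffic to anything other than an assumed allowlist of corporate resolvers.

```python
import ipaddress
from collections import defaultdict

# Assumed corporate resolvers (constructed values for this example).
APPROVED_RESOLVERS = {
    ipaddress.ip_address("10.0.0.53"),
    ipaddress.ip_address("10.0.1.53"),
}

# Constructed flow-log lines: "<src> <dst> <proto> <dport>".
# 10.10.4.37 sends DNS straight to an external host instead of a resolver.
SAMPLE_FLOWS = """\
10.10.4.21 10.0.0.53 udp 53
10.10.4.21 10.0.0.53 udp 53
10.10.4.37 203.0.113.9 udp 53
10.10.4.37 203.0.113.9 udp 53
10.10.4.37 203.0.113.9 tcp 53
10.10.4.22 93.184.216.34 tcp 443
10.10.4.37 10.0.1.53 udp 53
10.0.0.53 198.51.100.1 udp 53
"""


def parse_flow(line):
    """Split one flow record into (src, dst, proto, dport)."""
    src, dst, proto, dport = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport)


def find_direct_dns(lines, approved=APPROVED_RESOLVERS):
    """Return {src: {dst: count}} for DNS-port flows that bypass the approved resolvers.

    Flows originating from an approved resolver are skipped, since resolvers
    legitimately forward queries upstream; everything else on port 53 that is
    not aimed at an approved resolver is reported.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        line = line.strip()
        if not line:
            continue
        src, dst, proto, dport = parse_flow(line)
        if dport != 53 or proto not in ("udp", "tcp"):
            continue
        if src in approved or dst in approved:
            continue
        hits[src][dst] += 1
    return {str(s): dict((str(d), n) for d, n in m.items()) for s, m in hits.items()}


if __name__ == "__main__":
    for host, targets in find_direct_dns(SAMPLE_FLOWS.splitlines()).items():
        print(f"{host} sent DNS to non-approved servers: {targets}")
```

In a real deployment the allowlist would come from the DHCP/DNS configuration and the input from firewall, NetFlow or Zeek conn logs; a single hit is worth a look, repeated hits to one external address are the pattern described above.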

The primary objective of GuptiMiner is to deploy backdoors within corporate networks. Avast identified two distinct variants of the backdoors. The first variant enhances PuTTY Link, enabling SMB scanning and lateral movement across networks, particularly targeting vulnerable Windows 7 and Windows Server 2008 systems. The second variant is multi-modular, allowing attackers to install additional modules while focusing on scanning for stored private keys and cryptocurrency wallets on local systems.

GuptiMiner also distributes the XMRig cryptocurrency miner on infected devices through the final stage malware called ‘Puppeteer.’

The attackers exploit a vulnerability in the update mechanism of eScan antivirus, leveraging a man-in-the-middle attack to swap legitimate updates with malicious ones.

The infection process begins when eScan requests an update and the request is intercepted by the attackers conducting the man-in-the-middle attack. The malicious update package is then unpacked and loaded by eScan, sideloading a DLL that triggers a series of steps, including shellcode execution and intermediary PE loaders.

According to Avast, eScan, an antivirus software vendor headquartered in India, had delivered updates over HTTP since at least 2019. On July 31, 2023, eScan confirmed that the vulnerability had been addressed.

Avast said it has identified potential ties between GuptiMiner, which has been active since at least 2018, and Kimsuky, based on similarities between Kimsuky's keylogger and aspects of the GuptiMiner operation.

Earlier this week, South Korean police disclosed that North Korean hacking groups, including Lazarus, Kimsuky, and Andariel, had been carrying out extensive cyber attacks against South Korean defense companies for over a year, resulting in the breach of internal networks and the theft of technical data.

