Antivirus updates hijacked to drop dangerous malware

Celebrity Gig

Imagine if your antivirus program infected your computer with malware – that’s exactly what happened to some eScan antivirus users recently.

A new report from Avast has explained how a threat actor, possibly of North Korean affiliation, used a vulnerability in the antivirus program to sideload a backdoor called GuptiMiner. 

Apparently, after obtaining an adversary-in-the-middle (AitM) position on the target endpoint, hackers were able to hijack the virus definition update, and have it carry malware, as well. The virus definition database would be updated as normal, but the antivirus program would also be abused to execute and run GuptiMiner.

READ ALSO:  Alibaba to upgrade Hong Kong listing amid profit drop

Kimsuki attacks

The backdoor’s name might be somewhat confusing, because this isn’t a miner – a piece of malicious code that secretly mines cryptocurrency for the attackers. GuptiMiner is a backdoor that analyzes the environment to see if it’s running in a sandbox, disables various antivirus and endpoint protection tools, and drops additional payloads.

Among those additional payloads is, ironically enough, XMRig – an actual cryptocurrency miner. 

READ ALSO:  Nigerian railway begins e-ticketing next week

Avast has attributed this attack to Kimsuki since GuptiMiner is quite similar to the Kimsuky keylogger. Furthermore, in both instances the mygamesonline[.]org domain was used. 

XMRig is not the only piece of malicious code that Kimsuki dropped on their targets. There was also an improved version of the Putty Link backdoor, as well as an unnamed, “complex modular malware” that steals private keys, crypto wallet information, and more. 

The targets seem to be mostly big corporations.

Since the discovery of the campaign, eScan was notified and has subsequently plugged the hole. According to BleepingComputer, the company also said it received a similar report back in 2019. A year later, it implemented a robust checking mechanism, to ensure the rejection of non-signed binaries.

In conclusion, eScan users should update their antivirus programs immediately, as Kimsuki is still going after those who didn’t patch up.

More from TechRadar Pro

Categories

Share This Article
Leave a comment