Antivirus updates hijacked to drop dangerous malware

Image Credit: Pixabay (Image credit: Pixabay)

Imagine if your antivirus program infected your computer with malware - that’s exactly what happened to some eScan antivirus users recently.

A new report from Avast has explained how a threat actor, possibly of North Korean affiliation, used a vulnerability in the antivirus program to sideload a backdoor called GuptiMiner.

Apparently, after obtaining an adversary-in-the-middle (AitM) position on the target endpoint, hackers were able to hijack the virus definition update, and have it carry malware, as well. The virus definition database would be updated as normal, but the antivirus program would also be abused to execute and run GuptiMiner.

Kimsuki attacks

The backdoor’s name might be somewhat confusing, because this isn’t a miner - a piece of malicious code that secretly mines cryptocurrency for the attackers. GuptiMiner is a backdoor that analyzes the environment to see if it’s running in a sandbox, disables various antivirus and endpoint protection tools, and drops additional payloads.

Among those additional payloads is, ironically enough, XMRig - an actual cryptocurrency miner.

Avast has attributed this attack to Kimsuki since GuptiMiner is quite similar to the Kimsuky keylogger. Furthermore, in both instances the mygamesonline[.]org domain was used.

XMRig is not the only piece of malicious code that Kimsuki dropped on their targets. There was also an improved version of the Putty Link backdoor, as well as an unnamed, “complex modular malware” that steals private keys, crypto wallet information, and more.

The targets seem to be mostly big corporations.

Since the discovery of the campaign, eScan was notified and has subsequently plugged the hole. According to BleepingComputer, the company also said it received a similar report back in 2019. A year later, it implemented a robust checking mechanism, to ensure the rejection of non-signed binaries.

In conclusion, eScan users should update their antivirus programs immediately, as Kimsuki is still going after those who didn’t patch up.

More from TechRadar Pro

North Korean hacking group attacks ScreenConnect flaws to drop dangerous new malware
Here's a list of the best firewalls around today
These are the best endpoint security tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.