North Korean hackers abused the eScan antivirus update mechanism to infiltrate corporate networks and distribute cryptocurrency miners through the malicious GuptiMiner.
According to a report by the security company Avast, the attackers used an adversary-in-the-middle (AitM) attack to intercept the regular virus-definition update package and replace it with a malicious file (UPDLLL62.DLZ) containing both the antivirus updates and the GuptiMiner crypto-miner in the form of a DLL library (Version.dll).
Guptiminer Infection Chain
When the update package is unpacked and executed, the DLL is loaded by eScan's legitimate binaries, so the malicious code runs with the antivirus's system privileges. The DLL then loads further malware, establishes persistence on the infected host, changes DNS settings, injects shellcode into legitimate processes, and performs other operations such as encrypting data in the Windows registry and extracting executables from PNG containers.
GuptiMiner also checks that the system has more than 4 CPU cores and 4 GB of RAM in order to evade sandboxes, and looks for monitoring tools such as Wireshark, WinDbg, TCPView, 360 Total Security, Huorong Internet Security, Process Explorer, Process Monitor, and OllyDbg.
Researchers suggest that GuptiMiner may be linked to the North Korean hacker group Kimsuky; the domain mygamesonline[.]org, frequently used by Kimsuky, was also observed.
The report notes that the attackers deployed several kinds of malware, including two distinct backdoors and the XMRig miner, possibly as a diversion from the primary attack.
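The behaviours described above (a DLL such as Version.dll loaded from a non-system directory by a trusted process, DNS settings being altered, and contact with the mygamesonline[.]org domain) are the kind of telemetry a defender can alert on. The following is an added example, not code from Avast, eScan or the GuptiMiner report: a small detector run over constructed sample log lines. The key=value log layout, the process name updater.exe and the DNS server address are assumptions made for the example; only the domain comes from the report.

```python
import re

# Constructed sample telemetry (not real eScan, Avast or Kimsuky data). The
# key=value layout, "updater.exe" and 203.0.113.5 are assumptions for this example.
SAMPLE_LOGS = [
    "ts=2024-04-23T10:00:01Z event=image_load proc=updater.exe path=C:\\Windows\\System32\\version.dll",
    "ts=2024-04-23T10:00:02Z event=image_load proc=updater.exe path=C:\\ProgramData\\Updates\\version.dll",
    "ts=2024-04-23T10:00:03Z event=dns_query proc=svchost.exe domain=mygamesonline.org",
    "ts=2024-04-23T10:00:04Z event=dns_config_change proc=updater.exe new_server=203.0.113.5",
    "ts=2024-04-23T10:00:05Z event=dns_query proc=browser.exe domain=example.com",
]

# Domain named in the report; a real deployment would load the full IoC list instead.
KNOWN_C2_DOMAINS = {"mygamesonline.org"}
# DLL names commonly side-loaded by trusted binaries; Version.dll is the one from the report.
SIDELOAD_DLL_NAMES = {"version.dll"}
# Directories from which a system DLL of that name is expected to be loaded.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict (values contain no whitespace)."""
    return dict(FIELD_RE.findall(line))


def detect(lines):
    """Return a list of alert dicts, one per suspicious event, in log order."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        kind = ev.get("event")
        if kind == "image_load":
            path = ev.get("path", "").lower()
            _directory, _, name = path.rpartition("\\")
            # A system DLL name loaded from outside the system directories is the
            # classic DLL side-loading pattern used to run Version.dll via eScan.
            if name in SIDELOAD_DLL_NAMES and not path.startswith(TRUSTED_DLL_DIRS):
                alerts.append({"rule": "dll_sideload", "proc": ev.get("proc"), "path": ev.get("path")})
        elif kind == "dns_query":
            domain = ev.get("domain", "").lower().rstrip(".")
            if domain in KNOWN_C2_DOMAINS:
                alerts.append({"rule": "known_c2_domain", "proc": ev.get("proc"), "domain": domain})
        elif kind == "dns_config_change":
            # GuptiMiner alters DNS settings; any such change is worth reviewing.
            alerts.append({"rule": "dns_config_change", "proc": ev.get("proc"),
                           "new_server": ev.get("new_server")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Of the five constructed lines, the first (version.dll from System32) is legitimate and produces no alert; the other three rules each fire once. In practice the DLL-side-loading rule should be scoped to the processes that actually ship the updater, and the domain check replaced by the published IoC list.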
After the vulnerability was disclosed, the antivirus vendor eScan confirmed that the issue had been fixed. eScan has also strengthened verification of its binaries and switched to encrypted HTTPS updates.
Despite these changes, Avast continues to record new GuptiMiner infections, suggesting that some customers are still running outdated eScan versions. A list of GuptiMiner indicators of compromise, useful for defending against this threat, is available on GitHub.
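The two fixes named above, an authenticated transport and verification of the delivered binaries, are exactly what the AitM substitution of the update package exploited. The following added example (not eScan's or Avast's code; the real eScan package format and manifest are not described here and are assumed) contrasts an updater that loads whatever DLL arrives with one that requires HTTPS and checks every archive member against a vendor manifest of SHA-256 digests, rejecting any member the manifest does not list, such as an injected Version.dll. The manifest is assumed to reach the client over an authenticated channel; the example only shows the client-side acceptance check.

```python
import hashlib
import hmac
import io
import zipfile
from urllib.parse import urlparse


def build_package(members):
    """Build an in-memory zip archive from {name: bytes}. Used only to construct
    sample update packages for this example; the real eScan format is assumed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def manifest_for(members):
    """{name: sha256 hex} for the members the vendor intends to ship. Assumed to be
    produced vendor-side and delivered to the client over an authenticated channel."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in members.items()}


def weak_updater(package):
    """The pattern the attack relied on: accept whatever arrived (over plain HTTP)
    and hand every DLL in the archive to the loader, injected Version.dll included."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return sorted(n for n in zf.namelist() if n.lower().endswith(".dll"))


def verify_update(url, package, manifest):
    """Hardened acceptance check; returns (accepted, reason). Rejects non-HTTPS
    sources, unlisted or missing archive members, and any digest mismatch."""
    if urlparse(url).scheme != "https":
        return False, "update must be fetched over HTTPS"
    try:
        with zipfile.ZipFile(io.BytesIO(package)) as zf:
            names = set(zf.namelist())
            extra = names - set(manifest)
            if extra:
                return False, "unlisted members: " + ", ".join(sorted(extra))
            missing = set(manifest) - names
            if missing:
                return False, "missing members: " + ", ".join(sorted(missing))
            for name, expected in manifest.items():
                actual = hashlib.sha256(zf.read(name)).hexdigest()
                if not hmac.compare_digest(actual, expected):
                    return False, f"digest mismatch for {name}"
    except zipfile.BadZipFile:
        return False, "package is not a valid archive"
    return True, "ok"


# Constructed sample data: a legitimate definition update, and the same package
# with an extra DLL added, as an attacker sitting on the update path could do.
LEGIT_MEMBERS = {"defs/signatures.bin": b"constructed definition data"}
LEGIT_PACKAGE = build_package(LEGIT_MEMBERS)
MANIFEST = manifest_for(LEGIT_MEMBERS)
TAMPERED_PACKAGE = build_package({**LEGIT_MEMBERS, "Version.dll": b"MZ constructed payload"})


def demo():
    """Run both updaters over the constructed packages; returns the outcomes."""
    return {
        "weak_loads": weak_updater(TAMPERED_PACKAGE),
        "https_legit": verify_update("https://updates.example/pkg", LEGIT_PACKAGE, MANIFEST),
        "https_tampered": verify_update("https://updates.example/pkg", TAMPERED_PACKAGE, MANIFEST),
        "http_legit": verify_update("http://updates.example/pkg", LEGIT_PACKAGE, MANIFEST),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The weak updater reports Version.dll as something to load; the hardened check refuses the tampered package because the DLL is not in the manifest, and refuses even a clean package fetched over plain HTTP. A digest manifest is the simplest form of the "validity of binary files" check; a vendor signature over the manifest (or over each binary) is the stronger form, since a pinned digest list must itself arrive untampered.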