A malware campaign hijacking a popular antivirus solution to plant backdoors on large corporate networks has been active since at least 2018, new research reveals.
Security specialist Avast has released a report detailing the infection chain of the GuptiMiner malware campaign, outlining how its developers have refined their obfuscation and delivery techniques over the years.
In July 2023, Avast uncovered the GuptiMiner campaign targeting the Indian antivirus software eScan, highlighting evidence indicating the campaign had been active for at least five years, and likely longer.
The attack itself leveraged a vulnerability in the eScan software’s update mechanism in order to distribute backdoors and coinminers on the target network.
The report described the GuptiMiner infection chain as highly sophisticated, employing a number of different offensive techniques including sending DNS requests to the attacker’s DNS servers, DLL sideloading, extracting payloads from seemingly safe image files, and signing payloads with a custom trusted root anchor certification authority to avoid detection.
Exploiting the eScan vulnerability relies on performing a man-in-the-middle attack, the report revealed, where the threat actor seizes the update package and replaces it with a malicious version.
Avast researchers were unable to confirm how the threat actors were able to intercept the packages, speculating the attacker had already compromised the target network in order to redirect traffic through its malicious middleman.
With the update package successfully swapped out, the eScan update process unpacks and executes the package, after which the DLL is sideloaded with clean eScan binaries to escalate the malware’s privileges to continue the infection chain.
Early versions of the GuptiMiner infection chain used a DNS manipulation technique to distribute the various payloads used in the attack, but Avast noted the threat actors behind the campaign had abandoned this approach in favor of a more efficient IP address masking technique.
The attack often uses PNG images as a vehicle to deliver the malicious shellcodes on the target network, disguising the payload that consisted of multiple backdoors and the XMRig cryptomining package.
Infostealer bears resemblance to North Korean Kimsuky group keylogger
Avast said they found two examples of different variants of backdoors being distributed on victim’s networks. The first of these is an enhanced build of the command-line connection tool PuTTY Link.
This enhanced PuTTY Link optimizes the build for local SMB network scanning, and ultimately facilitates lateral movement on the network with the potential to exploit Windows 7 and Windows Server 2008 machines by routing SMB traffic through the victim’s compromised device.
The other backdoor identified by Avast is a modular backdoor that specifically targets huge corporate networks. This is made up of two distinct phases - first the malware scans the victim’s devices for any private keys or valuable assets stored locally, and then the malware injects the backdoor in the form of a shellcode.
The shellcode in question was designed to be multi-modular in that it has the capacity to add more modules to the execution flow. Once distributed, the backdoor decrypts a hardcoded config that ensures that it functions as intended and is not detected.
This configuration provides details on which server to communicate with, which network port it should use, and the length of delays it should use between commands and requests.
Researchers suggested the group behind the GuptiMiner campaign could be linked to the North Korean Kimsuky threat collective, after noticing an information stealer that bore similarities with the PDB path used in a Kimsuky keylogger.
Avast disclosed the vulnerability to both eScan antivirus and the Indian computer emergency response team, India CERT, in 2023, exposing eScan’s failure to identify the issue for at least five years.
According to the report, eScan confirmed the issue was fixed and successfully resolved on 31 July 2023.
Avast said that it has continued to observe new infections by GuptiMiner, however, indicating customers continue to use outdated, vulnerable versions.
The security firm has uploaded a complete list of indicators of compromise (IoC) to help recognize the GuptiMiner campaign to its GitHub page.
