New research reveals that a malware campaign that hijacks a popular antivirus solution to install backdoors into large corporate networks has been active since at least 2018.
Security specialist Avast has published a report detailing the infection chain of the GuptiMiner malware campaign and describing how its developers have perfected their obfuscation and delivery techniques over the years.
In July 2023, Avast discovered the GuptiMiner campaign targeting eScan, an Indian antivirus product, and found evidence that the campaign had been active for at least five years, and likely longer.
The attack itself exploited a vulnerability in the eScan software update mechanism to distribute backdoors and coin miners to the targeted network.
The report described the GuptiMiner infection chain as highly sophisticated, employing a number of different offensive techniques to avoid detection, including sending DNS requests to the attacker's own DNS servers, side-loading DLLs, extracting payloads from innocuous-looking image files, and signing payloads with a custom root certificate authority that the malware installs as a trusted anchor on the victim machine.
The exploitation of the eScan vulnerability relies on a man-in-the-middle attack, the report revealed, in which the threat actor intercepts the update package in transit and replaces it with a malicious version; the update mechanism accepted the substituted package instead of rejecting it.
Avast researchers were unable to confirm how the threat actors positioned themselves to intercept the traffic, and speculated that the attacker had already compromised the target network in order to redirect update traffic through a malicious intermediary.
Once the update package has been swapped, the eScan update process unzips and executes the package. A malicious DLL contained in it is then side-loaded by legitimate, signed eScan binaries, which gives the malware the elevated privileges of the eScan process and allows the infection chain to continue.
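The following is an added illustration of the weakness described above, not eScan's updater or Avast's code. It models an update client that unpacks whatever the transport delivers, next to one that refuses to unpack a package until it matches a digest the client obtained through an authenticated channel (pinned in the client here for simplicity; a production updater would verify a code signature against a pinned key instead). The package contents, the DLL name and the transport function are all constructed for the example.

```python
"""Model of an update client that trusts its transport versus one that
authenticates the package before unpacking it. Added illustration only:
it does not reproduce eScan's updater or the GuptiMiner package format."""
import hashlib
import hmac
import io
import zipfile


def build_package(files):
    """Build an in-memory ZIP 'update package' from {name: bytes} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins: the vendor's genuine package and the attacker's swap.
GENUINE_PACKAGE = build_package({"update.txt": b"signature db 2023-07-31"})
MALICIOUS_PACKAGE = build_package({
    "update.txt": b"signature db 2023-07-31",
    "helper.dll": b"<attacker DLL that the updater will side-load>",  # hypothetical name
})

# Digest of the genuine package, assumed to have reached the client over an
# authenticated channel (e.g. embedded at build time or in a signed manifest).
PINNED_DIGEST = hashlib.sha256(GENUINE_PACKAGE).hexdigest()


def transport(package, mitm):
    """Unauthenticated download: an on-path attacker can replace the bytes."""
    return MALICIOUS_PACKAGE if mitm else package


def vulnerable_update(received):
    """Unzips whatever arrived and 'loads' every DLL in it; returns their names."""
    with zipfile.ZipFile(io.BytesIO(received)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(".dll")]


def hardened_update(received, expected_sha256):
    """Unpacks only after the package matches the pinned digest.

    compare_digest avoids a timing side channel on the comparison; the
    important property is that transport bytes are never trusted as-is."""
    actual = hashlib.sha256(received).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        raise ValueError("update package failed integrity check; not unpacked")
    return vulnerable_update(received)


def run_scenario(mitm):
    """Run both clients against one download and report what each loaded."""
    received = transport(GENUINE_PACKAGE, mitm)
    result = {"vulnerable_loaded": vulnerable_update(received)}
    try:
        result["hardened_loaded"] = hardened_update(received, PINNED_DIGEST)
    except ValueError as err:
        result["hardened_loaded"] = None
        result["hardened_error"] = str(err)
    return result


if __name__ == "__main__":
    for mitm in (False, True):
        print("mitm" if mitm else "clean", run_scenario(mitm))
```

With the man-in-the-middle active, the trusting client loads the attacker's DLL while the hardened client rejects the package outright. Note that a digest alone is only as strong as the channel it arrived over; the usual production answer is a signature verified against a key pinned in the client, so that an attacker who controls only the download path cannot forge a valid package.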
Early versions of the GuptiMiner infection chain used a DNS manipulation technique to distribute the various payloads used in the attack, but Avast noted that the threat actors behind the campaign later abandoned this approach in favor of a more efficient IP address masking technique.
The attack often uses PNG images as a vehicle to deliver malicious shellcode into the target network, disguising a payload that consists of multiple backdoors and the XMRig cryptomining software.
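As an added triage example (not Avast's tooling, and not a reproduction of GuptiMiner's specific encoding, which the report above does not detail), the following walks a PNG file's chunk structure and reports anything that is not part of a normal image: data appended after the IEND chunk, chunks whose CRC does not match, and non-standard chunk types. The sample images and the "shellcode" bytes are constructed inline.

```python
"""Triage check for image files used as payload carriers. Added example,
not part of the original report; it flags generic PNG anomalies rather than
any GuptiMiner-specific format."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification and its registered extensions.
STANDARD_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
    "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME", "eXIf",
}


def png_chunk(ctype, data):
    """Encode one chunk: 4-byte length, type, data, CRC32 over type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def make_png(width=1, height=1):
    """Build a minimal valid 8-bit RGB PNG in memory (constructed sample input)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return PNG_SIGNATURE + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b"")


def inspect_png(data):
    """Return chunk list, CRC failures, unknown chunk types and bytes after IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks, crc_failures, unknown = [], [], []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        name = ctype.decode("latin-1")
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            crc_failures.append(name)
        if name not in STANDARD_CHUNKS:
            unknown.append(name)
        chunks.append(name)
        pos += 12 + length
        if ctype == b"IEND":
            break  # anything after IEND is not image data
    trailing = len(data) - pos
    return {
        "chunks": chunks,
        "crc_failures": crc_failures,
        "unknown_chunks": unknown,
        "trailing_bytes": trailing,
        "suspicious": bool(trailing or crc_failures or unknown) or "IEND" not in chunks,
    }


# Constructed samples: a clean image, one with a payload appended after IEND,
# and one carrying the payload inside a private chunk type (type name made up).
PAYLOAD = b"\x90" * 16 + b"<constructed shellcode stand-in>"
CLEAN_PNG = make_png()
APPENDED_PNG = CLEAN_PNG + PAYLOAD
CHUNK_PNG = CLEAN_PNG[:-12] + png_chunk(b"pAYl", PAYLOAD) + png_chunk(b"IEND", b"")

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_PNG), ("appended", APPENDED_PNG), ("chunk", CHUNK_PNG)):
        print(label, inspect_png(sample))
```

A clean image parses as IHDR, IDAT, IEND with nothing left over; both carrier variants are flagged, one for trailing bytes and one for an unregistered chunk type. A real payload may also be hidden inside legitimate IDAT data or encoded in pixel values, which this structural check will not see, so treat a clean result as "nothing obvious" rather than "benign".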
Infostealer resembles a keylogger used by North Korea's Kimsuky group
Avast said it found two different backdoor variants distributed across victims' networks. The first is a modified build of PuTTY Link, the command-line connection tool.
This modified PuTTY Link is tuned to scan the local network for SMB hosts and ultimately facilitates lateral movement, potentially exploiting Windows 7 and Windows Server 2008 machines by tunneling SMB traffic through the victim's compromised device.
The other backdoor identified by Avast is a modular backdoor that specifically targets large corporate networks. It operates in two distinct phases: first, the malware scans the victim's devices for private keys and other valuable assets stored locally, and then it injects the backdoor itself in the form of shellcode.
The shellcode is designed to be modular, in that additional modules can be added to its execution flow. Once deployed, the backdoor decrypts an encrypted configuration that both makes it work as intended and helps it remain undetected.
This configuration specifies which server to communicate with, which network port to use, and the delays to insert between commands and requests.
Researchers suggested that the group behind the GuptiMiner campaign could be linked to the North Korean Kimsuky threat collective, after noticing an information stealer whose PDB path resembled the one used in a Kimsuky keylogger.
Avast disclosed the vulnerability to both eScan and the Indian computer emergency response team, CERT-In, in 2023, noting that the flaw had gone unnoticed and unaddressed for at least five years.
According to the report, eScan confirmed that the issue was successfully fixed and resolved on July 31, 2023.
Avast said it has continued to see new GuptiMiner infections, however, indicating that customers continue to use outdated and vulnerable versions.
The security firm has uploaded a full list of Indicators of Compromise (IoC) to help recognize the GuptiMiner campaign on its GitHub page.