Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Antivirus updates hijacked to drop dangerous malware

Skull and Bones.

Imagine if your antivirus program infected your computer with malware - that’s exactly what happened to some eScan antivirus users recently.

A new report from Avast has explained how a threat actor, possibly of North Korean affiliation, used a vulnerability in the antivirus program to sideload a backdoor called GuptiMiner. 

Apparently, after obtaining an adversary-in-the-middle (AitM) position on the target endpoint, hackers were able to hijack the virus definition update, and have it carry malware, as well. The virus definition database would be updated as normal, but the antivirus program would also be abused to execute and run GuptiMiner.

Kimsuki attacks

The backdoor’s name might be somewhat confusing, because this isn’t a miner - a piece of malicious code that secretly mines cryptocurrency for the attackers. GuptiMiner is a backdoor that analyzes the environment to see if it’s running in a sandbox, disables various antivirus and endpoint protection tools, and drops additional payloads.

Among those additional payloads is, ironically enough, XMRig - an actual cryptocurrency miner. 

Avast has attributed this attack to Kimsuki since GuptiMiner is quite similar to the Kimsuky keylogger. Furthermore, in both instances the mygamesonline[.]org domain was used. 

XMRig is not the only piece of malicious code that Kimsuki dropped on their targets. There was also an improved version of the Putty Link backdoor, as well as an unnamed, “complex modular malware” that steals private keys, crypto wallet information, and more. 

The targets seem to be mostly big corporations.

Since the discovery of the campaign, eScan was notified and has subsequently plugged the hole. According to BleepingComputer, the company also said it received a similar report back in 2019. A year later, it implemented a robust checking mechanism, to ensure the rejection of non-signed binaries.

In conclusion, eScan users should update their antivirus programs immediately, as Kimsuki is still going after those who didn’t patch up.

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.