Malicious software is being smuggled into systems through unauthorized antivirus updates.

A concerning trend has emerged where malicious software is infiltrating systems through unauthorized antivirus updates. Recently, some eScan antivirus users fell victim to this attack, as detailed in a report from Avast.

The threat actor responsible, potentially linked to North Korea, exploited a vulnerability in the antivirus program to introduce a backdoor known as GuptiMiner.

This breach involved gaining an adversary-in-the-middle position on the target endpoint, which let the attackers tamper with the virus definition update process. Malware was concealed within the update, so the antivirus program itself ended up executing GuptiMiner.

Understanding Kimsuky Attacks

Despite its name, GuptiMiner is not a cryptocurrency miner but a backdoor that assesses the system environment to evade detection. It is designed to disable antivirus and endpoint protection tools while deploying additional harmful payloads.

One such payload is XMRig, a genuine cryptocurrency miner. Avast has linked this attack to Kimsuky because of similarities with the Kimsuky keylogger: both use the mygamesonline[.]org domain.

Apart from XMRig, Kimsuky also deploys an enhanced version of the PuTTY Link backdoor and a sophisticated modular malware capable of stealing valuable information such as private keys and crypto wallet data. The primary targets appear to be prominent corporations.

Following the discovery of the attack campaign, eScan has addressed the vulnerability and reinforced its security mechanisms. In response to a previous incident in 2019, the company has implemented stringent checks to reject unsigned binaries, enhancing user protection.
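The core defensive point of the campaign is that an update fetched over an attacker-controllable path must be authenticated before it is loaded. The following is an added illustration, not eScan's or Avast's code: an HMAC against a pinned key stands in for the vendor's signature check (an assumption for brevity; a real updater verifies an asymmetric signature against a pinned public key so that nothing on the client can forge a valid tag), and the update payload and the in-transit modification are constructed sample data.

```python
import hashlib
import hmac

# Constructed placeholder for the key the client pins; never a real vendor key.
PINNED_KEY = b"vendor-signing-key-placeholder"


class UpdateRejected(Exception):
    """Raised when an update fails its authenticity check."""


def sign_update(payload: bytes, key: bytes = PINNED_KEY) -> bytes:
    """Vendor side: produce the tag that ships next to the definition file."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def apply_update_unchecked(payload: bytes) -> bytes:
    """Weak behaviour: whatever arrived on the wire is loaded as-is."""
    return payload


def apply_update_verified(payload: bytes, tag: bytes, key: bytes = PINNED_KEY) -> bytes:
    """Hardened behaviour: recompute the tag and compare in constant time
    before anything from the update is loaded."""
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise UpdateRejected("update failed authenticity check; refusing to load")
    return payload


def modified_in_transit(payload: bytes) -> bytes:
    """Simulates an on-path party altering the update body (constructed)."""
    return payload + b"\n;; foreign component appended in transit (constructed)"


def demo() -> dict:
    """Runs both updaters against a genuine and a tampered copy of one update."""
    genuine = b"VIRUS_DEFS v1234\nrule_a=...\nrule_b=..."  # constructed sample
    tag = sign_update(genuine)  # tag is computed by the vendor for the genuine body
    tampered = modified_in_transit(genuine)
    results = {"unchecked_loads_tampered": apply_update_unchecked(tampered) == tampered}
    try:
        apply_update_verified(tampered, tag)
        results["verified_loads_tampered"] = True
    except UpdateRejected:
        results["verified_loads_tampered"] = False
    results["verified_loads_genuine"] = apply_update_verified(genuine, tag) == genuine
    return results
```

Seen over a plain update channel, the unchecked path loads the altered body while the verified path rejects it and still accepts the untouched one.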

eScan users should update their antivirus programs promptly to protect against Kimsuky's ongoing activity targeting vulnerabilities in the system.
