GuptiMiner Infects Machines Via Hijacked Antivirus Update

According to a recent report by Avast, a new malware campaign was discovered by the security firm’s researchers hijacking an eScan antivirus update mechanism to distribute backdoors and cryptocurrency mining malware.

The malware is currently being tracked as GuptiMiner and has been seen dropping popular crypto-miner XMRig.


It was also noted that GuptiMiner has been around in one form or another, with traces dating back to 2018. It cannot be ruled out that it might be older than the 2018 date provided.

Researchers discovered that GuptiMiner has possible links to Kimsuky, a notorious North Korean APT group. Similarities between the Kimsuky keylogger and parts of the GuptiMiner operation were provided as evidence of such a link.

Regarding GuptiMiner’s primary objectives, Avast security researchers noted,

The main objective of GuptiMiner is to distribute backdoors within big corporate networks. We’ve encountered two different variants of these backdoors: The first is an enhanced build of PuTTY Link, providing SMB scanning of the local network and enabling lateral movement over the network to potentially vulnerable Windows 7 and Windows Server 2008 systems on the network. The second backdoor is multi-modular, accepting commands from the attacker to install more modules as well as focusing on scanning for stored private keys and cryptowallets on the local system…Interestingly, GuptiMiner also distributes XMRig on the infected devices, which is a bit unexpected for such a thought-through operation.

One of the malware’s more notable features is its infection chain. In summary, threat actors behind GuptiMiner have been exploiting a vulnerability within an update mechanism of Indian antivirus vendor eScan to distribute the malware by performing a man-in-the-middle attack (MitM).

Avast disclosed this security vulnerability to eScan and the India CERT and received confirmation from eScan on 2023-07-31 that the issue was fixed. Those using eScan are advised to ensure all relevant applications are updated.

MitM attacks are when a threat actor secretly intercepts and relays messages between two parties who believe they are communicating directly with each other. In practice, this is done by threat actors inserting themselves in the middle of data transactions or online communication.

Threat actors can then deliver malware to the victim, which is likely to bypass security controls as the machine sees the communication as being from a trusted source. MitM attacks are also commonly used to steal encrypted keys for authentication to steal sensitive information or facilitate bank fraud.

In the case of GuptiMiner, researchers summarized the MitM attack as follows,

The whole process starts with eScan requesting an update from the update server where an unknown MitM intercepts the download and swaps the update package with a malicious one. Then, eScan unpacks and loads the package and a DLL is sideloaded by eScan clean binaries.
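The update flow described above fails because the client installs whatever arrives on the channel. The following is an added example, not code from Avast or eScan, showing why a package signature pinned in the client defeats a swap in transit: the interceptor can replace the archive bytes but cannot produce a valid signature over them. The vendor key, version string and archive contents are constructed for the demonstration, and HMAC-SHA256 stands in for the asymmetric signature a real update client would verify with a pinned public key.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the vendor's signing key. In production this is an
# asymmetric private key held by the vendor; the client pins only the public half.
# HMAC is used here so the example runs on the standard library alone.
VENDOR_SIGNING_KEY = b"hypothetical-vendor-signing-key"


@dataclass(frozen=True)
class UpdatePackage:
    version: str
    payload: bytes    # the archive the client unpacks and loads
    signature: bytes  # vendor signature over version + payload digest


def _signed_message(version: str, payload: bytes) -> bytes:
    # Binding the version string prevents an intercepted, validly signed old
    # package from being replayed as a newer one.
    return version.encode() + b"\x00" + hashlib.sha256(payload).digest()


def sign_package(version: str, payload: bytes, key: bytes = VENDOR_SIGNING_KEY) -> UpdatePackage:
    """Vendor side: sign the version and payload digest."""
    sig = hmac.new(key, _signed_message(version, payload), hashlib.sha256).digest()
    return UpdatePackage(version, payload, sig)


def verify_package(pkg: UpdatePackage, key: bytes = VENDOR_SIGNING_KEY) -> bool:
    """Client side: recompute the expected signature and compare in constant time."""
    expected = hmac.new(key, _signed_message(pkg.version, pkg.payload), hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkg.signature)


def naive_client_accepts(pkg: UpdatePackage) -> bool:
    """A client that trusts the channel: only checks the download looks like an archive."""
    return pkg.payload.startswith(b"PK")


def hardened_client_accepts(pkg: UpdatePackage) -> bool:
    """Same sanity check, plus signature verification before anything is unpacked or loaded."""
    return naive_client_accepts(pkg) and verify_package(pkg)


def mitm_swap(pkg: UpdatePackage, malicious_payload: bytes) -> UpdatePackage:
    """Simulated interception: keep version and signature, replace the archive bytes."""
    return UpdatePackage(pkg.version, malicious_payload, pkg.signature)


def simulate_update(verify: bool, intercepted: bool) -> bool:
    """Run one update round and report whether the client would install the package."""
    genuine = sign_package("22.0.1", b"PK\x03\x04" + b"genuine update archive (constructed)")
    delivered = genuine
    if intercepted:
        delivered = mitm_swap(genuine, b"PK\x03\x04" + b"archive carrying a sideloadable DLL (constructed)")
    return hardened_client_accepts(delivered) if verify else naive_client_accepts(delivered)


if __name__ == "__main__":
    for verify in (False, True):
        for intercepted in (False, True):
            outcome = "installed" if simulate_update(verify, intercepted) else "rejected"
            print(f"verify={verify!s:5} intercepted={intercepted!s:5} -> {outcome}")
```

The unverified client installs the swapped archive just as readily as the genuine one; the verifying client rejects it because the signature no longer matches the payload digest. The same check has to run before the package is unpacked, since the DLL sideload in the eScan chain happens at load time.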

XMRig and Backdoor Creation

Avast’s research goes into much more detail regarding the infection chain and makes for exciting reading, but it is beyond the scope of this article. That said, the deployment of additional malware and backdoors should be mentioned in this article.

The crypto mining malware XMRig is injected using a hacking tool called Puppeteer, which automates several processes to streamline malware deployment. Threat actors, in this instance, store XMRig configuration files in Puppeteer to make malware injection easier.

Puppeteer's role does not end at deployment: once XMRig is running and mining cryptocurrency, Puppeteer monitors CPU usage and keeps mining activity to a minimum, so the victim is less likely to notice that something is wrong.

Further, Puppeteer facilitates the creation of backdoors on infected machines. Several different methods of creating a backdoor onto an infected machine are used and covered by Avast in their research.

Of the backdoors discovered, two were of particular interest. The first provided SMB scanning of the local network, enabling lateral movement over the network to potentially exploit vulnerable Windows 7 and Windows Server 2008 systems on the network.

The second backdoor is multi-modular, accepting commands in the background to install more modules, as well as focusing on stealing stored private keys and crypto wallet addresses.

As for the possible ties to the APT group Kimsuky, researchers noted,

However, we haven’t seen it distributed by GuptiMiner and, according to our data, it doesn’t belong to the same operation and infection chain. This malware performs stealing activities like capturing every keystroke, harvesting HTML forms from opened browser tabs, noting times of opened programs, etc., and stores them in log files…What is truly interesting, however, is that this information stealer might come from Kimsuky operations. Also known as Black Banshee, among other aliases, Kimsuky is a North Korean state-backed APT group.

GuptiMiner should be considered dangerous as the malware developers have shown skills and knowledge in malware development and deployment.

The operation revealed that the attackers were deploying a vast chain of stages and functionalities, including performing DNS requests to the attacker’s DNS servers, sideloading, extracting payloads from innocent-looking images, signing its payloads with a custom trusted root anchor certification authority, among others.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.

The PCrisk security portal is published by RCS LT, whose security researchers work together to educate computer users about the latest online security threats.
