Hackers Hijack Antivirus Updates to Drop Guptiminer Malware
Summary:
GuptiMiner, a malware family that Avast researchers tentatively link to the North Korean Kimsuky group, has come into the spotlight because of its capabilities and the way it was delivered. The attackers hijacked the update mechanism of eScan antivirus: the updater retrieved update packages over plain HTTP and did not validate what it received, so an adversary in the network path could swap the legitimate package for a malicious one, which eScan itself then loaded. That foothold was used to plant backdoors and deploy cryptocurrency miners on targeted networks. A notable feature of GuptiMiner is its DNS-based command and control: rather than resolving names through the host's configured resolver, it sends DNS TXT queries directly to attacker-controlled DNS servers, and the TXT answers carry the next-stage payloads and instructions. This lets the operators control infected systems, stage further payloads, and exfiltrate data while the traffic looks like ordinary DNS.
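The DNS behaviour described above leaves two marks in telemetry: queries sent to a server that is not one of the organisation's approved resolvers, and repeated TXT lookups from one host to one server. The following script, added here as an example and not code from GuptiMiner, Avast, or eScan, scores both signals over constructed DNS query log lines. The log format, the resolver addresses, the internal address range and the sample lines are assumptions for the example.

```python
"""Flag GuptiMiner-style DNS command and control in DNS query telemetry.

Added example (not GuptiMiner's or Avast's code). Two behaviours of the C2
described above are visible in telemetry: queries sent straight to a server
that is not one of the organisation's approved resolvers, and repeated TXT
lookups, whose free-form answers can carry instructions and payloads.
The log format, resolver list and sample lines are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}      # assumption: internal resolver pair
INTERNAL_NETS = [ip_network("10.0.0.0/8")]           # assumption: corporate address space

# Constructed sample lines: ts src_ip dst_ip qtype qname
SAMPLE_LOG = [
    "1700000000.01 10.0.5.20 10.0.0.53 A www.example.com",
    "1700000000.02 10.0.5.20 10.0.0.53 AAAA www.example.com",
    "1700000000.05 10.0.5.44 10.0.1.53 TXT _dmarc.example.com",
    "1700000000.10 10.0.5.31 203.0.113.45 TXT update.example.net",
    "1700000000.11 10.0.5.31 203.0.113.45 TXT update.example.net",
    "1700000000.12 10.0.5.31 203.0.113.45 TXT task.example.net",
]


@dataclass(frozen=True)
class Alert:
    host: str      # querying host
    reason: str    # "direct-dns" or "txt-beacon"
    detail: str


def parse_line(line):
    ts, src, dst, qtype, qname = line.split()
    return {"ts": ts, "src": src, "dst": dst, "qtype": qtype.upper(), "qname": qname.lower()}


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyse(lines, txt_threshold=3):
    """Return a list of Alerts for the given log lines."""
    alerts = []
    txt_queries = defaultdict(list)   # (src, dst) -> names looked up via TXT
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        rec = parse_line(raw)
        # Signal 1: DNS that bypasses the approved resolvers. Malware talking to
        # its own DNS server does this; so do misconfigured hosts, so the alert
        # carries the destination to make triage quick.
        if rec["dst"] not in APPROVED_RESOLVERS:
            where = "internal" if is_internal(rec["dst"]) else "external"
            alerts.append(Alert(rec["src"], "direct-dns",
                                f"{rec['qtype']} {rec['qname']} sent to {where} server {rec['dst']}"))
        # Signal 2: collect TXT lookups; several from one host to one server
        # looks like beaconing, a single one is usually SPF/DMARC/verification.
        if rec["qtype"] == "TXT":
            txt_queries[(rec["src"], rec["dst"])].append(rec["qname"])
    for (src, dst), names in txt_queries.items():
        if len(names) >= txt_threshold:
            alerts.append(Alert(src, "txt-beacon",
                                f"{len(names)} TXT queries to {dst}: {', '.join(sorted(set(names)))}"))
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"{a.host}  {a.reason:<12} {a.detail}")
```

On the sample data only host 10.0.5.31 is flagged: three direct-dns alerts for queries sent straight to an external server, plus one txt-beacon alert for the repeated TXT lookups. The single TXT query from 10.0.5.44 to an approved resolver stays quiet, which is the point of the threshold. On real data, feed this Zeek, Suricata, or resolver logs and tune the resolver list first; egress filtering that blocks UDP/TCP 53 to anything but the approved resolvers turns signal 1 from a detection into a prevention.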
GuptiMiner also uses steganography: next-stage payloads are hidden inside image files and carved out at runtime, so the download looks like a harmless picture and the malicious content sits where file-type checks and image viewers do not look. In addition, the malware relies on DLL sideloading: a malicious DLL is placed where a legitimate, signed executable will load it by name, so the attacker's code runs inside a trusted process. Sideloading does not grant privileges by itself; the payload inherits whatever rights the host process already has, and when that host is an antivirus component running as a service those rights are high. The main benefit to the attacker is trust: the code executes under a signed, allow-listed binary and attracts little suspicion from the security tooling on the machine.
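One simple and widespread way to hide a payload "in" an image is to append it after the format's end marker: a viewer stops reading at the end of the image, so the file still opens as a picture. The scanner below is an added example, not GuptiMiner's own extraction code; it walks the PNG chunk structure, verifies each chunk's CRC, and reports anything that follows the IEND chunk. The minimal PNG and the payload bytes are constructed for the example, and the exact layout GuptiMiner uses is not assumed.

```python
"""Detect a payload appended after the end of a PNG image.

Added example (not GuptiMiner's own extraction code). A common way to hide a
payload "in" an image is to append it after the format's end marker: viewers
stop reading at IEND, so the file still opens as a picture and a file-type
check sees a PNG. This scanner walks the chunk structure, verifies each
chunk's CRC, and reports anything that follows IEND. The PNG and the payload
bytes below are constructed for the example.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype, payload):
    """Build one PNG chunk: length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png():
    """A valid 1x1 8-bit grayscale PNG, built here so the example runs offline."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # width, height, depth, colour type 0, ...
    idat = zlib.compress(b"\x00\x00")                     # one scanline: filter byte + one pixel
    return PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"")


def scan_png(data):
    """Return a report dict (chunks, bad_crc, trailer, malformed), or None if not a PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    chunks, bad_crc = [], []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if len(body) != length:
            break                                   # truncated chunk: treat as malformed
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            bad_crc.append(ctype.decode("ascii", "replace"))   # modified chunk contents
        chunks.append(ctype.decode("ascii", "replace"))
        pos += 12 + length
        if ctype == b"IEND":
            # Everything after IEND is outside the image; a decoder never sees it.
            return {"chunks": chunks, "bad_crc": bad_crc, "trailer": data[pos:], "malformed": False}
    return {"chunks": chunks, "bad_crc": bad_crc, "trailer": b"", "malformed": True}


def is_suspicious(report):
    """True when the file carries a trailer, a corrupted chunk, or no proper IEND."""
    return report is not None and (len(report["trailer"]) > 0 or bool(report["bad_crc"]) or report["malformed"])


CLEAN_PNG = build_png()
# Constructed stand-in for a hidden second stage: an MZ header plus filler, not a real binary.
HIDDEN_PAYLOAD = b"MZ\x90\x00" + b"constructed payload, not a real binary"
STEGO_PNG = CLEAN_PNG + HIDDEN_PAYLOAD


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PNG), ("stego", STEGO_PNG)):
        r = scan_png(blob)
        print(label, r["chunks"], "trailer bytes:", len(r["trailer"]), "suspicious:", is_suspicious(r))
```

Run this over a directory of images that arrived via an update channel or a download and the trailer length alone separates the interesting files; the CRC check catches the other cheap trick of rewriting chunk contents without recomputing the checksum. It deliberately does not try to detect pixel-level steganography, which needs statistical methods and is a different problem.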
Security Officer Comments:
The attack chain also includes evasion measures. Before it does anything of value, GuptiMiner checks the host's hardware (installed RAM and CPU core count) and refuses to run on the small configurations typical of sandboxes and analysis VMs, and it looks for monitoring tools. If it finds AhnLab or Cisco Talos products on the compromised system it is reported to disable them. Together with the DNS-based C2 and the use of a trusted antivirus process as a loader, these tactics show the operators' effort to maintain persistence and stay below the detection threshold of the security software already on the machine.
Suggested Corrections:
IOCs:
https://github.com/avast/ioc/blob/master/GuptiMiner/network.txt
Avast disclosed the update-mechanism flaw to eScan, and the vendor confirmed it has been fixed; eScan installations should be on a current build that retrieves and validates updates securely. A reputable, up-to-date antivirus can detect and remove GuptiMiner components, and a full scan is a reasonable first step on suspect hosts. Because the chain installs backdoors and not just a miner, scanning is not a substitute for proper response: hunt across the estate with the published IOCs, review DNS telemetry for the malware's unusual query pattern, treat credentials used on affected hosts as exposed, and prefer rebuilding confirmed-compromised machines over cleaning them in place.
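The root cause was an updater that trusted whatever the update channel returned. The example below is added here and is not eScan's updater; it contrasts the naive pattern with a hardened one that refuses plain HTTP and verifies the server certificate, checks the package digest against a value obtained out of band, and audits the archive's entries before anything is extracted or loaded. The allowed entry names, the URLs, and the two packages are constructed for the example; the expected digest is a module constant standing in for a value that would normally arrive in a signed manifest.

```python
"""Validate an update package before applying it.

Added example, not eScan's updater. The compromise described above worked
because the updater trusted whatever the update channel returned. A hardened
updater (a) refuses plain HTTP and verifies the server certificate,
(b) checks the package digest against a value obtained out of band (here a
constant standing in for a digest carried in a signed manifest), and
(c) audits the archive's entries before anything is extracted or loaded.
Entry names, URLs and the packages are constructed for this example.
"""
import hashlib
import hmac
import io
import ssl
import urllib.request
import zipfile
from urllib.parse import urlparse

# Assumption: the set of files a definitions update is allowed to contain.
ALLOWED_ENTRIES = {"signatures/defs.dat", "release-notes.txt"}
MAX_ENTRY_SIZE = 64 * 1024 * 1024


class UpdateRejected(Exception):
    pass


def fetch_update_naive(url):
    """The pattern that was abused: any scheme, no integrity check; an on-path swap goes unnoticed."""
    return urllib.request.urlopen(url).read()


def fetch_update(url):
    """Only HTTPS, with the default context that verifies the chain and hostname."""
    if urlparse(url).scheme != "https":
        raise UpdateRejected("update URL must use https")
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        return resp.read()


def verify_digest(package, expected_sha256_hex):
    actual = hashlib.sha256(package).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256_hex):
        raise UpdateRejected(f"digest mismatch: got {actual}")


def audit_archive(package):
    """Return the entry names, or raise if the archive holds anything unexpected."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = []
        for info in zf.infolist():
            name = info.filename
            parts = name.replace("\\", "/").split("/")
            if name.startswith(("/", "\\")) or ".." in parts or ":" in name:
                raise UpdateRejected(f"path escape in entry {name!r}")
            if name not in ALLOWED_ENTRIES:
                # A DLL or EXE that the product would later load lands here.
                raise UpdateRejected(f"unexpected entry {name!r}")
            if info.file_size > MAX_ENTRY_SIZE:
                raise UpdateRejected(f"entry {name!r} too large")
            names.append(name)
        return names


def apply_update(package, expected_sha256_hex):
    """Digest first (cheap, and rejects any tampering), then structure."""
    verify_digest(package, expected_sha256_hex)
    return audit_archive(package)


def build_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed packages: a good one, and one where an on-path attacker added a DLL.
GOOD_PACKAGE = build_zip({"signatures/defs.dat": b"constructed definitions",
                          "release-notes.txt": b"constructed notes"})
EXPECTED_SHA256 = hashlib.sha256(GOOD_PACKAGE).hexdigest()   # stands in for a signed-manifest value
TAMPERED_PACKAGE = build_zip({"signatures/defs.dat": b"constructed definitions",
                              "release-notes.txt": b"constructed notes",
                              "updater.dll": b"MZ\x90\x00 constructed, not a real DLL"})


if __name__ == "__main__":
    print("good package:", apply_update(GOOD_PACKAGE, EXPECTED_SHA256))
    for label, fn in (("tampered digest", lambda: apply_update(TAMPERED_PACKAGE, EXPECTED_SHA256)),
                      ("tampered archive", lambda: audit_archive(TAMPERED_PACKAGE)),
                      ("http url", lambda: fetch_update("http://updates.example.invalid/pkg.zip"))):
        try:
            fn()
        except UpdateRejected as exc:
            print(f"{label}: rejected ({exc})")
```

The digest check is what defeats the on-path swap even if transport security fails, but only if the expected value itself cannot be swapped, which is why in a real updater it comes from a manifest signed with a key pinned in the client rather than from the same server over the same channel. The archive audit is defence in depth: a product that will load code from its update directory should never accept an entry it did not expect.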
Link(s):
https://www.bleepingcomputer.com/ne...antivirus-updates-to-drop-guptiminer-malware/
https://decoded.avast.io/janrubin/g...for-distributing-backdoors-and-casual-mining/