GuptiMiner: Hijacking Antivirus Updates to Deploy Backdoors and Cryptocurrency Miners

GuptiMiner, a sophisticated malware campaign, exploited vulnerabilities in the update mechanism of eScan antivirus software to distribute backdoors and cryptocurrency miners.

The attackers, possibly tied to the North Korean APT group Kimsuky, performed a man-in-the-middle attack to replace legitimate updates with malicious payloads.

The campaign, active since at least 2018, targeted large corporate networks and went undetected for five years due to eScan’s insecure update process, which used HTTP instead of HTTPS.

Avast researchers disclosed the vulnerability to eScan and India CERT, and eScan confirmed the issue was resolved on July 31, 2023.

Impact Assessment

The GuptiMiner malware campaign has the potential to cause significant harm to affected organizations, leading to various consequences:

  • Financial Losses:
    • Unauthorized Cryptocurrency Mining: GuptiMiner’s cryptocurrency mining capabilities can result in substantial financial losses for affected organizations. By utilizing the compromised systems’ computational resources to mine Monero, the attackers effectively steal electricity and processing power, leading to increased operational costs and reduced system performance.
    • Productivity Losses: The unauthorized mining activities can slow down the compromised systems, affecting employee productivity and potentially disrupting business operations. This can result in lost revenue and opportunities for the affected organizations.
  • Data Exfiltration and Privacy Concerns:
    • Sensitive Information Theft: GuptiMiner’s modular backdoor specifically targets sensitive information such as private keys and cryptocurrency wallets. The theft of private keys can lead to unauthorized access to other systems or sensitive data, while the loss of cryptocurrency wallets can result in the direct theft of digital assets.
    • Confidentiality Breaches: The malware’s ability to scan for and exfiltrate sensitive information raises serious privacy concerns. Affected organizations may face legal and regulatory consequences if confidential customer or employee data is compromised.
  • Reputational Damage:
    • Public Disclosure: If an organization falls victim to the GuptiMiner campaign and the incident becomes public knowledge, it can significantly damage the organization’s reputation. Customers, partners, and stakeholders may lose trust in the organization’s ability to protect their data and maintain secure systems.
    • Competitive Disadvantage: The reputational damage caused by a GuptiMiner infection can put the affected organization at a competitive disadvantage, as clients and prospects may choose to do business with companies perceived as more secure.
  • Legal and Regulatory Consequences:
    • Data Protection Laws: Depending on the jurisdiction and the nature of the exfiltrated data, affected organizations may face legal consequences under data protection laws such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).
    • Compliance Violations: Organizations operating in regulated industries, such as healthcare or finance, may face additional penalties for compliance violations if the GuptiMiner campaign results in the loss of sensitive customer or patient data.
  • Remediation Costs:
    • Incident Response and Investigation: Responding to a GuptiMiner infection requires a thorough incident response process, including investigation, containment, and eradication of the malware. This process can be time-consuming and costly, requiring the involvement of cybersecurity professionals and potentially external consultants.
    • System Restoration and Upgrades: Removing the malware and restoring affected systems to a secure state may require significant resources. In some cases, organizations may need to upgrade their hardware or software to prevent future infections, adding to the overall remediation costs.

The extent of the impact on an organization will depend on factors such as the duration of the infection, the number of compromised systems, the sensitivity of the exfiltrated data, and the effectiveness of the organization’s incident response plan. However, the potential consequences of a GuptiMiner infection highlight the importance of robust cybersecurity measures, regular security assessments, and employee awareness training to minimize the risk of falling victim to such threats.

Background information

eScan is an antivirus and cybersecurity software suite developed by MicroWorld Software Services, an Indian company based in Pune. While it does not have a dominant global market share compared to industry leaders like Symantec, McAfee, and Kaspersky, eScan is a popular cybersecurity solution in India and some other Asian markets.

eScan offers various products for home users, small businesses, and enterprises, providing protection against viruses, malware, ransomware, and other cyber threats. The company claims to have millions of users worldwide, with a strong presence in the Indian subcontinent.

While exact market share figures are not readily available, eScan is considered one of the leading cybersecurity solutions in India, competing with other local and international players in the market. However, its global market share is relatively small compared to the top-tier antivirus vendors.

The GuptiMiner campaign, which allegedly targeted eScan’s software, highlights the importance of cybersecurity even for smaller players in the industry, as any vulnerability could potentially put a large user base at risk.

Technical Analysis

  1. Infection Chain: The GuptiMiner attack follows a sophisticated infection chain to compromise targeted systems:
    • MitM Attack: The attackers intercept eScan antivirus update requests through a man-in-the-middle (MitM) attack, allowing them to manipulate the update process.
    • Malicious Update Package: The legitimate update package is replaced with a malicious one named “updll62.dlz,” containing a malware-laced DLL file called “version.dll.”
    • DLL Sideloading: When the eScan updater processes the malicious package, it inadvertently sideloads “version.dll” using eScan’s legitimate binaries. This grants the malware system-level privileges.
    • Payload Retrieval: After the initial infection, the malware fetches additional payloads from the attacker’s infrastructure to expand its capabilities.
    • Persistence Mechanisms:
      • Scheduled Tasks: GuptiMiner creates scheduled tasks to ensure it remains active on the compromised system.
      • Registry Modifications: The malware modifies registry entries to maintain persistence and hinder detection efforts.
    • Anti-Analysis Techniques: To evade detection and hinder analysis efforts, GuptiMiner employs:
      • Anti-VM Checks: Determines if the malware is running in a virtual environment.
      • Anti-Debugging Measures: Prevents researchers from easily examining the malware’s behavior.
  2. Malware Stages: GuptiMiner’s infection process is meticulously divided into multiple stages, each serving a specific purpose:
    • Stage 0 – Installation: The initial stage where the malware is delivered through the hijacked eScan update mechanism, establishing a foothold on the targeted system.
    • Stage 0.9 – Installation Improvements:
      • WMI Events: Leverages Windows Management Instrumentation (WMI) events to trigger specific actions.
      • Scheduled Tasks: Creates scheduled tasks for persistence.
      • Disabling Windows Defender: Attempts to disable the built-in antivirus solution to reduce detection chances.
    • Stage 1 – PNG Loader: Extracts malicious payloads concealed within PNG images using steganography, making detection challenging.
    • Stage 2 – Gzip Loader: Decompresses and executes a compressed shellcode, deobfuscating and activating the main malicious components.
    • Stage 3 – Puppeteer: Acts as the central controller, orchestrating the deployment of backdoors and managing cryptocurrency mining operations.
    • Stage 4 – Backdoors:
      • PuTTY-based Backdoor: An enhanced version of the legitimate PuTTY remote access tool, modified for malicious activities such as SMB scanning and lateral movement.
      • Modular Backdoor: Scans for sensitive information like private keys and cryptocurrency wallets, and accepts commands to install additional modules.

    The modular nature of GuptiMiner allows the attackers to expand its capabilities based on their objectives, making it a highly adaptable threat.

  3. Backdoors: GuptiMiner employs two distinctive backdoors to maintain unauthorized access and expand its malicious capabilities within compromised networks:
    • PuTTY-based Backdoor:
      • Enhanced PuTTY Link: The attackers have modified the legitimate PuTTY Link remote access tool to create a malicious version tailored for their objectives.
      • SMB Scanning: This backdoor actively scans the compromised network for vulnerable SMB (Server Message Block) services, allowing the attackers to identify potential targets for lateral movement.
      • Lateral Movement: By exploiting the discovered SMB vulnerabilities, the PuTTY-based backdoor enables the attackers to move laterally within the network, spreading the infection to other systems and expanding their control.

    The use of a modified legitimate tool like PuTTY Link allows the attackers to blend in with normal network traffic, making detection more challenging for security solutions.

    • Modular Backdoor:
      • Information Scanning: This backdoor is designed to scan the compromised system for sensitive information, specifically targeting:
        • Private Keys: It searches for private cryptographic keys, which could be used to gain unauthorized access to other systems or decrypt sensitive data.
        • Cryptocurrency Wallets: The backdoor looks for cryptocurrency wallet files, potentially allowing the attackers to steal digital assets.
      • Command-based Module Installation: One of the key features of the modular backdoor is its ability to accept commands from the attackers to install additional modules.
        • Flexibility: This functionality provides the attackers with the flexibility to customize and extend the backdoor’s capabilities based on their specific needs and objectives.
        • Adaptive Threat: By installing new modules on demand, the attackers can adapt to different environments, evade detection, and perform a wide range of malicious activities.

    The modular nature of this backdoor makes it a highly versatile and dangerous threat, as it can be easily tailored to the attackers’ goals and remain undetected for extended periods.

  4. Cryptocurrency Mining: In addition to the backdoors, GuptiMiner also engages in unauthorized cryptocurrency mining on compromised systems, exploiting their resources for financial gain.
    • XMRig Monero Miner:
      • Deployment: GuptiMiner deploys the XMRig Monero miner on the compromised systems, harnessing their computational power to mine the Monero cryptocurrency.
      • Monero: Monero is a privacy-focused cryptocurrency that is often favored by attackers due to its enhanced anonymity features, making it more difficult to trace transactions and link them to specific individuals.

    The use of XMRig, an open-source Monero miner, allows the attackers to easily integrate cryptocurrency mining capabilities into their malware without developing their own mining software.

    • Tailored Mining Configuration:
      • Hardware Considerations: GuptiMiner intelligently tailors the mining configuration based on the hardware specifications of the compromised system.
      • CPU Utilization: The malware assesses the system’s CPU capabilities and adjusts the mining parameters accordingly to optimize mining performance while minimizing detection risks.
      • Memory Usage: GuptiMiner also takes into account the available memory resources and configures the miner to operate within certain thresholds to avoid exhausting the system’s memory and raising suspicions.

    By customizing the mining configuration based on the system’s hardware, GuptiMiner can maximize its mining efficiency while reducing the chances of being detected by users or security monitoring solutions.

The inclusion of cryptocurrency mining capabilities in GuptiMiner serves as an additional monetization stream for the attackers, allowing them to generate illicit profits alongside their other malicious activities. The choice of Monero as the mined cryptocurrency further enhances the attackers’ ability to evade tracking and maintain a degree of anonymity in their financial transactions.

Interesting Findings

During the analysis of GuptiMiner, researchers uncovered several intriguing aspects of the malware and its operations:

  1. Ties to North Korean APT Group:
    • Kimsuky: The researchers found possible connections between GuptiMiner and the North Korean advanced persistent threat (APT) group known as Kimsuky.
    • Code Similarities: Certain code fragments and functionalities within GuptiMiner bore resemblances to known Kimsuky malware, suggesting a potential link between the two.
    • Shared Infrastructure: GuptiMiner utilized some of the same infrastructure, such as command-and-control (C2) servers, that had previously been associated with Kimsuky operations.

    While these findings suggest a possible connection, further investigation is necessary to definitively attribute GuptiMiner to the Kimsuky group.

  2. DNS Requests for Payload Delivery:
    • Attacker-controlled Servers: GuptiMiner employed a technique involving DNS requests to attacker-controlled servers to facilitate payload delivery.
    • DNS Queries: The malware sent DNS queries to specific domains owned by the attackers, which responded with information about the location and nature of the payloads to be retrieved.
    • Evasion Tactic: By using DNS requests for payload delivery, GuptiMiner attempted to evade detection by security solutions that primarily focus on monitoring HTTP or HTTPS traffic.
  3. Encrypted Payloads and Images in Registry:
    • Persistence Mechanism: GuptiMiner stored encrypted payloads and images within the Windows registry as a means of persistence and to avoid detection.
    • Registry Keys: The malware created specific registry keys and stored the encrypted data within them, making it harder for security software to identify and remove the malicious components.
    • Stealth: By encrypting the payloads and images before storing them in the registry, GuptiMiner further enhanced its ability to evade detection and maintain a stealthy presence on compromised systems.
  4. Stolen Code-signing Certificates:
    • Digital Signatures: The researchers discovered that GuptiMiner payloads were digitally signed using stolen code-signing certificates.
    • Legitimate Appearance: By signing the malware payloads with valid code-signing certificates, the attackers aimed to make the files appear legitimate and bypass security checks that verify digital signatures.
    • Reputation Abuse: The use of stolen certificates allowed GuptiMiner to leverage the reputation of the legitimate certificate owners, increasing the chances of the malware being trusted and executed on targeted systems.

    The use of stolen code-signing certificates is a concerning trend in the malware landscape, as it erodes the trust placed in digital signatures and makes it more challenging for security solutions to identify malicious files.

These interesting findings highlight the sophisticated techniques employed by the GuptiMiner malware to enhance its evasion capabilities, maintain persistence, and deceive both users and security mechanisms. The potential ties to the Kimsuky APT group also underscore the need for continued vigilance and research into the evolving threat landscape.

Defense and Mitigation

To protect against GuptiMiner and similar threats, organizations and individuals should implement a multi-layered defense strategy:

  1. Secure Antivirus Update Mechanisms:
    • HTTPS: Ensure that antivirus software uses secure HTTPS connections for updating virus definitions and software components, preventing man-in-the-middle attacks.
    • Code Signing: Antivirus vendors should implement code signing to verify the integrity and authenticity of their updates, making it harder for attackers to distribute malicious files.
  2. Network Monitoring:
    • Suspicious Traffic Patterns: Implement robust network monitoring solutions to detect and flag suspicious traffic patterns, such as communication with known malicious domains or abnormal DNS requests.
    • Behavioral Analysis: Utilize advanced network monitoring tools that employ behavioral analysis techniques to identify unusual or malicious activities, even if the specific indicators of compromise (IoCs) are unknown.
  3. Regular Updates and Patching:
    • System Updates: Keep all systems, including operating systems and software applications, up to date with the latest security patches and updates to prevent the exploitation of known vulnerabilities.
    • Timely Patching: Establish a regular patching schedule and prioritize the deployment of critical security patches to minimize the window of opportunity for attackers.
  4. Endpoint Detection and Response (EDR):
    • Comprehensive Protection: Deploy EDR solutions that provide real-time monitoring, detection, and response capabilities at the endpoint level.
    • Behavioral Analysis: EDR solutions should utilize behavioral analysis techniques to identify and block malicious activities based on patterns and anomalies, rather than relying solely on signature-based detection.
    • Threat Intelligence: Leverage EDR solutions that incorporate up-to-date threat intelligence feeds to stay informed about the latest tactics, techniques, and procedures (TTPs) used by attackers.
  5. Monitoring for Indicators of Compromise (IoCs):
    • Known IoCs: Regularly monitor systems and networks for the presence of known GuptiMiner IoCs, such as:
      • Domains: Monitor for connections to malicious domains associated with GuptiMiner’s command-and-control infrastructure.
      • Mutexes: Check for the creation of specific mutexes used by GuptiMiner to ensure single instance execution and avoid conflicts with other malware.
      • PDB Paths: Look for the presence of unique PDB (Program Database) paths in the binary’s debug information, which can help identify GuptiMiner variants.
    • Threat Intelligence Sharing: Participate in threat intelligence sharing communities and subscribe to reputable threat intelligence feeds to stay updated on the latest IoCs and detection rules.

Implementing a comprehensive defense strategy that combines secure update mechanisms, network monitoring, regular patching, EDR solutions, and IoC monitoring can significantly reduce the risk of falling victim to GuptiMiner and similar threats. However, it is crucial to remain vigilant and adapt the defense measures as the threat landscape continues to evolve.
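As an added example (not part of the original writeup or of any vendor's tooling), the rules below encode three observable steps from the infection chain for Sysmon-style events: a copy of version.dll loaded from an application directory rather than the Windows system directory (the DLL sideloading step), an updater process fetching over plain HTTP instead of HTTPS, and the Windows Defender policy value being switched off. The eScan folder name, the updater executable name, the registry value chosen and the events themselves are constructed assumptions for this example.

```python
"""Triage rules for the GuptiMiner delivery chain, run over Sysmon-style
events supplied as JSON lines. All sample events are constructed."""
import json
import ntpath

# Windows DLLs that legitimately live only in the system directories; a copy
# loaded from an application folder is the classic sideloading indicator.
SYSTEM_DLLS = {"version.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Assumption: the vendor's binaries are installed under a folder named eScan.
UPDATER_MARKER = "\\escan\\"
# Assumption: one policy value a Defender-disabling stage would set to 1.
DEFENDER_KILL_SWITCH = r"windows defender\disableantispyware"


def rule_dll_sideload(ev):
    """Event 7 (ImageLoaded): system DLL loaded from a non-system directory."""
    if ev.get("EventID") != 7:
        return None
    loaded = ev["ImageLoaded"]
    name = ntpath.basename(loaded).lower()
    folder = ntpath.dirname(loaded)
    if name in SYSTEM_DLLS and not folder.lower().startswith(SYSTEM_DIRS):
        return f"{name} loaded from {folder} by {ev['Image']}"
    return None


def rule_cleartext_update(ev):
    """Event 3 (NetworkConnect): updater talking to port 80, i.e. plain HTTP."""
    if ev.get("EventID") != 3:
        return None
    if UPDATER_MARKER in ev["Image"].lower() and ev["DestinationPort"] == 80:
        return f"{ev['Image']} fetching over HTTP from {ev['DestinationIp']}"
    return None


def rule_defender_disabled(ev):
    """Event 13 (RegistryValueSet): Defender policy kill switch set to 1."""
    if ev.get("EventID") != 13:
        return None
    if (ev["TargetObject"].lower().endswith(DEFENDER_KILL_SWITCH)
            and ev["Details"].endswith("0x00000001)")):
        return f"Defender disabled via {ev['TargetObject']} by {ev['Image']}"
    return None


RULES = [rule_dll_sideload, rule_cleartext_update, rule_defender_disabled]


def triage(lines):
    """Apply every rule to every event; return (rule name, message) hits."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, msg))
    return hits


# Constructed sample events; updater.exe and stage09.exe are placeholder names.
SAMPLE_LOG = r"""
{"EventID": 7, "Image": "C:\\Program Files\\eScan\\updater.exe", "ImageLoaded": "C:\\Program Files\\eScan\\version.dll"}
{"EventID": 7, "Image": "C:\\Windows\\notepad.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll"}
{"EventID": 3, "Image": "C:\\Program Files\\eScan\\updater.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 80}
{"EventID": 3, "Image": "C:\\Program Files\\Browser\\browser.exe", "DestinationIp": "203.0.113.20", "DestinationPort": 443}
{"EventID": 13, "Image": "C:\\Windows\\Temp\\stage09.exe", "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", "Details": "DWORD (0x00000001)"}
"""

if __name__ == "__main__":
    for rule_name, message in triage(SAMPLE_LOG.splitlines()):
        print(f"[{rule_name}] {message}")
```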

Indicators of Compromise (IoCs)

The following IoCs have been identified for the GuptiMiner malware campaign:

  1. Malware Samples (SHA-256):
  2. Command and Control (C2) Domains:
  3. Mutexes:
  4. PDB Paths:

