GuptiMiner, a sophisticated malware campaign, exploited vulnerabilities in the update mechanism of eScan antivirus software to distribute backdoors and cryptocurrency miners.
The attackers, possibly tied to the North Korean APT group Kimsuky, performed a man-in-the-middle attack to replace legitimate updates with malicious payloads.
The campaign, active since at least 2018, targeted large corporate networks and went undetected for five years due to eScan’s insecure update process, which used HTTP instead of HTTPS.
Avast researchers disclosed the vulnerability to eScan and India CERT, and eScan confirmed the issue was resolved on July 31, 2023.
Impact Assessment
The GuptiMiner malware campaign has the potential to cause significant harm to affected organizations, leading to various consequences:
- Financial Losses:
  - Unauthorized Cryptocurrency Mining: GuptiMiner’s cryptocurrency mining capabilities can result in substantial financial losses for affected organizations. By utilizing the compromised systems’ computational resources to mine Monero, the attackers effectively steal electricity and processing power, leading to increased operational costs and reduced system performance.
  - Productivity Losses: The unauthorized mining activities can slow down the compromised systems, affecting employee productivity and potentially disrupting business operations. This can result in lost revenue and opportunities for the affected organizations.
- Data Exfiltration and Privacy Concerns:
  - Sensitive Information Theft: GuptiMiner’s modular backdoor specifically targets sensitive information such as private keys and cryptocurrency wallets. The theft of private keys can lead to unauthorized access to other systems or sensitive data, while the loss of cryptocurrency wallets can result in the direct theft of digital assets.
  - Confidentiality Breaches: The malware’s ability to scan for and exfiltrate sensitive information raises serious privacy concerns. Affected organizations may face legal and regulatory consequences if confidential customer or employee data is compromised.
- Reputational Damage:
  - Public Disclosure: If an organization falls victim to the GuptiMiner campaign and the incident becomes public knowledge, it can significantly damage the organization’s reputation. Customers, partners, and stakeholders may lose trust in the organization’s ability to protect their data and maintain secure systems.
  - Competitive Disadvantage: The reputational damage caused by a GuptiMiner infection can put the affected organization at a competitive disadvantage, as clients and prospects may choose to do business with companies perceived as more secure.
- Legal and Regulatory Consequences:
  - Data Protection Laws: Depending on the jurisdiction and the nature of the exfiltrated data, affected organizations may face legal consequences under data protection laws such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).
  - Compliance Violations: Organizations operating in regulated industries, such as healthcare or finance, may face additional penalties for compliance violations if the GuptiMiner campaign results in the loss of sensitive customer or patient data.
- Remediation Costs:
  - Incident Response and Investigation: Responding to a GuptiMiner infection requires a thorough incident response process, including investigation, containment, and eradication of the malware. This process can be time-consuming and costly, requiring the involvement of cybersecurity professionals and potentially external consultants.
  - System Restoration and Upgrades: Removing the malware and restoring affected systems to a secure state may require significant resources. In some cases, organizations may need to upgrade their hardware or software to prevent future infections, adding to the overall remediation costs.
The extent of the impact on an organization will depend on factors such as the duration of the infection, the number of compromised systems, the sensitivity of the exfiltrated data, and the effectiveness of the organization’s incident response plan. However, the potential consequences of a GuptiMiner infection highlight the importance of robust cybersecurity measures, regular security assessments, and employee awareness training to minimize the risk of falling victim to such threats.
Technical Analysis
- Infection Chain: The GuptiMiner attack follows a sophisticated infection chain to compromise targeted systems:
  - MitM Attack: The attackers intercept eScan antivirus update requests through a man-in-the-middle (MitM) attack, allowing them to manipulate the update process.
  - Malicious Update Package: The legitimate update package is replaced with a malicious one named “updll62.dlz,” containing a malware-laced DLL file called “version.dll.”
  - DLL Sideloading: When the eScan updater processes the malicious package, it inadvertently sideloads “version.dll” using eScan’s legitimate binaries. This grants the malware system-level privileges.
  - Payload Retrieval: After the initial infection, the malware fetches additional payloads from the attacker’s infrastructure to expand its capabilities.
- Persistence Mechanisms:
  - Scheduled Tasks: GuptiMiner creates scheduled tasks to ensure it remains active on the compromised system.
  - Registry Modifications: The malware modifies registry entries to maintain persistence and hinder detection efforts.
- Anti-Analysis Techniques: To evade detection and hinder analysis efforts, GuptiMiner employs:
  - Anti-VM Checks: Determines whether the malware is running in a virtual environment.
  - Anti-Debugging Measures: Prevents researchers from easily examining the malware’s behavior.
- Malware Stages: GuptiMiner’s infection process is divided into multiple stages, each serving a specific purpose:
  - Stage 0 – Installation: The initial stage, in which the malware is delivered through the hijacked eScan update mechanism and establishes a foothold on the targeted system.
  - Stage 0.9 – Installation Improvements:
    - WMI Events: Leverages Windows Management Instrumentation (WMI) events to trigger specific actions.
    - Scheduled Tasks: Creates scheduled tasks for persistence.
    - Disabling Windows Defender: Attempts to disable the built-in antivirus solution to reduce detection chances.
  - Stage 1 – PNG Loader: Extracts malicious payloads concealed within PNG images using steganography, making detection challenging.
  - Stage 2 – Gzip Loader: Decompresses gzip-packed shellcode and executes it, deobfuscating and activating the main malicious components.
  - Stage 3 – Puppeteer: Acts as the central controller, orchestrating the deployment of backdoors and managing cryptocurrency mining operations.
  - Stage 4 – Backdoors:
    - PuTTY-based Backdoor: A modified build of the legitimate PuTTY Link remote access tool, repurposed for malicious activities such as SMB scanning and lateral movement.
    - Modular Backdoor: Scans for sensitive information like private keys and cryptocurrency wallets, and accepts commands to install additional modules.
The modular nature of GuptiMiner allows the attackers to expand its capabilities based on their objectives, making it a highly adaptable threat.
- Backdoors: GuptiMiner employs two distinctive backdoors to maintain unauthorized access and expand its malicious capabilities within compromised networks:
  - PuTTY-based Backdoor:
    - Enhanced PuTTY Link: The attackers have modified the legitimate PuTTY Link remote access tool to create a malicious version tailored for their objectives.
    - SMB Scanning: This backdoor actively scans the compromised network for vulnerable SMB (Server Message Block) services, allowing the attackers to identify potential targets for lateral movement.
    - Lateral Movement: By exploiting the discovered SMB vulnerabilities, the PuTTY-based backdoor enables the attackers to move laterally within the network, spreading the infection to other systems and expanding their control.
The use of a modified legitimate tool like PuTTY Link allows the attackers to blend in with normal network traffic, making detection more challenging for security solutions.
  - Modular Backdoor:
    - Information Scanning: This backdoor is designed to scan the compromised system for sensitive information, specifically targeting:
      - Private Keys: It searches for private cryptographic keys, which could be used to gain unauthorized access to other systems or decrypt sensitive data.
      - Cryptocurrency Wallets: The backdoor looks for cryptocurrency wallet files, potentially allowing the attackers to steal digital assets.
    - Command-based Module Installation: One of the key features of the modular backdoor is its ability to accept commands from the attackers to install additional modules.
      - Flexibility: This functionality provides the attackers with the flexibility to customize and extend the backdoor’s capabilities based on their specific needs and objectives.
      - Adaptive Threat: By installing new modules on demand, the attackers can adapt to different environments, evade detection, and perform a wide range of malicious activities.
The modular nature of this backdoor makes it a highly versatile and dangerous threat, as it can be easily tailored to the attackers’ goals and remain undetected for extended periods.
- Cryptocurrency Mining: In addition to the backdoors, GuptiMiner also engages in unauthorized cryptocurrency mining on compromised systems, exploiting their resources for financial gain.
  - XMRig Monero Miner:
    - Deployment: GuptiMiner deploys the XMRig Monero miner on the compromised systems, harnessing their computational power to mine the Monero cryptocurrency.
    - Monero: Monero is a privacy-focused cryptocurrency that is often favored by attackers due to its enhanced anonymity features, making it more difficult to trace transactions and link them to specific individuals.
The use of XMRig, an open-source Monero miner, allows the attackers to easily integrate cryptocurrency mining capabilities into their malware without developing their own mining software.
  - Tailored Mining Configuration:
    - Hardware Considerations: GuptiMiner tailors the mining configuration to the hardware specifications of the compromised system.
    - CPU Utilization: The malware assesses the system’s CPU capabilities and adjusts the mining parameters accordingly to optimize mining performance while minimizing detection risks.
    - Memory Usage: GuptiMiner also takes into account the available memory resources and configures the miner to operate within certain thresholds to avoid exhausting the system’s memory and raising suspicions.
By customizing the mining configuration based on the system’s hardware, GuptiMiner can maximize its mining efficiency while reducing the chances of being detected by users or security monitoring solutions.
The inclusion of cryptocurrency mining capabilities in GuptiMiner serves as an additional monetization stream for the attackers, allowing them to generate illicit profits alongside their other malicious activities. The choice of Monero as the mined cryptocurrency further enhances the attackers’ ability to evade tracking and maintain a degree of anonymity in their financial transactions.
Interesting Findings
During the analysis of GuptiMiner, researchers uncovered several intriguing aspects of the malware and its operations:
- Ties to North Korean APT Group:
  - Kimsuky: The researchers found possible connections between GuptiMiner and the North Korean advanced persistent threat (APT) group known as Kimsuky.
  - Code Similarities: Certain code fragments and functionalities within GuptiMiner bore resemblances to known Kimsuky malware, suggesting a potential link between the two.
  - Shared Infrastructure: GuptiMiner utilized some of the same infrastructure, such as command-and-control (C2) servers, that had previously been associated with Kimsuky operations.
While these findings suggest a possible connection, further investigation is necessary to definitively attribute GuptiMiner to the Kimsuky group.
- DNS Requests for Payload Delivery:
  - Attacker-controlled Servers: GuptiMiner employed a technique involving DNS requests to attacker-controlled servers to facilitate payload delivery.
  - DNS Queries: The malware sent DNS queries to specific domains owned by the attackers, which responded with information about the location and nature of the payloads to be retrieved.
  - Evasion Tactic: By using DNS requests for payload delivery, GuptiMiner attempted to evade detection by security solutions that primarily focus on monitoring HTTP or HTTPS traffic.
- Encrypted Payloads and Images in Registry:
  - Persistence Mechanism: GuptiMiner stored encrypted payloads and images within the Windows registry as a means of persistence and to avoid detection.
  - Registry Keys: The malware created specific registry keys and stored the encrypted data within them, making it harder for security software to identify and remove the malicious components.
  - Stealth: By encrypting the payloads and images before storing them in the registry, GuptiMiner further enhanced its ability to evade detection and maintain a stealthy presence on compromised systems.
- Stolen Code-signing Certificates:
  - Digital Signatures: The researchers discovered that GuptiMiner payloads were digitally signed using stolen code-signing certificates.
  - Legitimate Appearance: By signing the malware payloads with valid code-signing certificates, the attackers aimed to make the files appear legitimate and bypass security checks that verify digital signatures.
  - Reputation Abuse: The use of stolen certificates allowed GuptiMiner to leverage the reputation of the legitimate certificate owners, increasing the chances of the malware being trusted and executed on targeted systems.
The use of stolen code-signing certificates is a concerning trend in the malware landscape, as it erodes the trust placed in digital signatures and makes it more challenging for security solutions to identify malicious files.
These interesting findings highlight the sophisticated techniques employed by the GuptiMiner malware to enhance its evasion capabilities, maintain persistence, and deceive both users and security mechanisms. The potential ties to the Kimsuky APT group also underscore the need for continued vigilance and research into the evolving threat landscape.
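The DNS finding above gives a defender two concrete signals: DNS conversations with servers that are not the organization's own resolvers, and TXT answers that carry an encoded blob rather than a short text record. The Python below is an added example, not code from the Avast report; the resolver addresses, log format and all records are constructed (RFC 5737 documentation addresses, `.example` names), and the length and entropy thresholds are assumptions to be tuned against a local baseline.

```python
import base64
import math
from collections import Counter

# Assumed corporate resolvers: any DNS exchange with another server means the
# host is talking to outside DNS infrastructure instead of the local resolver.
APPROVED_RESOLVERS = {"10.0.0.2", "10.0.0.3"}
TXT_MIN_LENGTH = 120      # characters; legitimate TXT records are usually short
TXT_MIN_ENTROPY = 4.5     # bits/char; encoded or encrypted data scores higher

# Constructed blob standing in for an encoded payload pointer in a TXT answer.
BLOB = base64.b64encode(bytes(range(256))).decode()

# Constructed DNS log in key=value form, one answer per line.
LOG = f"""\
ts=2024-04-23T09:00:01 src=10.0.0.55 dst=10.0.0.2 qtype=A qname=update.vendor.example rdata=198.51.100.10
ts=2024-04-23T09:00:05 src=10.0.0.55 dst=203.0.113.9 qtype=A qname=ns.constructed.example rdata=203.0.113.9
ts=2024-04-23T09:00:06 src=10.0.0.55 dst=203.0.113.9 qtype=TXT qname=p.constructed.example rdata={BLOB}
ts=2024-04-23T09:01:00 src=10.0.0.56 dst=10.0.0.2 qtype=TXT qname=_dmarc.example.org rdata=v=DMARC1;p=reject
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_record(line: str) -> dict:
    """Split 'k=v k=v' into a dict; only the first '=' of a field separates key from value."""
    return dict(field.split("=", 1) for field in line.split())


def analyze(log: str) -> list:
    """Return (timestamp, reason) alerts for the two DNS payload-delivery signals."""
    alerts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        # Signal 1: DNS sent to a server that is not one of our resolvers.
        if rec["dst"] not in APPROVED_RESOLVERS:
            alerts.append((rec["ts"], f"DNS to unapproved server {rec['dst']} for {rec['qname']}"))
        # Signal 2: a long, high-entropy TXT answer looks like data, not configuration.
        if rec["qtype"] == "TXT":
            ent = shannon_entropy(rec["rdata"])
            if len(rec["rdata"]) >= TXT_MIN_LENGTH and ent >= TXT_MIN_ENTROPY:
                alerts.append((rec["ts"], f"TXT answer looks like an encoded blob "
                                          f"({len(rec['rdata'])} chars, {ent:.1f} bits/char)"))
    return alerts


if __name__ == "__main__":
    for ts, reason in analyze(LOG):
        print(ts, reason)
```

The DMARC record on the last line stays quiet because it is short and goes to an approved resolver; the two lines to 203.0.113.9 raise three alerts between them.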
Defense and Mitigation
To protect against GuptiMiner and similar threats, organizations and individuals should implement a multi-layered defense strategy:
- Secure Antivirus Update Mechanisms:
  - HTTPS: Ensure that antivirus software uses secure HTTPS connections for updating virus definitions and software components, preventing man-in-the-middle attacks.
  - Code Signing: Antivirus vendors should sign their updates, and the updater should verify that signature before loading any component, making it harder for attackers to distribute malicious files.
- Network Monitoring:
  - Suspicious Traffic Patterns: Implement robust network monitoring solutions to detect and flag suspicious traffic patterns, such as communication with known malicious domains or abnormal DNS requests.
  - Behavioral Analysis: Utilize advanced network monitoring tools that employ behavioral analysis techniques to identify unusual or malicious activities, even if the specific indicators of compromise (IoCs) are unknown.
- Regular Updates and Patching:
  - System Updates: Keep all systems, including operating systems and software applications, up to date with the latest security patches and updates to prevent the exploitation of known vulnerabilities.
  - Timely Patching: Establish a regular patching schedule and prioritize the deployment of critical security patches to minimize the window of opportunity for attackers.
- Endpoint Detection and Response (EDR):
  - Comprehensive Protection: Deploy EDR solutions that provide real-time monitoring, detection, and response capabilities at the endpoint level.
  - Behavioral Analysis: EDR solutions should utilize behavioral analysis techniques to identify and block malicious activities based on patterns and anomalies, rather than relying solely on signature-based detection.
  - Threat Intelligence: Leverage EDR solutions that incorporate up-to-date threat intelligence feeds to stay informed about the latest tactics, techniques, and procedures (TTPs) used by attackers.
- Monitoring for Indicators of Compromise (IoCs):
  - Known IoCs: Regularly monitor systems and networks for the presence of known GuptiMiner IoCs, such as:
    - Domains: Monitor for connections to malicious domains associated with GuptiMiner’s command-and-control infrastructure.
    - Mutexes: Check for the creation of specific mutexes used by GuptiMiner to ensure single-instance execution and avoid conflicts with other malware.
    - PDB Paths: Look for the presence of unique PDB (Program Database) paths in the binary’s debug information, which can help identify GuptiMiner variants.
  - Threat Intelligence Sharing: Participate in threat intelligence sharing communities and subscribe to reputable threat intelligence feeds to stay updated on the latest IoCs and detection rules.
Implementing a comprehensive defense strategy that combines secure update mechanisms, network monitoring, regular patching, EDR solutions, and IoC monitoring can significantly reduce the risk of falling victim to GuptiMiner and similar threats. However, it is crucial to remain vigilant and adapt the defense measures as the threat landscape continues to evolve.
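As an added illustration of the first item (secure update mechanisms), the Python below shows the check a client-side updater should perform before sideloading anything from a package: every file must be listed in a vendor-signed manifest and hash to the listed value, so both a replaced package and a smuggled `version.dll` are refused. This is not eScan's or Avast's code; the package contents and file names are constructed, and HMAC-SHA256 stands in for the vendor's public-key signature so that the example needs only the standard library.

```python
import hashlib
import hmac
import io
import json
import zipfile

# Constructed stand-in for the vendor signing key. In production this is an
# asymmetric key pair: the vendor signs with the private key and only the
# public key ships with the updater; HMAC is used here for portability.
VENDOR_KEY = b"constructed-vendor-signing-key"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_signed_update(files: dict) -> tuple:
    """Vendor side: zip the files, list their SHA-256 in a manifest, sign it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    manifest = json.dumps({n: sha256(d) for n, d in files.items()},
                          sort_keys=True).encode()
    sig = hmac.new(VENDOR_KEY, manifest, hashlib.sha256).digest()
    return buf.getvalue(), manifest, sig


def verify_update(package: bytes, manifest: bytes, sig: bytes) -> dict:
    """Client side: return {name: bytes} only if every check passes."""
    expected = hmac.new(VENDOR_KEY, manifest, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("manifest signature invalid")
    hashes = json.loads(manifest)
    files = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = zf.namelist()
        # Reject any file the manifest does not list (e.g. an added version.dll)
        # and any listed file that is missing, before looking at contents.
        if set(names) != set(hashes):
            raise ValueError(f"package contents {sorted(names)} do not match manifest")
        for name in names:
            data = zf.read(name)
            if sha256(data) != hashes[name]:
                raise ValueError(f"hash mismatch for {name}")
            files[name] = data
    return files


def try_update(package: bytes, manifest: bytes, sig: bytes) -> str:
    """Outcome as a string: 'applied' or 'rejected: <reason>'."""
    try:
        verify_update(package, manifest, sig)
        return "applied"
    except ValueError as exc:
        return f"rejected: {exc}"


# Constructed demo data: a genuine update and two MitM tampering cases.
GENUINE = {"escan_component.dll": b"constructed legitimate update bytes"}
PKG, MANIFEST, SIG = build_signed_update(GENUINE)


def tampered_replace() -> bytes:
    """Whole package swapped for one carrying a malicious DLL of the same name."""
    pkg, _, _ = build_signed_update({"escan_component.dll": b"constructed malicious bytes"})
    return pkg


def tampered_add() -> bytes:
    """Genuine file kept, but a version.dll is appended for sideloading."""
    buf = io.BytesIO(PKG)
    with zipfile.ZipFile(buf, "a") as zf:
        zf.writestr("version.dll", b"constructed malicious sideload DLL")
    return buf.getvalue()
```

`try_update(PKG, MANIFEST, SIG)` applies the genuine package, while the replaced package fails the hash check, the package with the extra `version.dll` fails the manifest check, and a manifest the attacker has altered fails the signature check.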
Indicators of Compromise (IoCs)
The following IoCs have been identified for the GuptiMiner malware campaign:
- Malware Samples (SHA-256):
- Command and Control (C2) Domains:
- Mutexes:
- PDB Paths: