
Antivirus updates exploited for GuptiMiner malware deployment


Threat actors suspected of links to the North Korean advanced persistent threat group Kimsuky have hijacked the eScan antivirus software's update mechanism to deliver the sophisticated GuptiMiner malware, which in turn distributes cryptocurrency mining payloads, according to BleepingComputer.

Avast researchers reported that the eScan updater's legitimate virus definition update package was replaced with a malicious file containing GuptiMiner and a DLL; executing the updater then granted the malware system-level privileges. From there, the malware retrieved additional payloads, established persistence on the host, manipulated DNS, injected shellcode into processes, used code virtualization, and stored XOR-encrypted payloads in the Windows registry.

GuptiMiner then delivers an updated version of the Putty Link malware targeting Windows 7 and Windows Server 2008 systems; a sophisticated modular payload aimed at cryptocurrency wallets and stored private keys; and the XMRig cryptominer. While eScan has addressed the issue, new infections continue amid lagging patching, Avast said.
