
North Korean Hackers Used Antivirus Updates to Spy on Firms

Hackers Laced Antivirus Software Update With a Sophisticated Malware Installer

Malicious actors possibly tied to the North Korean hacker group Kimsuky exploited a flaw within an update mechanism of Indian antivirus vendor eScan to distribute the GuptiMiner data-stealing malware to infected systems.


Security researchers at Avast Threat Labs said the malicious actors used a man-in-the-middle attack so that eScan fetched its update package from a malicious update server; the software then extracted and loaded a DLL that enabled the rest of the attack chain.

Avast suspected something unusual with eScan software updates in the summer of 2023 after some of the company's enterprise customers began receiving "unusual responses from otherwise legitimate requests." Initial investigations revealed that threat actors had hijacked the update process to download infected installers onto victims' devices instead of an update.

Researchers were unable to determine how exactly the threat actors performed the man-in-the-middle attack to replace the update server with a malicious one. "We assume that some kind of pre-infection had to be present on the victim's device or their network, causing the MitM," they said.
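The weak point in the chain above is an update client that accepts whatever comes back from the server, or from whoever sits between it and the server. The Go program below is an added example, not eScan's updater and not code from the Avast report: it shows the standard mitigation, a vendor release key pinned in the client and a signed manifest over the package hash, and walks through the cases a substituted update server can produce. The manifest format, the key handling and the sample packages are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdateManifest is what a vendor publishes next to an update package:
// the package digest plus a signature over it from the vendor's release key.
// Constructed format for this example, not any real vendor's.
type UpdateManifest struct {
	PackageSHA256 string
	Signature     []byte // Ed25519 signature over the hex-encoded digest
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned release key")
	ErrDigestMismatch = errors.New("package digest does not match the signed manifest")
)

func packageDigest(pkg []byte) string {
	sum := sha256.Sum256(pkg)
	return hex.EncodeToString(sum[:])
}

// signManifest is the vendor-side release step, done with the private key
// that never leaves the build environment.
func signManifest(priv ed25519.PrivateKey, pkg []byte) UpdateManifest {
	digest := packageDigest(pkg)
	return UpdateManifest{PackageSHA256: digest, Signature: ed25519.Sign(priv, []byte(digest))}
}

// verifyUpdate is the client-side gate that runs before anything from the
// download is extracted or loaded. The public key is pinned in the client,
// so it does not matter which server answered or whether the HTTP exchange
// was rewritten in transit: the package passes only if the vendor's key
// signed its digest.
func verifyUpdate(pinned ed25519.PublicKey, m UpdateManifest, pkg []byte) error {
	if !ed25519.Verify(pinned, []byte(m.PackageSHA256), m.Signature) {
		return ErrBadSignature
	}
	if packageDigest(pkg) != m.PackageSHA256 {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("constructed genuine update package")
	manifest := signManifest(priv, genuine)
	fmt.Println("genuine package:", verifyUpdate(pub, manifest, genuine))

	// Case 1: the server (or a MitM) swaps the package but leaves the manifest alone.
	swapped := []byte("constructed substituted package")
	fmt.Println("swapped package, original manifest:", verifyUpdate(pub, manifest, swapped))

	// Case 2: the digest in the manifest is rewritten too, but the signature cannot be.
	forged := UpdateManifest{PackageSHA256: packageDigest(swapped), Signature: manifest.Signature}
	fmt.Println("swapped package, edited manifest:", verifyUpdate(pub, forged, swapped))

	// Case 3: the manifest is re-signed with a key that is not the pinned one.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("swapped package, differently signed manifest:", verifyUpdate(pub, signManifest(otherPriv, swapped), swapped))
}
```

Only the genuine pair verifies; the three substitutions fail with ErrDigestMismatch, ErrBadSignature and ErrBadSignature. The check sits in front of extraction, which is the point: the chain described on this page begins with the updater extracting and loading a DLL, and a signature gate placed before that step turns a hijacked update server into a failed update rather than a loaded payload.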

The eScan antivirus software is developed and marketed by Mumbai-based security company MicroWorld, which offers anti-malware, anti-spyware, vulnerability assessment, penetration testing and network intrusion prevention solutions to enterprises under the eScan and Nemasis brands. The company says its clients include government and defense organizations and companies in the telecom, information technology, financial and education sectors.

According to Avast, once the eScan updater sets an update process into motion, it downloads a malicious package - updll62.dlz - which contains a malicious DLL that enjoys the same privileges as any eScan program and is loaded when the end user restarts the "updated" antivirus software.

The malicious DLL performs several tasks, including, on 64-bit systems, running x64 code from inside a 32-bit process so that it can execute injected shellcode suited to the infected device's operating system.

The shellcode is injected into services.exe and functions as a loader for second-stage malware, namely GuptiMiner, a well-known info stealer malware that has been active since at least 2018.

Avast researchers said the data-mining malware distributes backdoors within big corporate networks and called its attack technique "a masterclass in stealth and versatility."

"GuptiMiner isn't merely another malware. It's an orchestrated suite of malicious tools and cryptocurrency miners," they said. "What sets GuptiMiner apart is its sophistication and the strategic timing of its payload deployments - often during system shutdowns when defenses are low and monitoring decreases."

The researchers found that GuptiMiner was installing an enhanced build of PuTTY Link that scans the local network for open SMB ports and enables lateral movement to potentially vulnerable Windows 7 and Windows Server 2008 systems.

The data-mining malware also deployed a second backdoor that scans for stored private keys and cryptocurrency wallets on the local system and installs additional modules based on commands issued by the attackers. In addition to the backdoors, the malware also uses the popular XMRig open-source software to mine cryptocurrency.

"The strategy employed by GuptiMiner primarily targets corporate environments, leveraging the less secure HTTP protocol to remain under the radar," said cybersecurity engineer and SOC analyst Jonathan Holmes. "This has allowed it to infiltrate systems undetected, posing significant risks to business operations and data security."

The threat actors behind the campaign took special care to ensure the GuptiMiner malware and the two DLL backdoors stayed undetected inside infected local networks. Avast said both DLLs were signed under a custom root certification authority, and during installation GuptiMiner added that authority's root certificate to the Windows certificate store so that the signatures would be trusted.
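A root certificate added to the Windows store leaves a trace that endpoint telemetry can catch. The Go program below is an added example, not Avast's detection logic, that runs over a few constructed Sysmon Event ID 13 (registry value set) records: a write to a Blob value beneath SystemCertificates\Root, AuthRoot or CA is a trust-store change, and the process performing it is reported unless it is on a short allowlist. The flat JSON field layout, the allowlist and the event records are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// SysmonEvent carries the fields of a Sysmon Event ID 13 (RegistryEvent, value
// set) record used here. Field names follow Sysmon's schema; the flat JSON
// layout is an assumption about the log forwarder.
type SysmonEvent struct {
	EventID      int    `json:"EventID"`
	Image        string `json:"Image"`
	TargetObject string `json:"TargetObject"`
	Details      string `json:"Details"`
}

// A Blob value under one of these stores is the registry form of a trusted
// certificate; the 40 hex characters are the certificate's SHA-1 thumbprint.
// The hive is not anchored, so both HKLM and per-user HKU paths match.
var trustStoreBlob = regexp.MustCompile(
	`(?i)\\SystemCertificates\\(Root|AuthRoot|CA)\\Certificates\\([0-9A-F]{40})\\Blob$`)

// Windows refreshes AuthRoot through CryptSvc inside svchost.exe; any other
// writer is reported. Illustrative allowlist (assumption), tune per environment.
var expectedWriters = map[string]bool{
	`c:\windows\system32\svchost.exe`: true,
}

type Finding struct {
	Store      string
	Thumbprint string
	Image      string
}

// detectTrustStoreWrites returns one finding per certificate written into a
// trust store by a process outside the allowlist. Malformed lines and other
// event IDs are skipped.
func detectTrustStoreWrites(lines []string) []Finding {
	var findings []Finding
	for _, line := range lines {
		var ev SysmonEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil || ev.EventID != 13 {
			continue
		}
		m := trustStoreBlob.FindStringSubmatch(ev.TargetObject)
		if m == nil || expectedWriters[strings.ToLower(ev.Image)] {
			continue
		}
		findings = append(findings, Finding{Store: m[1], Thumbprint: strings.ToUpper(m[2]), Image: ev.Image})
	}
	return findings
}

// Constructed sample records (not real telemetry): a routine AuthRoot refresh,
// an unrelated Run-key write, a key-create event (ID 12), and a Root store
// write by an unexpected process.
var sampleEvents = []string{
	`{"EventID":13,"Image":"C:\\Windows\\System32\\svchost.exe","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\1111111111111111111111111111111111111111\\Blob","Details":"Binary Data"}`,
	`{"EventID":13,"Image":"C:\\Windows\\Temp\\loader.exe","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svc","Details":"C:\\Windows\\Temp\\loader.exe"}`,
	`{"EventID":12,"Image":"C:\\Windows\\Temp\\loader.exe","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates\\2222222222222222222222222222222222222222"}`,
	`{"EventID":13,"Image":"C:\\Windows\\Temp\\loader.exe","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates\\2222222222222222222222222222222222222222\\Blob","Details":"Binary Data"}`,
}

func main() {
	for _, f := range detectTrustStoreWrites(sampleEvents) {
		fmt.Printf("trust store write: store=%s thumbprint=%s by %s\n", f.Store, f.Thumbprint, f.Image)
	}
}
```

On the sample input only the last record is reported. The thumbprint in a finding is the natural pivot: it identifies the certificate to pull from the store for inspection, and the same value can be searched across the fleet to see where else the authority was installed.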

The threat actors also enhanced the persistence capability of the two backdoors by storing the payloads in registry keys and encrypting them by XOR using a fixed key. XOR is an encryption method that generates random encryption keys to match the correct ones; it cannot be cracked by brute-force techniques. "This ensures that the payloads look meaningless to the naked eye," Avast said.
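For the registry-stored payloads, the property an analyst cares about is that a fixed XOR key comes straight out of a few bytes of known plaintext: a PE payload begins with the same DOS header bytes, so XORing those against the start of the stored blob yields the key, and the candidate is confirmed by following e_lfanew to the "PE\0\0" signature in the decoded result. The Go program below is an added example, not code from the Avast report; the sample blob, its key and the header prefix are constructed here.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// dosHeaderPrefix is the first 16 bytes of the DOS header shared by most
// MSVC-linked PE files; it serves as the known plaintext.
var dosHeaderPrefix = []byte{
	0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00,
	0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,
}

// xorWithKey applies a repeating key. XOR is its own inverse, so the same
// function turns a stored blob back into the payload.
func xorWithKey(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// looksLikePE checks the MZ magic and follows e_lfanew (offset 0x3C) to the
// PE signature, rejecting offsets that point outside the buffer.
func looksLikePE(b []byte) bool {
	if len(b) < 0x40 || b[0] != 'M' || b[1] != 'Z' {
		return false
	}
	off := binary.LittleEndian.Uint32(b[0x3C:0x40])
	if uint64(off)+4 > uint64(len(b)) {
		return false
	}
	return bytes.Equal(b[off:off+4], []byte("PE\x00\x00"))
}

// recoverPayload tries repeating keys of 1..maxKeyLen bytes, each derived by
// XORing the blob's first bytes with the known header, and returns the first
// key whose decoding parses as a PE.
func recoverPayload(blob []byte, maxKeyLen int) (key, payload []byte, err error) {
	if maxKeyLen > len(dosHeaderPrefix) {
		maxKeyLen = len(dosHeaderPrefix)
	}
	if len(blob) < maxKeyLen {
		return nil, nil, errors.New("blob shorter than the maximum key length")
	}
	for n := 1; n <= maxKeyLen; n++ {
		candidate := xorWithKey(blob[:n], dosHeaderPrefix[:n])
		decoded := xorWithKey(blob, candidate)
		if looksLikePE(decoded) {
			return candidate, decoded, nil
		}
	}
	return nil, nil, errors.New("no repeating XOR key up to the given length decodes to a PE")
}

// buildSamplePayload constructs a minimal stand-in for a PE blob (not real
// malware): DOS header prefix, e_lfanew pointing at 0x40, the PE signature,
// and a short filler body.
func buildSamplePayload() []byte {
	p := make([]byte, 0x60)
	copy(p, dosHeaderPrefix)
	binary.LittleEndian.PutUint32(p[0x3C:], 0x40)
	copy(p[0x40:], "PE\x00\x00")
	copy(p[0x44:], "constructed sample body")
	return p
}

// sampleKey stands in for the fixed key of this constructed sample.
var sampleKey = []byte{0x5A, 0xC3, 0x17}

func main() {
	stored := xorWithKey(buildSamplePayload(), sampleKey) // what would sit in the registry value
	key, payload, err := recoverPayload(stored, 16)
	if err != nil {
		fmt.Println("recovery failed:", err)
		return
	}
	fmt.Printf("recovered key %x, payload header %q\n", key, payload[:2])
}
```

The loop stops at the 3-byte key because shorter candidates decode the first bytes correctly but corrupt e_lfanew, which the PE check catches. Against a real registry blob the same routine is run on the raw value bytes; if no key length up to 16 works, the stored data is either not a PE or not protected by a simple repeating XOR, and that is itself useful to know.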


Avast said the campaign could possibly be tied to the North Korean APT group Kimsuky because an information stealer discovered during the research contained a program database (PDB) path similar to one used by the cyberespionage group.

Though the researchers could not find any evidence of GuptiMiner distributing the information stealer or the latter being a part of the attack chain, they said the stealer, like the ones used by Kimsuky, searches for a specific AhnLab real-time detection window class name and hides itself from the infected user's view if it finds a match.

The information stealer also contains an encrypted payload in its resources which, when decrypted, downloads additional resources from a domain that Kimsuky has used on several occasions.

About the Author

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.
