Antivirus updates hijacked to drop dangerous malware

Apparently, after obtaining an adversary-in-the-middle (AitM) position on the target endpoint, hackers were able to hijack the virus definition update, and have it carry malware, as well. The virus definition database would be updated as normal, but the antivirus program would also be abused to execute and run GuptiMiner.

Kimsuki attacks

The backdoor’s name might be somewhat confusing, because this isn’t a miner - a piece of malicious code that secretly mines cryptocurrency for the attackers. GuptiMiner is a backdoor that analyzes the environment to see if it’s running in a sandbox, disables various antivirus and endpoint protection tools, and drops additional payloads.

Among those additional payloads is, ironically enough, XMRig - an actual cryptocurrency miner. 

Avast has attributed this attack to Kimsuki since GuptiMiner is quite similar to the Kimsuky keylogger. Furthermore, in both instances the mygamesonline[.]org domain was used. 

XMRig is not the only piece of malicious code that Kimsuki dropped on their targets. There was also an improved version of the Putty Link backdoor, as well as an unnamed, “complex modular malware” that steals private keys, crypto wallet information, and more. 

The targets seem to be mostly big corporations.

Since the discovery of the campaign, eScan was notified and has subsequently plugged the hole. According to BleepingComputer, the company also said it received a similar report back in 2019. A year later, it implemented a robust checking mechanism, to ensure the rejection of non-signed binaries.

In conclusion, eScan users should update their antivirus programs immediately, as Kimsuki is still going after those who didn’t patch up.

More from TechRadar Pro

• North Korean hacking group attacks ScreenConnect flaws to drop dangerous new malware
• Here's a list of the best firewalls around today
• These are the best endpoint security tools right now