{"id":21657,"date":"2024-04-25T12:58:14","date_gmt":"2024-04-25T12:58:14","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=21657"},"modified":"2024-04-25T19:23:01","modified_gmt":"2024-04-25T19:23:01","slug":"guptiminer-escan-miners-backdoors","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/guptiminer-escan-miners-backdoors\/","title":{"rendered":"GuptiMiner Use eScan to Spread Miners and Backdoors"},"content":{"rendered":"

A recent report by Avast researchers identified an old-timer malware called GuptiMiner. It uses the eScan antivirus update mechanism to stealthily inject backdoors and cryptocurrency mining programs<\/strong> into users’ computer systems and large corporate networks. This is further evidence that cybercriminals are adapting their techniques to bypass modern security measures. Let’s look at the situation.<\/p>\n

Campaign discovery and GuptiMiner<\/h2>\n

Avast specialists analyzed the activity<\/a> of the GuptiMiner malware active since 2018. GuptiMiner is a sophisticated malware that aims at spreading backdoors and performing hidden cryptomining in corporate networks. The malware utilizes a multi-stage infection chain. It starts by hijacking antivirus software updates through man-in-the-middle<\/a> (MitM) attacks. This allows attackers to substitute legitimate updates for malicious ones.<\/p>\n

Avast informed eScan and India CERT of the found vulnerability, which was successfully patched<\/strong> on July 31, 2023. However, since users rarely install more than one antivirus, this limits the ability to detect and analyze the full scope of GuptiMiner’s activities.<\/p>\n

\"GuptiMiner\u2019s<\/p>\n

This malware uses a complex infection chain. The attack starts by intercepting eScan antivirus updates. The update program is downloaded from the server, but in its path is an attacker who substitutes it with a malicious one. Next, eScan decompresses and downloads the package, initiating a chain of infection using a DLL. This DLL allows the virus to control further downloads<\/strong> and code execution.<\/p>\n

\"GuptiMiner
GuptiMiner is requesting the payload from a real IP address<\/figcaption><\/figure>\n

Next, GuptiMiner uses a sideloading technique to inject malicious code into trusted processes, which allows the program to remain invisible to antivirus systems. The malware also communicates with remote command and control (C2) servers<\/a> to receive commands and updates. This allows attackers to control infected systems, run additional malicious processes, or conduct cryptocurrency mining.<\/p>\n

How does GuptiMiner work?<\/h2>\n

GuptiMiner analysis revealed that the malware used a variety of sophisticated techniques to install and hide its presence on the system. Key techniques included sideloading DLL, modifying system files, and using forged digital signatures to simulate legitimacy.<\/p>\n

Also, one of the characteristic features of GuptiMiner is its ability to modularize infections. This includes performing DNS queries to the attacker’s DNS servers<\/strong> and extracting useful data from innocent-looking images. In addition to its core functionality of installing backdoors<\/a>, GuptiMiner unexpectedly spreads the XMRig miner used to mine the Monero cryptocurrency.<\/p>\n

The process of dynamically assigning mining threads for XMRig:
\nxmrig_shellcode_copy_ = xmrig_shellcode_copy;
\nnum_cores_ = num_cores;
\ndword_140020908 = 25;
\nxmrig_shellcode_copy-\u203amax_cpu_usage = '53';
\nxmrig_shellcode_copy_->threads = '1';
\nif (num_cores_ >= 6)
\nxmrig_shellcode_copy_-\u203athreads = '2';
\nif ( num_cores_ >= 8 )
\nxmrig_shellcode_copy_->threads = '3';<\/code><\/p>\n

The malware has been identified as potentially linked to the Kimsuky, a prominent North Korean hacking group. This indicates possible state sponsorship and a high degree of organization of the attacks. Before, North Korean hackers showed a certain degree of interest in acquiring cryptocurrency<\/a>. So, this should not be too much of a surprise.<\/p>\n

Two Different types of Backdoors<\/h3>\n

While analyzing the GuptiMiner malware, researchers identified two different types of backdoors<\/a>. Both types of backdoors were designed to function as part of a large-scale and well-planned campaign. But each was designed to perform specific tasks on infected corporate networks.<\/p>\n