GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining
Key Points
- Avast discovered and analyzed a malware campaign hijacking an eScan antivirus update mechanism to distribute backdoors and coinminers
- Avast disclosed the vulnerability to both eScan antivirus and India CERT. On 2023-07-31, eScan confirmed that the issue had been fixed
- The campaign was orchestrated by a threat actor with possible ties to Kimsuky
- Two different types of backdoors have been discovered, targeting large corporate networks
- Alongside the backdoors, the final payload distributed by GuptiMiner was the XMRig coinminer
Introduction
We have been tracking a curious one here. GuptiMiner is a highly sophisticated threat with an interesting infection chain that combines several techniques: DNS requests to the attacker’s own DNS servers, DLL sideloading, extraction of payloads from innocent-looking images, and signing of its payloads with a custom certification authority added as a trusted root anchor, among others.
The main objective of GuptiMiner is to distribute backdoors within big corporate networks. We’ve encountered two different variants of …
IoC
SHA-256 hashes
07beca60c0a50520b8dbc0b8cc2d56614dd48fef0466f846a0a03afbfc42349d
1c31d06cbdf961867ec788288b74bee0db7f07a75ae06d45d30355c0bc7b09fe
1fbc562b08637a111464ba182cd22b1286a185f7cfba143505b99b07313c97a4
294b73d38b89ce66cfdefa04b1678edf1b74a9b7f50343d9036a5d549ade509a
31dfba1b102bbf4092b25e63aae0f27386c480c10191c96c04295cb284f20878
3515113e7127dc41fb34c447f35c143f1b33fd70913034742e44ee7a9dc5cc4c
357009a70daacfc3379560286a134b89e1874ab930d84edb2d3ba418f7ad6a0b
364984e8d62eb42fd880755a296bd4a93cc071b9705c1f1b43e4c19dd84adc65
487624b44b43dacb45fd93d03e25c9f6d919eaa6f01e365bb71897a385919ddd
4dfd082eee771b7801b2ddcea9680457f76d4888c64bb0b45d4ea616f0a47f21
6305d66aac77098107e3aa6d85af1c2e3fc2bb1f639e4a9da619c8409104c414
74d7f1af69fb706e87ff0116b8e4fa3a9b87275505e2ee7a32a8628a2d066549
7a1554fe1c504786402d97edecc10c3aa12bd6b7b7b101cfc7a009ae88dd99c6
7f1221c613b9de2da62da613b8b7c9afde2ea026fe6b88198a65c9485ded7b3d
8446d4fc1310b31238f9a610cd25ea832925a25e758b9a41eea66f998163bb34
8e96d15864ec0cc6d3976d87e9e76e6eeccc23c551b22dcfacb60232773ec049
af9f1331ac671d241bf62240aa52389059b4071a0635cb9cb58fa78ab942a33b
b0f94d84888dffacbc10bd7f9983b2d681b55d7e932c2d952d47ee606058df54
c3122448ae3b21ac2431d8fd523451ff25de7f6e399ff013d6fa6953a7998fa3
d5bc6cf988c6d3c60e71195d8a5c2f7525f633bb54059688ad8cfa1d4b72aa6c
dddc57299857e6ecb2b80cbab2ae6f1978e89c4bfe664c7607129b0fc8db8b1f
de48abe380bd84b5dc940743ad6727d0372f602a8871a4a0ae2a53b15e1b1739
e0dd8af1b70f47374b0714e3b368e20dbcfa45c6fe8f4a2e72314f4cd3ef16ee
f0ccfcb5d49d08e9e66b67bb3fedc476fdf5476a432306e78ddaaba4f8e3bbc4
f656a418fca7c4275f2441840faaeb70947e4f39d3826d6d2e50a3e7b8120e4e
ff884d4c01fccf08a916f1e7168080a2d740a62a774f18e64f377d23923b0297
SHA-1 hashes
31070C2EA30E6B4E1C270DF94BE1036AE7F8616B
529763AC53562BE3C1BB2C42BCAB51E3AD8F8A56
IP addresses
179.38.204.38
185.248.160.141
185.45.192.43
23.195.101.1
URLs and domains
http://179.38.204.38
http://185.248.160.141
http://185.45.192.43
http://185.45.192.43/elimp/
http://23.195.101.1
http://_spf.microsoft.com
http://acmeautoleasing.net
http://b.guterman.net
http://breedbackfp.com
http://crl.microsoft.com
http://crl.peepzo.com
http://crl.sneakerhost.com
http://desmoinesreg.com
http://dl.sneakerhost.com/u
http://dl.sneakerhost.com
http://edgesync.net
http://espcomp.net
http://ext.microsoft.com
http://ext.peepzo.com
http://ext.sneakerhost.com
http://gesucht.net
http://globalsign.microsoft.com
http://icamper.net
http://m.airequipment.net
http://m.cbacontrols.com
http://m.gosoengine.com
http://m.guterman.net
http://m.indpendant.com
http://m.insomniaccinema.com
http://m.korkyt.net
http://m.satchmos.net
http://m.sifraco.com
http://mygamesonline.org
http://ns.bretzger.net
http://ns.deannacraite.com
http://ns.desmoinesreg.com
http://ns.dreamsoles.com
http://ns.editaccess.com
http://ns.encontacto.net
http://ns.gravelmart.net
http://ns.gridsense.net
http://ns.jetmediauk.com
http://ns.kbdn.net
http://ns.lesagencestv.net
http://ns.penawarkanser.net
http://ns.srnmicro.net
http://ns.suechiLton.com
http://ns.trafomo.com
http://ns1.earthscienceclass.com
http://ns1.peepzo.com
http://ns1.securtelecom.com
http://ns1.sneakerhost.com
http://p.bramco.net
http://p.hashvault.pro
http://r.sifraco.com
http://spf.microsoft.com
http://stwu.mygamesonline.org/home/buy.php?filename=%s&key=%s
http://stwu.mygamesonline.org/home/sel.php
http://update3.mwti.net/pub/update/updll3.dlz
http://widgeonhill.com
http://www.bascap.net
http://www.deanmiller.net/m/
http://www.elimpacific.net
http://www.righttrak.net:443
https://m.airequipment.net/gpse/
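The IoC list above mixes SHA-256 and SHA-1 digests, IP addresses and URLs in one alphabetically sorted dump, and a pasted copy of it typically carries artefacts such as a trailing "|" or the same hash in two cases. The Python below is an added example, not Avast's code and not part of the original post: it normalises a subset of the indicators published above into per-type sets and then matches them against constructed DNS, proxy and EDR log lines (the log format, hosts and client addresses are hypothetical). It goes one step beyond the list itself: a query for any label under a listed hostname also counts as a hit.

```python
"""Normalise a mixed IoC dump and match it against log lines (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Subset of the indicators published on this page, keeping the stray "|"
# entry and the mixed-case duplicate hash so that normalisation is exercised.
RAW_IOCS = """
185.45.192.43
31070C2EA30E6B4E1C270DF94BE1036AE7F8616B
74D7F1AF69FB706E87FF0116B8E4FA3A9B87275505E2EE7A32A8628A2D066549
74d7f1af69fb706e87ff0116b8e4fa3a9b87275505e2ee7a32a8628a2d066549
http://185.45.192.43/elimp/
http://ext.peepzo.com
http://ext.peepzo.com|
http://ns1.sneakerhost.com
http://www.righttrak.net:443
"""

# Constructed telemetry (hypothetical hosts, clients and format): a DNS
# resolver log, an HTTP proxy log and an EDR file event.
SAMPLE_LOGS = [
    "2024-04-23T10:01:02Z dns client=10.0.0.7 qname=ext.peepzo.com qtype=TXT",
    "2024-04-23T10:01:05Z proxy client=10.0.0.7 GET http://185.45.192.43/elimp/ 200",
    "2024-04-23T10:01:09Z proxy client=10.0.0.9 GET https://example.com/ 200",
    "2024-04-23T10:02:00Z edr host=WS07 file=C:\\Windows\\Temp\\x.dll "
    "sha256=74D7F1AF69FB706E87FF0116B8E4FA3A9B87275505E2EE7A32A8628A2D066549",
    "2024-04-23T10:02:30Z proxy client=10.0.0.9 CONNECT www.righttrak.net:443",
    "2024-04-23T10:03:00Z dns client=10.0.0.7 qname=beacon.ns1.sneakerhost.com qtype=A",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
HOST_RE = re.compile(r"^[a-z0-9._-]+$")
TOKEN_SPLIT = re.compile(r"""[\s=,;"']+""")


def _add_host_or_ip(out: dict, value: str) -> None:
    """File a bare network indicator as an IP address or a hostname."""
    try:
        ipaddress.ip_address(value)
        out["ip"].add(value)
    except ValueError:
        if HOST_RE.match(value):
            out["host"].add(value)


def classify(raw: str) -> dict[str, set[str]]:
    """Bucket indicators by type: hashes lower-cased, URLs also reduced to
    their host (scheme, port and path stripped), trailing punctuation dropped."""
    out = {"sha256": set(), "sha1": set(), "ip": set(), "host": set(), "url": set()}
    for line in raw.splitlines():
        tok = line.strip().rstrip("|,;").lower()
        if not tok:
            continue
        if SHA256_RE.match(tok):
            out["sha256"].add(tok)
        elif SHA1_RE.match(tok):
            out["sha1"].add(tok)
        elif "://" in tok:
            out["url"].add(tok)
            host = urlsplit(tok).hostname
            if host:
                _add_host_or_ip(out, host)
        else:
            _add_host_or_ip(out, tok)
    return out


def _host_hit(host: str, hosts: set[str]):
    """Return the listed host or listed parent domain covering host (never a bare TLD)."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        cand = ".".join(labels[i:])
        if cand in hosts:
            return cand
    return None


def match_line(line: str, iocs: dict) -> list[tuple[str, str]]:
    """Return (type, indicator) for every IoC seen in one log line."""
    hits = []
    for tok in TOKEN_SPLIT.split(line.lower()):
        if not tok:
            continue
        if tok in iocs["sha256"]:
            hits.append(("sha256", tok))
        elif tok in iocs["sha1"]:
            hits.append(("sha1", tok))
        else:
            # URL tokens keep only the host; "host:port" tokens drop the port
            # (IPv4/hostname only; bracketed IPv6 literals are not handled).
            host = urlsplit(tok).hostname if "://" in tok else tok.rsplit(":", 1)[0]
            if not host:
                continue
            if host in iocs["ip"]:
                hits.append(("ip", host))
            elif parent := _host_hit(host, iocs["host"]):
                hits.append(("host", parent))
    return hits


def scan(lines: list[str], iocs: dict) -> list[tuple[str, str, str]]:
    """Scan many lines; returns (line, type, indicator) triples."""
    return [(ln, kind, ind) for ln in lines for kind, ind in match_line(ln, iocs)]


if __name__ == "__main__":
    table = classify(RAW_IOCS)
    for kind, values in table.items():
        print(f"{kind}: {len(values)} indicator(s)")
    for ln, kind, ind in scan(SAMPLE_LOGS, table):
        print(f"HIT {kind}={ind} :: {ln}")
```

Hash matching is exact after lower-casing, so the uppercase digest in the EDR event still hits; network matching strips scheme, port and path first, which is why the CONNECT to port 443 and the GET against the bare IP both match, while the benign https://example.com/ line does not.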