Hackers Hijack eScan antivirus updates to distribute GuptiMiner malware


By VARINDIA - 2024-05-09

GuptiMiner, a sophisticated malware campaign, exploited vulnerabilities in the update mechanism of eScan antivirus software to distribute backdoors and cryptocurrency miners.

 

The North Korean APT group Kimsuky performed a man-in-the-middle attack to replace legitimate eScan antivirus updates with malicious payloads, planting backdoors on large corporate networks and delivering cryptocurrency miners through the GuptiMiner malware.

Researchers describe GuptiMiner as "a highly sophisticated threat" that can perform DNS requests to the attacker's DNS servers, extract payloads from images, sign its payloads, and perform DLL sideloading.

 

The campaign, active since at least 2018, targeted large corporate networks and went undetected for five years due to eScan’s insecure update process, which used HTTP instead of HTTPS. Avast researchers disclosed the vulnerability to eScan and India CERT, and eScan confirmed the issue was resolved on July 31, 2023.
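
An added example, not from the article or from eScan: a minimal update-acceptance check showing the two controls an HTTP-only update process lacks, an authenticated transport and a payload digest checked against a separately authenticated manifest. The host name, file name, manifest format and sample bytes are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample data: a "legitimate" package and one swapped in transit.
LEGIT = b"constructed legitimate update package v1"
TAMPERED = b"constructed package substituted by a man-in-the-middle"

# Hypothetical manifest (file name -> SHA-256). Assumed to be authenticated
# separately, e.g. signed by the vendor and verified before use.
MANIFEST = {"update.zip": hashlib.sha256(LEGIT).hexdigest()}


def verdict(url: str, package: bytes, manifest: dict = MANIFEST) -> str:
    """Decide whether a downloaded update may be installed."""
    parts = urlsplit(url)
    # Control 1: the transport must authenticate the server (no plain HTTP).
    if parts.scheme != "https":
        return f"rejected: non-TLS source {parts.scheme}://{parts.hostname}"
    name = parts.path.rsplit("/", 1)[-1]
    expected = manifest.get(name)
    if expected is None:
        return f"rejected: not in manifest: {name}"
    # Control 2: the payload must match the authenticated digest, so a
    # swapped package fails even if the transport check is bypassed.
    actual = hashlib.sha256(package).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return f"rejected: digest mismatch for {name}"
    return f"accepted: {name}"


if __name__ == "__main__":
    base = "updates.example.com/pkg/update.zip"  # constructed host and path
    for url, pkg in [("https://" + base, LEGIT),
                     ("http://" + base, LEGIT),
                     ("https://" + base, TAMPERED)]:
        print(url, "->", verdict(url, pkg))
```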

 

The GuptiMiner malware campaign has the potential to cause significant harm to affected organizations, leading to various consequences:

Financial Losses
  • Unauthorized Cryptocurrency Mining: GuptiMiner’s cryptocurrency mining capabilities can result in substantial financial losses for affected organizations. By utilizing the compromised systems’ computational resources to mine Monero, the attackers effectively steal electricity and processing power, leading to increased operational costs and reduced system performance.
  • Productivity Losses: The unauthorized mining activities can slow down the compromised systems, affecting employee productivity and potentially disrupting business operations. This can result in lost revenue and opportunities for the affected organizations.

Data Exfiltration and Privacy Concerns
  • Sensitive Information Theft: GuptiMiner’s modular backdoor specifically targets sensitive information such as private keys and cryptocurrency wallets. The theft of private keys can lead to unauthorized access to other systems or sensitive data, while the loss of cryptocurrency wallets can result in the direct theft of digital assets.
  • Confidentiality Breaches: The malware’s ability to scan for and exfiltrate sensitive information raises serious privacy concerns. Affected organizations may face legal and regulatory consequences if confidential customer or employee data is compromised.

Reputational Damage
  • Public Disclosure: If an organization falls victim to the GuptiMiner campaign and the incident becomes public knowledge, it can significantly damage the organization’s reputation. Customers, partners, and stakeholders may lose trust in the organization’s ability to protect their data and maintain secure systems.
  • Competitive Disadvantage: The reputational damage caused by a GuptiMiner infection can put the affected organization at a competitive disadvantage, as clients and prospects may choose to do business with companies perceived as more secure.

Legal and Regulatory Consequences
  • Data Protection Laws: Depending on the jurisdiction and the nature of the exfiltrated data, affected organizations may face legal consequences under data protection laws such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).
  • Compliance Violations: Organizations operating in regulated industries, such as healthcare or finance, may face additional penalties for compliance violations if the GuptiMiner campaign results in the loss of sensitive customer or patient data.

Remediation Costs
  • Incident Response and Investigation: Responding to a GuptiMiner infection requires a thorough incident response process, including investigation, containment, and eradication of the malware. This process can be time-consuming and costly, requiring the involvement of cybersecurity professionals and potentially external consultants.
  • System Restoration and Upgrades: Removing the malware and restoring affected systems to a secure state may require significant resources. In some cases, organizations may need to upgrade their hardware or software to prevent future infections, adding to the overall remediation costs.

The extent of the impact on an organization will depend on factors such as the duration of the infection, the number of compromised systems, the sensitivity of the exfiltrated data, and the effectiveness of the organization’s incident response plan. However, the potential consequences of a GuptiMiner infection highlight the importance of robust cybersecurity measures, regular security assessments, and employee awareness training to minimize the risk of falling victim to such threats.

eScan is an antivirus and cybersecurity software suite developed by MicroWorld Software Services, an Indian company based in Pune. While it does not have a dominant global market share compared to industry leaders like Symantec, McAfee, and Kaspersky, eScan is a popular cybersecurity solution in India and some other Asian markets.

 

eScan offers various products for home users, small businesses, and enterprises, providing protection against viruses, malware, ransomware, and other cyber threats. The company claims to have millions of users worldwide, with a strong presence in the Indian subcontinent.

 

While exact market share figures are not readily available, eScan is considered one of the leading cybersecurity solutions in India, competing with other local and international players in the market. However, its global market share is relatively small compared to the top-tier antivirus vendors.
