North Korean hackers have been utilizing the updating system of the eScan antivirus to infiltrate major corporate networks and distribute cryptocurrency miners via the GuptiMiner malware, according to researchers.
GuptiMiner, described as a highly sophisticated threat, possesses capabilities such as performing DNS requests to the attacker’s DNS servers, extracting payloads from images, signing its payloads, and engaging in DLL sideloading.
The delivery of GuptiMiner through eScan updates involves a technique where the threat actor intercepts the normal virus definition update package and substitutes it with a malicious one labeled ‘updll62.dlz.’ This malicious file contains both the required antivirus updates and the GuptiMiner malware disguised as a DLL file named ‘version.dll.’
Upon processing the package, the eScan updater unpacks and executes it as usual. At this stage, the DLL is sideloaded by legitimate eScan binaries, granting the malware system-level privileges.
Following this, the DLL retrieves additional payloads from the attacker’s infrastructure, establishes persistence on the host through scheduled tasks, manipulates DNS settings, injects shellcode into legitimate processes, utilizes code virtualization, encrypts payloads in the Windows registry, and extracts PEs from PNGs.
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: