North Korean Hackers Exploit eScan Antivirus Backdoor

Avast uncovered a critical security flaw in eScan antivirus software exploited by North Korean hacking group Kimsuky to distribute backdoors and cryptocurrency miners. The vulnerability, unnoticed for five years, allowed attackers to hijack legitimate updates with malicious versions through an adversary-in-the-middle attack.

Trim Correspondents

Cybersecurity firm Avast has uncovered a flaw in the update mechanism of eScan antivirus software that the North Korean hacking group Kimsuky has been exploiting to distribute backdoors and cryptocurrency miners. The weakness, which went unnoticed for at least five years before eScan fixed it on July 31, 2023, allowed an attacker positioned on the network path to intercept a legitimate update request and hand the client a malicious package in place of the real one, an adversary-in-the-middle (AitM) attack.
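The following is an added example, not code from eScan, Avast, or the original article. It contrasts an update client that installs whatever the transport returns with one that checks the downloaded package against a digest obtained from a trusted channel, and simulates the on-path substitution described above with an in-memory transport. The manifest format, the `Transport` class and the package bytes are all constructed for the example; in a real product the manifest would be fetched over TLS with certificate validation (or be signed with a vendor key), and the package body is what an AitM attacker can rewrite.

```python
"""Added example: naive vs. digest-verified update install.

Assumptions (constructed for this example, not eScan's real protocol):
  - the vendor publishes a small JSON manifest {"version", "sha256"}
    over an authenticated channel;
  - the update package body travels over plain HTTP and can be
    replaced by an adversary-in-the-middle.
"""
import hashlib
import hmac
import json

# Constructed package bodies standing in for a real update archive.
GENUINE_PKG = b"escan-update-1.0.1: legitimate signature database"
MALICIOUS_PKG = b"escan-update-1.0.1: attacker-supplied loader stage"

# The manifest the vendor would serve from the authenticated channel.
TRUSTED_MANIFEST = json.dumps({
    "version": "1.0.1",
    "sha256": hashlib.sha256(GENUINE_PKG).hexdigest(),
})


class Transport:
    """Stand-in for the network.

    get_manifest() models an authenticated channel the attacker cannot
    rewrite; get_package() models plain HTTP, where tamper=True means an
    on-path attacker swaps the body for their own.
    """

    def __init__(self, tamper: bool) -> None:
        self.tamper = tamper

    def get_manifest(self) -> str:
        return TRUSTED_MANIFEST

    def get_package(self) -> bytes:
        return MALICIOUS_PKG if self.tamper else GENUINE_PKG


def naive_update(transport: Transport) -> bytes:
    """The flawed pattern: install whatever came back from the server."""
    return transport.get_package()


def verified_update(transport: Transport) -> bytes:
    """Refuse to install unless the package matches the trusted digest."""
    manifest = json.loads(transport.get_manifest())
    pkg = transport.get_package()
    actual = hashlib.sha256(pkg).hexdigest()
    # Constant-time comparison; a mismatch means the body was altered in transit.
    if not hmac.compare_digest(actual, manifest["sha256"]):
        raise ValueError("update package digest mismatch; refusing to install")
    return pkg


def install_is_rejected(transport: Transport) -> bool:
    """True when the verifying client refuses the package offered by transport."""
    try:
        verified_update(transport)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive client installs tampered package:",
          naive_update(Transport(tamper=True)) == MALICIOUS_PKG)
    print("verified client rejects tampered package:",
          install_is_rejected(Transport(tamper=True)))
    print("verified client accepts genuine package:",
          verified_update(Transport(tamper=False)) == GENUINE_PKG)
```

A digest pinned in an authenticated manifest is the minimum that defeats body substitution; a detached signature over the package (for example Ed25519 with a vendor public key shipped in the client) additionally protects against compromise of the manifest host and is what a production updater should use.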

Why this matters: This exploit highlights the growing threat of nation-state sponsored cyber attacks, which can have devastating consequences for businesses and individuals alike. The fact that a vulnerability went unnoticed for five years also underscores the need for constant vigilance and proactive security measures to stay ahead of sophisticated threats.

The exploit has been linked to a sophisticated threat known as GuptiMiner, which uses a multi-stage infection chain and several techniques to evade detection. Rather than resolving its command-and-control (C2) domains through the victim's configured resolver, GuptiMiner sends its DNS queries to servers the attackers operate, which return the real C2 addresses; it then executes a series of payloads, ultimately deploying the XMRig cryptocurrency miner and backdoors on infected systems.

Avast has identified two types of backdoors deployed by GuptiMiner, both equipped with features for lateral movement and remote command execution. One of the backdoors, an enhanced build of PuTTY Link, facilitates SMB scanning and lateral movement to potentially vulnerable systems within the network. The malware also employs various evasion techniques, including anti-VM and anti-debug tricks, code virtualization, and storing payloads in the Windows Registry.

The links between GuptiMiner and North Korean threat actors raise concerns about the campaign's objectives and targets. While the exact targets remain unclear, GuptiMiner artifacts have been traced back to India and Germany, with new infections likely originating from outdated eScan clients. The campaign coincides with reports of North Korean hacking crews targeting the defense sector, particularly in South Korea.

The eScan update hijack poses a significant threat to large corporate networks, where a single compromised endpoint can become a foothold for lateral movement, data theft and financial loss. Businesses should keep security software current, confirm that their endpoint products fetch updates over authenticated channels and validate what they download before installing it, and maintain layered defenses so that a compromised update channel does not translate directly into a network-wide intrusion.