Hackers Hijack Antivirus Updates to Drop GuptiMiner Malware. Here is what we know. Complete look


Hackers Hijack Antivirus Updates to Drop GuptiMiner Malware. Here is what we know. Complete look

In a recent turn of events, hackers have found a new way to infiltrate corporate networks. They are exploiting the updating mechanism of the eScan antivirus to plant backdoors and deliver cryptocurrency miners through GuptiMiner malware. This article will shed light on this sophisticated threat and its implications.

The GuptiMiner Threat

GuptiMiner is described as a highly sophisticated threat. It can perform DNS requests to the attacker’s DNS servers, extract payloads from images, sign its payloads, and perform DLL sideloading. This malware is not just a simple nuisance; it’s a well-orchestrated attack that can cause significant damage to corporate networks.

The Infiltration Process of GuptiMiner Malware

The infiltration process is quite ingenious. The threat actor behind GuptiMiner had an adversary-in-the-middle (AitM) position. They hijacked the normal virus definition update package and replaced it with a malicious one named ‘updll62.dlz’. This malicious file includes the necessary antivirus updates as well as a GuptiMiner malware as a DLL file named ‘version.dll’.

The eScan updater processes the package as normal, unpacking and executing it. During that stage, the DLL is sideloaded by eScan’s legitimate binaries, giving the malware system-level privileges. Next, the DLL fetches additional payloads from the attacker’s infrastructure, establishes persistence on the host via scheduled tasks, performs DNS manipulation, injects shellcode on legitimate processes, uses code virtualization, stores XOR-encrypted payloads in the Windows registry, and extracts PEs from PNGs.

The Connection to North Korea

Researchers suggest that GuptiMiner may be linked to the North Korean APT group Kimsuki. This connection is based on similarities between the information stealing function and the Kimsuky keylogger. Some parts of the GuptiMiner operation also suggest a possible connection to Kimsuki.

The Impact

The impact of this malware is far-reaching. The hackers used GuptiMiner to deploy multiple malwares on compromised systems, including two distinct backdoors and the XMRig Monero miner. The first backdoor is an enhanced version of Putty Link, deployed on corporate systems to scan the local network for vulnerable systems and pivot points for lateral movement. The second backdoor is a complex modular malware that scans the host for stored private keys and cryptocurrency wallets.


This incident serves as a reminder of the persistent threat posed by such malware campaigns. It highlights the need for robust cybersecurity measures and the importance of keeping antivirus software up to date. As the landscape of cyber threats continues to evolve, so must our defenses against them.

You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it.

Share this content:

Post Comment