Threat actors have been using a flaw in eScan, an Indian antivirus vendor, to distribute GuptiMiner malware by performing man-in-the-middle (MitM) attacks.
Cybercriminals use GuptiMiner to target large organisations, and researchers have identified two backdoor variants of the malware. The first is an upgraded PuTTY Link build that provides SMB scanning of the local networks, thereby enabling lateral movement across the network. This variant is specifically used to target Windows 7 and Windows Server 2008.
A second variant is a multi-modular tool used to install more modules on the system while simultaneously looking for stored private keys and crypto wallets on the device.
“GuptiMiner is a highly sophisticated threat that uses an interesting infection chain along with a couple of techniques that include performing DNS requests to the attacker’s DNS servers, performing sideloading, extracting payloads from innocent-looking images, signing its payloads with a custom trusted root anchor certification authority, among others,” explained researchers. “The final payload distributed by GuptiMiner was also XMRig.”
The infection chain starts when eScan requests updated files from its server. Because the threat actors intercept that request with a man-in-the-middle (MitM) attack, a malicious package replaces the legitimate files. When eScan unpacks the package, its binaries sideload a DLL, which allows the rest of the attack chain to follow.

Here’s how the installation process works:
- After the eScan update process starts, the MitM attack swaps the legitimate files for malicious ones.
- A malicious file package, updll62.dlz, is downloaded and starts to unpack.
- The malicious package's contents are then sideloaded; because the DLL runs with the same privileges as the legitimate eScan software, the malware loads every time eScan runs on the device.
- If a mutual exclusion object (mutex) is absent, the malware searches for services.exe to start the next stage of the infection.
- Finally, to maintain persistence, a clean-up is performed and the update package is removed.

Researchers also found that the malicious DLL loads several additional functions not present in the clean package. One of these functions, X64Call, is a helper used for running x64 code, so that the malware can inject and run shellcode appropriate to the OS version.
This shellcode reads an embedded PE file stored in plaintext and acts as a loader for the next stage of the infection. Furthermore, the shellcode deletes the PE's DOS header and removes the embedded PE from memory.
Every shellcode loaded by the malware alters the command line of the current process: the malware changes what GetCommandLineA/W returns, so a different command line is shown in Task Manager.
Researchers discovered that another version, which uses the mutex ONLY_ME_V3, applies code virtualisation by adding a further section, .v_lizer, to the PE file.
The authors of the malware updated the installation process over time, adding scheduled tasks, Windows Management Instrumentation (WMI) events and two PNG loaders, turning off Windows Defender during the process, and installing Windows certificates.
The malware uses the WMI events to load the first of the two PNG loaders at the path C:\PROGRAMDATA\AMD\CNext\atiadlxx.dll. Alongside this, additional clean files are downloaded to several locations on the device.

One of the interesting points about GuptiMiner is that the malware downloads the final PNG loader only when the system initiates a shutdown: during shutdown, the other processes are themselves shutting down and are no longer protecting the device.
Also, during the installation, GuptiMiner adds a root certificate to the Windows certificate store to lend further legitimacy to the process. To obtain persistence, the authors stored the payloads in registry keys and encrypted them with a fixed XOR key.
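As an added example, not from the article or the researchers, here is a small Python detector that flags the installation behaviours described above in constructed Sysmon-style log lines. The loader path comes from the article; the log format, field names, sample events and the size threshold for a suspicious registry value are assumptions.

```python
from typing import Dict, List

# Indicators the article names: the PNG-loader drop path, WMI event
# subscriptions, a root certificate install, Defender being turned off and
# payloads stored in registry values. Log format and sample lines are constructed.
LOADER_PATH = r"c:\programdata\amd\cnext\atiadlxx.dll"
PAYLOAD_MIN_BYTES = 64 * 1024  # assumption: a registry value this large is suspicious

def parse(line: str) -> Dict[str, str]:
    """Split a constructed 'key=value | key=value' event line into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

RULES = [
    ("sideloaded PNG loader", lambda e: e.get("event") == "ImageLoad"
        and e.get("image", "").lower() == LOADER_PATH),
    ("WMI event subscription", lambda e: e.get("event") == "WmiEvent"
        and e.get("operation") == "Created"),
    ("root certificate added", lambda e: e.get("event") == "RegistryValueSet"
        and "\\systemcertificates\\root\\certificates\\" in e.get("target", "").lower()),
    ("Defender disabled", lambda e: e.get("event") == "RegistryValueSet"
        and e.get("target", "").lower().endswith("\\windows defender\\disableantispyware")
        and e.get("value") == "1"),
    ("large registry value (possible stored payload)", lambda e: e.get("event") == "RegistryValueSet"
        and int(e.get("size", "0")) >= PAYLOAD_MIN_BYTES),
]

def detect(log: str) -> List[str]:
    """Return 'rule: process' for every event in the log that matches a rule."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        event = parse(line)
        for name, predicate in RULES:
            if predicate(event):
                hits.append(f"{name}: {event.get('process')}")
    return hits

# Constructed Sysmon-style events; <thumbprint> and {clsid} are placeholders.
SAMPLE_LOG = """\
event=ImageLoad | process=escan.exe | image=C:\\Program Files\\eScan\\escan.exe
event=ImageLoad | process=services.exe | image=C:\\PROGRAMDATA\\AMD\\CNext\\atiadlxx.dll
event=WmiEvent | process=powershell.exe | operation=Created | name=CommandLineEventConsumer
event=RegistryValueSet | process=svchost.exe | target=HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\<thumbprint>\\Blob | size=1200
event=RegistryValueSet | process=powershell.exe | target=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware | value=1
event=RegistryValueSet | process=rundll32.exe | target=HKLM\\SOFTWARE\\Classes\\CLSID\\{clsid}\\data | size=917504
"""

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

The first sample line (eScan's own binary loading) produces no hit; each of the remaining lines triggers exactly one rule.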
Researchers notified eScan and CERT-In and the company released a patch in August 2023.
