Hijacking The eScan Antivirus Update Mechanism To Drop Malware
GuptiMiner is a sophisticated malware that exploits vulnerabilities in the update mechanism of eScan an Indian antivirus vendor using a man-in-the-middle attack. The attack begins with eScan requesting an update intercepted by a MitM attacker who replaces the update with a malicious package. When eScan unpacks and loads the package a DLL is sideloaded enabling further malicious actions. GuptiMiner employs various techniques including DNS requests to attackers servers sideloading payload extraction from images and signing payloads with trusted root certificates. Its main goal is to distribute backdoors within corporate networks and it also installs XMRig to mine cryptocurrency on infected devices.