• Antivirus updates hijacked to drop dangerous malware

    From TechnologyDaily@1337:1/100 to All on Wed Apr 24 13:15:05 2024
    Antivirus updates hijacked to drop dangerous malware

    Date:
    Wed, 24 Apr 2024 13:05:52 +0000

    Description:
    Malware discovered hiding in virus database updates by Avast researchers.

    FULL STORY ======================================================================

    Imagine if your antivirus program infected your computer with malware - thats exactly what happened to some eScan antivirus users recently.

    A new report from Avast has explained how a threat actor, possibly of North Korean affiliation, used a vulnerability in the antivirus program to sideload a backdoor called GuptiMiner.

    Apparently, after obtaining an adversary-in-the-middle (AitM) position on the target endpoint, hackers were able to hijack the virus definition update, and have it carry malware, as well. The virus definition database would be
    updated as normal, but the antivirus program would also be abused to execute and run GuptiMiner. Kimsuki attacks

    The backdoors name might be somewhat confusing, because this isnt a miner - a piece of malicious code that secretly mines cryptocurrency for the attackers. GuptiMiner is a backdoor that analyzes the environment to see if its running in a sandbox, disables various antivirus and endpoint protection tools, and drops additional payloads.

    Among those additional payloads is, ironically enough, XMRig - an actual cryptocurrency miner.

    Avast has attributed this attack to Kimsuki since GuptiMiner is quite similar to the Kimsuky keylogger. Furthermore, in both instances the mygamesonline[.]org domain was used.

    XMRig is not the only piece of malicious code that Kimsuki dropped on their targets. There was also an improved version of the Putty Link backdoor, as well as an unnamed, complex modular malware that steals private keys, crypto wallet information, and more.

    The targets seem to be mostly big corporations.

    Since the discovery of the campaign, eScan was notified and has subsequently plugged the hole. According to BleepingComputer , the company also said it received a similar report back in 2019. A year later, it implemented a robust checking mechanism, to ensure the rejection of non-signed binaries.

    In conclusion, eScan users should update their antivirus programs
    immediately, as Kimsuki is still going after those who didnt patch up. More from TechRadar Pro North Korean hacking group attacks ScreenConnect flaws to drop dangerous new malware Here's a list of the best firewalls around today These are the best endpoint security tools right now



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/antivirus-updates-hijacked-to-drop-dang erous-malware


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)