North Korean Hackers Exploit Antivirus Flaw to Spread Malware for Five Years
April 23, 2024
North Korean hackers have compromised eScan antivirus software updates delivered via HTTP to install GuptiMiner malware.
The sophisticated attack used DLL hijacking, custom DNS, and IP masking, focusing on Windows 7 and Server 2008 systems.
GuptiMiner's installation also included a cryptocurrency miner, possibly as a distraction from the primary malware activities.
Security researchers suggest ties between the GuptiMiner malware and the North Korean APT group Kimsuky.
eScan has patched the update vulnerability and improved its security, though GuptiMiner infections persist, suggesting some systems remain unpatched.
Avast has published a GitHub page listing indicators of compromise, and users are advised to scan their systems for infections.
Summary based on 2 sources
Sources
Ars Technica • Apr 23, 2024: Hackers infect users of antivirus service that delivered updates over HTTP
BleepingComputer • Apr 23, 2024: Hackers hijack antivirus updates to drop GuptiMiner malware