
eScan Antivirus Service Delivering Updates over HTTP was Attacked and Infected by Hackers

Hackers exploited a vulnerability in an antivirus service to distribute malware to unsuspecting users for a staggering five years. The attack targeted eScan Antivirus, a company based in India, which had been delivering updates over HTTP, a protocol known for its susceptibility to cyberattacks that manipulate or compromise data during transmission. Security researchers from Avast revealed that the perpetrators, possibly linked to the North Korean government, executed a sophisticated man-in-the-middle (MitM) attack. This tactic involved intercepting legitimate updates from eScan's servers and replacing them with malicious files, ultimately installing a backdoor known as GuptiMiner.

The complex nature of the attack involved a chain of infections. Initially, eScan applications communicated with the update system, providing an opportunity for threat actors to intercept and replace the update packages. The exact method of interception remains unclear, though researchers speculate that compromised networks may have facilitated the malicious redirection of traffic. To evade detection, the malware employed DLL hijacking and utilized custom domain name system (DNS) servers for connecting to attacker-controlled channels. Later iterations of the attack employed IP address masking to obfuscate the command-and-control (C&C) infrastructure.

Additionally, some variants of the malware hid their malicious code within image files, making detection more challenging. Moreover, the attackers installed a custom root TLS certificate to meet the digital signing requirements of certain systems, ensuring the successful installation of the malware. Surprisingly, alongside the backdoor, the payload included XMRig, an open-source cryptocurrency mining software, raising questions about the attackers' motives.

The GuptiMiner operation exposed two basic weaknesses in eScan's update practices: updates were delivered over plain HTTP, so they could be altered in transit, and the packages carried no digital signature the client could use to verify their integrity before installing them. eScan did not respond to inquiries about why its update process was designed this way.
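The missing control described above, shown as an added example (not eScan's or Avast's code): the publisher signs each update with an Ed25519 key, and the client verifies against a key pinned in the binary before installing anything, so a package swapped in transit fails verification no matter how it was delivered. Key generation, the `UpdatePackage` layout and the sample payloads are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is a hypothetical update as the client receives it:
// the payload bytes plus a publisher signature over the payload's SHA-256 digest.
type UpdatePackage struct {
	Payload   []byte
	Signature []byte
}

// SignUpdate is what the publisher does once, offline, with its private key.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	digest := sha256.Sum256(payload)
	return UpdatePackage{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyUpdate is the check the client must run before installing a download.
// It fails closed: any byte changed in transit invalidates the signature, and the
// key is pinned in the client rather than taken from the system trust store.
func VerifyUpdate(pub ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pkg.Signature) != ed25519.SignatureSize {
		return errors.New("update rejected: missing or malformed signature")
	}
	digest := sha256.Sum256(pkg.Payload)
	if !ed25519.Verify(pub, digest[:], pkg.Signature) {
		return errors.New("update rejected: signature does not match pinned publisher key")
	}
	return nil
}

// TamperInTransit models an on-path attacker substituting the payload while
// leaving the signature field untouched, as a MitM on plain HTTP could.
func TamperInTransit(pkg UpdatePackage, replacement []byte) UpdatePackage {
	return UpdatePackage{Payload: replacement, Signature: pkg.Signature}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed sample key pair
	genuine := SignUpdate(priv, []byte("constructed sample: genuine update"))
	fmt.Println("genuine:", VerifyUpdate(pub, genuine)) // <nil>
	swapped := TamperInTransit(genuine, []byte("constructed sample: swapped update"))
	fmt.Println("swapped:", VerifyUpdate(pub, swapped)) // rejected
}
```

Pinning the publisher key in the client matters here because the article notes the attackers installed their own root certificate; a check that consults the system trust store would have been satisfied by that certificate, while a pinned key is not.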

Users of eScan Antivirus are advised to review Avast's post for information on potential infections, although it's likely that most reputable antivirus programs would detect this threat. This incident underscores the importance of robust security measures in safeguarding against sophisticated cyberattacks.
