GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining

2024-04-23 Avast

https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/

Avast analyzed GuptiMiner, a long-running malware operation that hijacked the eScan antivirus update mechanism through a man-in-the-middle attack to deliver backdoors and XMRig. The infection chain used DNS requests to attacker-controlled DNS servers, DLL sideloading, payloads hidden in appended image data, and payloads signed with a custom trusted root certificate authority. Avast found two backdoor families for large corporate networks: an enhanced PuTTY Link build for SMB scanning and lateral movement, and a modular backdoor that can install more modules and search for private keys and cryptowallets. The report describes possible ties to Kimsuky based on similarities between a Kimsuky keylogger and parts of the GuptiMiner operation.

Indicators of Compromise

