"Hackers Hijack Antivirus Updates to Drop GuptiMiner Malware"
North Korean hackers have been exploiting the update mechanism of the eScan antivirus product to install backdoors on large corporate networks and deliver cryptocurrency miners via the "GuptiMiner" malware. GuptiMiner is described as "a highly sophisticated threat" that makes Domain Name System (DNS) requests to attacker-controlled DNS servers, extracts payloads from images, signs its own payloads, and performs Dynamic Link Library (DLL) sideloading. According to a new report from Avast, the threat actor behind GuptiMiner used an Adversary-in-the-Middle (AitM) position to intercept the virus definition update package in transit and replace it with a malicious one. The article goes on to discuss Avast's findings on how GuptiMiner was distributed.
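The weak point in this story is an update package that the client accepts without authenticating its origin, so anyone on the network path can substitute it. The following Go program is an added illustration and is not code from eScan, Avast or the report: it models a hypothetical vendor that signs each definition package with an Ed25519 key, an update channel with an AitM in the path that swaps the package in flight, and two client install paths, one that applies whatever arrives and one that checks a detached signature against a vendor key pinned in the client. All names, the sample packages and the key material are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed stand-ins for a virus-definition package and for the
// replacement an on-path attacker would substitute for it. Not real eScan data.
var (
	GenuinePackage  = []byte("defs-2024-04-22: clean signature database (constructed sample)")
	TamperedPackage = []byte("defs-2024-04-22: signature database + dropper (constructed sample)")
)

// Vendor is a hypothetical update publisher holding the signing key.
// Only the public half is shipped inside the client binary.
type Vendor struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

// NewVendor generates a fresh Ed25519 key pair for the example.
func NewVendor() (*Vendor, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Vendor{priv: priv, pub: pub}, nil
}

// Pub returns the key a client would pin at build time.
func (v *Vendor) Pub() ed25519.PublicKey { return v.pub }

// Sign produces a detached signature over the SHA-256 digest of the package.
func (v *Vendor) Sign(pkg []byte) []byte {
	digest := sha256.Sum256(pkg)
	return ed25519.Sign(v.priv, digest[:])
}

// FetchUpdate models the network path from update server to client.
// With aitm set, the package is replaced in flight, as the report describes.
// The detached signature passes through unchanged: the attacker does not
// hold the vendor's private key and cannot produce a valid one.
func FetchUpdate(v *Vendor, aitm bool) (pkg, sig []byte) {
	pkg = GenuinePackage
	sig = v.Sign(pkg)
	if aitm {
		pkg = TamperedPackage
	}
	return pkg, sig
}

// InstallUnverified is the vulnerable client path: whatever arrives is applied.
func InstallUnverified(pkg []byte) ([]byte, error) {
	return pkg, nil
}

// InstallVerified is the hardened client path: the package is applied only if
// its detached signature verifies under the pinned vendor key. A substituted
// package fails here regardless of which server or proxy delivered it.
func InstallVerified(pinned ed25519.PublicKey, pkg, sig []byte) ([]byte, error) {
	digest := sha256.Sum256(pkg)
	if !ed25519.Verify(pinned, digest[:], sig) {
		return nil, errors.New("update rejected: signature does not verify under pinned vendor key")
	}
	return pkg, nil
}

func main() {
	v, err := NewVendor()
	if err != nil {
		panic(err)
	}
	pinned := v.Pub()

	// Run the same fetch once on a clean path and once with an attacker in the middle.
	for _, aitm := range []bool{false, true} {
		pkg, sig := FetchUpdate(v, aitm)
		applied, _ := InstallUnverified(pkg)
		fmt.Printf("aitm=%v unverified client applied: %q\n", aitm, applied)
		if _, err := InstallVerified(pinned, pkg, sig); err != nil {
			fmt.Printf("aitm=%v verified client: %v\n", aitm, err)
		} else {
			fmt.Printf("aitm=%v verified client applied: %q\n", aitm, pkg)
		}
	}
}
```

The point of the example is where the trust anchor lives: the verifying client trusts a key compiled into itself, not the server it happened to reach, so an attacker who controls the path still cannot get a substituted package applied. Transport security (TLS with server authentication) narrows the window for the interception itself; package signing is the check that holds even when the transport has been subverted.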
Bleeping Computer reports "Hackers Hijack Antivirus Updates to Drop GuptiMiner Malware"
Submitted by grigby1