GuptiMiner's Campaign: The Trojan Tango of Infiltrating Antivirus Updates for Digital Deception

Tags: Guptiminer, dns text, dns server, Kimsuky
Researchers have detected a malware campaign in which North Korean hackers used eScan antivirus updates to deliver backdoors and the GuptiMiner cryptocurrency miner onto large networks. The campaign, linked to Kimsuky, involved multiple types of backdoors and was neutralized by eScan on July 31, 2023, after India's CERT was alerted.

Indicators of Compromise

ns.lesagencestv.net
ns.gravelmart.net
www.elimpacific.net
www.bascap.net
ns1.earthscienceclass.com
gesucht.net
crl.peepzo.com
m.korkyt.net
m.satchmos.net
ns1.securtelecom.com
ns.dreamsoles.com
ns1.peepzo.com
m.insomniaccinema.com
ns.suechilton.com
ns1.sneakerhost.com
dl.sneakerhost.com
desmoinesreg.com
ns.srnmicro.net
ns.trafomo.com
m.guterman.net
m.airequipment.net
www.righttrak.net
ns.kbdn.net
ns.deannacraite.com
ns.bretzger.net
messi.com
m.cbacontrols.com
widgeonhill.com
edgesync.net
b.guterman.net
ns.jetmediauk.com
ext.peepzo.com
www.deanmiller.net
ns.encontacto.net
m.gosoengine.com
icamper.net
acmeautoleasing.net
ns.gridsense.net
espcomp.net
ext.sneakerhost.com
ns.desmoinesreg.com
m.sifraco.com
p.bramco.net
ns.editaccess.com
www.espcomp.net
r.sifraco.com
update3.mwti.net
breedbackfp.com
ns.penawarkanser.net
crl.sneakerhost.com
m.indpendant.com
gpon.inc

APT Groups (1)

Kimsuky

Description of MISP: This threat actor targets South Korean think tanks, industry, nuclear power operators, and the Ministry of Unification for espionage purposes.

Description of Mitre: Kimsuky is a North Korean-based threat group that has been active since at least September 2013. The group focuses on targeting Korean think tanks as well as DPRK/nuclear-related targets. The group was attributed as the actor behind the Korea Hydro & Nuclear Power Co. compromise.[1][2]

Description of Etda: (Kaspersky) For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think-tanks. There are multiple reasons why this campaign is extraordinary in its execution and logistics. It all started one day when we encountered a somewhat unsophisticated spy program that communicated with its “master” via a public e-mail server. This approach is rather inherent to many amateur virus-writers and these malware attacks are mostly ignored.

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATIONS

A number of prevention and detection measures address DLL side-loading:

Application Developer Guidance (M1013): Require that hash values of the application's DLLs be included in its manifest files, so that the application loads only verified, authentic versions and a malicious substitute is rejected.

Software Update (M1051): Keep software updated to fix security flaws that could allow DLL side-loading. This covers routine updates for the operating system as well as for all applications.

To identify potential DLL side-loading:

File monitoring: Watch for changes to a file's permissions or attributes, and for new files created in standard directories, since either can indicate the installation of an unauthorized DLL.

Module Load Monitoring: Monitor events relating to the creation and loading of DLL and other PE files.
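As an added illustration of the manifest-hash control (M1013) and the file-monitoring check described above, the following Python script is example code written for this page; it is not code from eScan, the researchers, or MITRE. It assumes a hypothetical application directory whose DLL names and byte contents are constructed here: a build-time step records the SHA-256 of each shipped DLL in a manifest, and a launch-time check reports DLLs that were modified, removed, or added since the manifest was produced.

```python
import hashlib
import json
import os
import tempfile

# Constructed sample: these DLL names and contents are made up for the demo and
# do not correspond to any real eScan or GuptiMiner file.
TRUSTED_DLLS = {
    "app_core.dll": b"MZ\x90\x00 trusted core library v1",
    "app_net.dll": b"MZ\x90\x00 trusted network library v1",
}


def sha256_of_file(path):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(app_dir):
    """Build-time step: record the hash of every DLL shipped in app_dir."""
    return {
        name: sha256_of_file(os.path.join(app_dir, name))
        for name in sorted(os.listdir(app_dir))
        if name.lower().endswith(".dll")
    }


def verify_dlls(app_dir, manifest):
    """Launch-time check: compare the DLLs on disk against the manifest.

    Returns a dict of four sorted lists:
      ok         - manifest DLLs whose on-disk hash matches
      modified   - manifest DLLs whose on-disk hash differs (tampered or replaced)
      unexpected - DLLs on disk that the manifest does not list (side-load candidates)
      missing    - manifest DLLs that are no longer present
    """
    report = {"ok": [], "modified": [], "unexpected": [], "missing": []}
    on_disk = {n for n in os.listdir(app_dir) if n.lower().endswith(".dll")}
    for name, expected in manifest.items():
        if name not in on_disk:
            report["missing"].append(name)
        elif sha256_of_file(os.path.join(app_dir, name)) == expected:
            report["ok"].append(name)
        else:
            report["modified"].append(name)
    report["unexpected"] = sorted(on_disk - set(manifest))
    return report


def should_block_launch(report):
    """Policy: refuse to start if a listed DLL was altered or an unknown DLL appeared."""
    return bool(report["modified"] or report["unexpected"])


def run_demo():
    """Simulate a clean install, then a side-loading attempt, in a temp directory."""
    with tempfile.TemporaryDirectory() as app_dir:
        for name, data in TRUSTED_DLLS.items():
            with open(os.path.join(app_dir, name), "wb") as f:
                f.write(data)
        manifest_path = os.path.join(app_dir, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(build_manifest(app_dir), f, indent=2)

        with open(manifest_path) as f:
            clean = verify_dlls(app_dir, json.load(f))

        # Simulated tampering (constructed for the demo): one trusted DLL is
        # overwritten and an extra DLL is dropped beside the application.
        with open(os.path.join(app_dir, "app_net.dll"), "wb") as f:
            f.write(b"MZ\x90\x00 replaced library")
        with open(os.path.join(app_dir, "extra_helper.dll"), "wb") as f:
            f.write(b"MZ\x90\x00 dropped library")

        with open(manifest_path) as f:
            tampered = verify_dlls(app_dir, json.load(f))

    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for label, report in run_demo().items():
        print(label, json.dumps(report), "block launch:", should_block_launch(report))
```

The check is only as strong as the manifest's integrity: if the manifest sits in the same writable directory as the DLLs, whoever can drop a DLL can also rewrite the manifest, so in practice the hashes should be embedded in a signed manifest or otherwise stored where the updater process cannot silently alter them.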


Reports & References (1)

Observed Countries (250)

AD (310), AE (879), AF (224), AG (81), AI (630), AL (953), AM (299), AO (236), AQ (313), AR (102)
AS (268), AT (39), AU (464), AW (622), AX (31), AZ (25), BA (614), BB (647), BD (458), BE (280)
BF (182), BG (308), BH (323), BI (235), BJ (683), BL (566), BM (767), BN (147), BO (936), BQ (730)
BR (109), BS (752), BT (313), BV (496), BW (356), BY (370), BZ (26), CA (115), CC (272), CD (2)
CF (383), CG (490), CH (516), CI (363), CK (177), CL (124), CM (432), CN (813), CO (293), CR (938)
CU (196), CV (37), CW (264), CX (866), CY (38), CZ (184), DE (852), DJ (788), DK (70), DM (108)
DO (251), DZ (728), EC (718), EE (54), EG (779), EH (815), ER (90), ES (831), ET (939), FI (311)
FJ (258), FK (508), FM (285), FO (993), FR (981), GA (199), GB (311), GD (705), GE (429), GF (816)
GG (52), GH (104), GI (568), GL (95), GM (58), GN (727), GP (358), GQ (492), GR (590), GS (398)
GT (325), GU (99), GW (631), GY (24), HK (106), HM (455), HN (161), HR (694), HT (500), HU (88)
ID (242), IE (604), IL (285), IM (668), IN (529), IO (173), IQ (776), IR (514), IS (492), IT (752)
JE (473), JM (951), JO (28), JP (513), KE (4), KG (303), KH (565), KI (37), KM (299), KN (561)
KP (874), KR (851), KW (853), KY (843), KZ (632), LA (156), LB (151), LC (738), LI (947), LK (218)
LR (88), LS (321), LT (647), LU (250), LV (938), LY (360), MA (812), MC (618), MD (656), ME (344)
MF (277), MG (323), MH (352), MK (528), ML (630), MM (187), MN (561), MO (577), MP (858), MQ (357)
MR (20), MS (899), MT (764), MU (550), MV (311), MW (66), MX (62), MY (686), MZ (848), NA (924)
NC (205), NE (89), NF (828), NG (186), NI (957), NL (214), NO (277), NP (539), NR (721), NU (301)
NZ (499), OM (745), PA (748), PE (591), PF (512), PG (983), PH (570), PK (824), PL (163), PM (644)
PN (359), PR (446), PS (307), PT (976), PW (457), PY (502), QA (323), RE (578), RO (662), RS (99)
RU (858), RW (785), SA (447), SB (360), SC (323), SD (428), SE (131), SG (498), SH (634), SI (224)
SJ (539), SK (830), SL (708), SM (574), SN (708), SO (298), SR (559), SS (587), ST (433), SV (542)
SX (828), SY (212), SZ (38), TC (798), TD (909), TF (98), TG (409), TH (394), TJ (831), TK (817)
TL (610), TM (941), TN (63), TO (366), TR (93), TT (293), TV (48), TW (279), TZ (830), UA (372)
UG (159), UM (515), US (844), UY (333), UZ (522), VA (266), VC (350), VE (602), VG (377), VI (536)
VN (564), VU (517), WF (240), WS (589), XK (120), YE (875), YT (871), ZA (511), ZM (935), ZW (98)