GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining
WHITE | Kimsuky | AlienVault | Created: 2024-04-24 | Modified: 2024-05-24
90 IOCs
Avast discovered and analyzed a malware campaign that hijacked the eScan antivirus update mechanism to distribute backdoors and coinminers. The campaign was orchestrated by a threat actor with possible ties to Kimsuky, a North Korean APT group. Two different types of backdoors were found, both targeting large corporate networks: one provided SMB scanning and lateral movement, while the other was modular, accepting commands to install additional modules and scanning for private keys and cryptocurrency wallets. Interestingly, the final payload was also XMRig, a coinminer, which is unexpected for such a sophisticated operation.
Indicators of Compromise (90)