
On January 20, a supply chain attack occurred, with the infected software being the eScan antivirus developed by the Indian company MicroWorld Technologies. The previously unknown malware was distributed through the eScan update server. The same day, our security solutions detected and prevented cyberattacks involving this malware. On January 21, having been informed by Morphisec, the developers of eScan contained the security incident related to the attack.
Malicious software used in the attack
Users of the eScan security product received a malicious Reload.exe file, which initiated a multi-stage infection chain. According to colleagues at Morphisec who were the first to investigate the attack, Reload.exe prevented further antivirus product updates by modifying the HOSTS file, thereby blocking the ability of security solution developers to automatically fix the problem, which, among other things, led to the update service error.
The malware also ensured its persistence in the system, communicated with control servers, and downloaded additional malicious payloads. Persistence was achieved by creating scheduled tasks; one example of such a malicious task is named CorelDefrag. Additionally, the consctlx.exe malicious file was written to the disk during the infection.
How the attackers managed to pull off this attack
At the request of the BleepingComputer information portal, eScan developers explained that the attackers managed to gain access to one of the regional update servers and deploy a malicious file, which was automatically delivered to customers. They emphasize that this is not a vulnerability — the incident is classified as unauthorized access to infrastructure. The malicious file was distributed with a fake invalid digital signature.
According to the developers, the infrastructure affected by the incident was quickly isolated, and all access credentials were reset.
How to stay safe?
To detect infection, it is recommended to review scheduled tasks for traces of malware, check the %WinDir%\System32\drivers\etc\hosts file for blocked eScan domains, and review the eScan update logs for January 20.
The developers of eScan have created a utility for their users that removes the malware, rolls back the modifications it has made, and restores the normal functionality of the antivirus. The utility is sent to customers upon request to technical support.
Users of the solution are also advised to block known malware control server addresses.
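As an added example (not code from the original post, nor from eScan or Kaspersky), the following Python script demonstrates the checks above against constructed sample data: a HOSTS file in which a vendor update host has been pinned to a bogus address, a scheduled-task listing that contains the CorelDefrag task named earlier, a proxy log matched against the network indicators listed under "Indicators of compromise" below, and a hosts-style blocklist generated from those same indicators. The eScan update host names (`*.escanav.example`), the log format and every sample line are assumptions made for illustration; the real vendor domains and your own log format will differ.

```python
"""Triage helpers for the eScan update-server incident (added example)."""
from urllib.parse import urlparse

# Network indicators as published in the post, kept defanged ([.]).
NETWORK_IOCS = [
    "https://vhs.delrosal[.]net/i",
    "https://tumama.hns[.]to",
    "https://blackice.sol-domain[.]org",
    "https://codegiant[.]io/dd/dd/dd.git/download/main/middleware.ts",
    "https://airanks.hns[.]to",
    "https://csc.biologii[.]net/sooc",
]
# Host-based indicators named in the post.
MALICIOUS_TASK_NAMES = ["CorelDefrag"]
MALICIOUS_FILE_NAMES = ["Reload.exe", "consctlx.exe"]
# ASSUMPTION: placeholder vendor update hosts; the post does not list the real ones.
ESCAN_UPDATE_HOSTS = ["update.escanav.example", "download.escanav.example"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return indicator.replace("[.]", ".")


def ioc_hosts() -> set[str]:
    """Host names extracted from the published URLs, lower-cased for matching."""
    return {urlparse(refang(u)).hostname.lower() for u in NETWORK_IOCS}


def hosts_overrides(hosts_text: str, vendor_hosts) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs that pin a vendor update host in a HOSTS file.

    The post says Reload.exe blocked further updates by editing HOSTS, so any
    entry for a vendor host is worth a look; comments and blank lines are skipped.
    """
    wanted = {h.lower() for h in vendor_hosts}
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        findings.extend((ip, n) for n in names if n.lower() in wanted)
    return findings


def suspicious_tasks(task_paths, known=MALICIOUS_TASK_NAMES) -> list[str]:
    """Filter a scheduled-task listing (full task paths) to known malicious names."""
    known_lc = {k.lower() for k in known}
    return [t for t in task_paths if t.strip("\\").split("\\")[-1].lower() in known_lc]


def ioc_hits_in_log(log_lines) -> list[tuple[int, str]]:
    """Return (line_number, host) for every log line mentioning a published host."""
    hosts = ioc_hosts()
    hits = []
    for n, line in enumerate(log_lines, 1):
        low = line.lower()
        hits.extend((n, h) for h in sorted(hosts) if h in low)
    return hits


def blocklist_lines() -> list[str]:
    """HOSTS-style sinkhole entries for the published hosts (one way to block them)."""
    return [f"0.0.0.0 {h}" for h in sorted(ioc_hosts())]


# Constructed sample inputs (not real captures).
SAMPLE_HOSTS = """# constructed HOSTS file
127.0.0.1 localhost
0.0.0.0 update.escanav.example   # constructed: pinned by malware
"""
SAMPLE_TASKS = [
    "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",  # legitimate, similar name
    "\\CorelDefrag",                                  # name from the post
]
SAMPLE_LOG = [
    "Jan 20 10:01:58 10.0.0.7 GET https://www.example.com/ 200",
    "Jan 20 10:02:11 10.0.0.7 GET https://airanks.hns.to/ 200",
    "Jan 20 10:02:40 10.0.0.7 GET https://www.example.org/news 200",
]

if __name__ == "__main__":
    print("HOSTS overrides:", hosts_overrides(SAMPLE_HOSTS, ESCAN_UPDATE_HOSTS))
    print("Suspicious tasks:", suspicious_tasks(SAMPLE_TASKS))
    print("Log hits:", ioc_hits_in_log(SAMPLE_LOG))
    print("Blocklist:\n" + "\n".join(blocklist_lines()))
```

Run against a real system by feeding it the contents of `%WinDir%\System32\drivers\etc\hosts`, the output of `schtasks /query /fo list` (task names only), and your proxy or DNS logs; substitute the actual vendor update host names for the placeholders.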
Kaspersky’s security solutions, such as Kaspersky Next, successfully detect all malware used by the attackers with the Behavior Detection component.
Indicators of compromise
Several malicious domain names and links were listed in the Morphisec blog:
- https://vhs.delrosal[.]net/i
- https://tumama.hns[.]to
- https://blackice.sol-domain[.]org
- https://codegiant[.]io/dd/dd/dd.git/download/main/middleware.ts
Our experts have discovered additional network IoCs related to this attack:
- https://airanks.hns[.]to
- https://csc.biologii[.]net/sooc
Right now we are analyzing the malware used in this incident, and will post more details as soon as possible.
