Executive Summary

CVE-2024-13990 is a critical vulnerability in the update mechanism of MicroWorld eScan Antivirus. The update process failed to ensure the authenticity and integrity of update packages, lacking robust cryptographic verification and HTTPS protection. This allowed an attacker performing a man-in-the-middle (MitM) attack to intercept and replace legitimate update files with malicious ones. The eScan client would accept and execute these malicious updates, including sideloaded DLLs and installer payloads, enabling remote code execution on affected systems. The vulnerability was exploited by a sophisticated malware campaign named GuptiMiner, which deployed backdoors and cryptocurrency miners through this attack vector. The issue was fixed by eScan on July 31, 2023, after being active since at least 2018. [2, 4, 5, 6, 7]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including remote code execution on affected systems without requiring any privileges or user interaction. Attackers can replace legitimate antivirus updates with malicious payloads that install backdoors, allowing persistent unauthorized access, lateral movement within networks, and theft of sensitive data such as private keys and cryptocurrency wallets. Additionally, the malware campaign deployed cryptocurrency miners (XMRig), which consume system resources and may serve as a distraction from more damaging espionage activities. The infection chain involves advanced evasion techniques, making detection and remediation challenging. Organizations using vulnerable versions of eScan antivirus are at risk of compromise, especially large corporate networks. [3, 4, 5, 6, 7]

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying signs of the GuptiMiner malware infection and suspicious activity related to eScan antivirus update processes. Indicators include presence of malicious DLLs such as 'version.dll' or 'updll62.dlz' loaded by eScan binaries, unusual network DNS queries to attacker-controlled DNS servers, and execution of shellcode from PNG files. Detection can also focus on monitoring for the creation of mutexes like 'Mutex_ONLY_ME_V1', injection into services.exe process, and presence of backdoors or cryptocurrency mining activity (XMRig). Since the malware uses custom DNS servers and unusual DNS TXT record queries, network monitoring tools can be used to detect anomalous DNS traffic. Additionally, running reputable antivirus or endpoint detection and response (EDR) tools updated with signatures for GuptiMiner can help detect infections. Specific commands are not detailed in the resources, but general approaches include scanning for suspicious DLLs in eScan directories, monitoring network DNS requests, and checking running processes for injected code or known malware components. [3, 4, 5, 6, 7]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include: 1) Updating eScan antivirus to the latest version released after July 31, 2023, which contains the fixed update mechanism with HTTPS and cryptographic verification; 2) Ensuring that updates are only obtained from the official eScan AV update site and discontinuing use of partner CDNs or unofficial sources; 3) Shifting update mechanisms to HTTPS-based downloads to prevent MitM attacks; 4) Running comprehensive scans with updated antivirus solutions capable of detecting and removing GuptiMiner and related malware; 5) Monitoring and blocking suspicious network traffic, especially DNS queries to unknown or attacker-controlled servers; 6) Applying general endpoint security best practices such as disabling legacy or vulnerable Windows versions targeted by the malware (e.g., Windows 7, Windows Server 2008) and ensuring system patches are current. eScan has also sinkholed the update server and implemented stringent security controls since 2019, so following vendor guidance and maintaining updated security infrastructure is critical. [1, 2, 3, 4, 5, 6, 7]

Useful 0 Not Useful 0