GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining
released on 2024-04-24 @ 06:57:34 AM
Avast discovered and analyzed a malware campaign that hijacks the eScan antivirus update mechanism to distribute backdoors and coinminers. The campaign was orchestrated by a threat actor with possible ties to Kimsuky, a North Korean APT group. Two different types of backdoors were found, both targeting large corporate networks. One provided SMB scanning and lateral movement, while the other was modular, accepting commands to install additional modules and scanning for private keys and cryptocurrency wallets. Interestingly, the final payload was also XMRig, a coinminer, which is unexpected for an operation of this sophistication.