Summary
Key Points:
- A supply chain attack on eScan antivirus was detected on January 20: malware was distributed through the eScan update server, delivering a malicious file named Reload.exe to users.
- The malware modified the HOSTS file to block further updates from the antivirus, ensuring persistence through scheduled tasks and downloading additional payloads.
- Users are advised to review scheduled tasks, check the HOSTS file for blocked domains, and utilize a utility provided by eScan to remove the malware and restore functionality.
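The HOSTS-file check described above can be automated. The following is an added example, not code from eScan or from the advisory: it parses a HOSTS file, reports every hostname redirected to a loopback or null address (the technique the malware used to block updates), and separately flags those matching an assumed vendor name pattern. The sample HOSTS content and the `escan` pattern are constructed for illustration; substitute the update hostnames your product actually contacts.

```python
"""Audit a Windows HOSTS file for entries that sinkhole update domains.

Added example, not eScan's own tooling. VENDOR_PATTERN and SAMPLE_HOSTS
are assumptions/constructed data for illustration.
"""
import ipaddress
import re

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"
# Addresses that silently discard traffic when a hostname is mapped to them.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1", "::"}
# Names that legitimately map to loopback and must not be reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}
# Assumption: real eScan update hostnames are not on the page; adjust as needed.
VENDOR_PATTERN = re.compile(r"escan", re.IGNORECASE)

# Constructed sample modelled on the behaviour the advisory describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# constructed entries: update hosts pointed at null/loopback addresses
0.0.0.0 update.escan.example.com
127.0.0.1 download.escan.example.com
192.0.2.10 intranet.example.com
"""


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every active mapping in HOSTS text."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))  # normalises v4/v6 forms
        except ValueError:
            continue                                   # malformed line, skip it
        for name in parts[1:]:
            entries.append((ip, name.lower(), line_no))
    return entries


def find_sinkholed(text):
    """Entries that redirect a non-local hostname to a loopback/null address."""
    return [e for e in parse_hosts(text)
            if e[0] in SINKHOLE_IPS and e[1] not in LOCAL_NAMES]


def find_blocked_vendor_hosts(text):
    """Subset of sinkholed entries whose hostname matches the vendor pattern."""
    return [e for e in find_sinkholed(text) if VENDOR_PATTERN.search(e[1])]


def audit_file(path=HOSTS_PATH):
    """Read a real HOSTS file and return its sinkholed entries."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_sinkholed(fh.read())


if __name__ == "__main__":
    for ip, name, line_no in find_sinkholed(SAMPLE_HOSTS):
        tag = " (vendor update host)" if VENDOR_PATTERN.search(name) else ""
        print(f"line {line_no}: {name} -> {ip}{tag}")
```

Any non-local hostname mapped to a sinkhole address deserves a look, not only vendor names, since the same trick works against any updater. The scheduled-task review from the same advice can be done alongside with `schtasks /query /fo LIST /v` or `Get-ScheduledTask` in PowerShell, looking for recently created tasks whose action runs a binary outside the product's install directory.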
Technical Details:
The attack involved unauthorized access to an update server, distributing a malicious file with a fake digital signature. The malware created scheduled tasks for persistence and communicated with control servers.
MITRE ATT&CK Techniques:
- T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
- T1543.003 - Create or Modify System Process: Windows Service (Persistence)
- T1053.005 - Scheduled Task/Job: Scheduled Task (Persistence)
IOCs Mentioned:
- https://vhs.delrosal[.]net/i
- https://tumama.hns[.]to
- https://blackice.sol-domain[.]org
- https://codegiant[.]io/dd/dd/dd.git/download/main/middleware.ts
- https://airanks.hns[.]to
- https://csc.biologii[.]net/sooc
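The IOC URLs above are defanged with `[.]`, so they cannot be matched against logs as written. The following added example (not part of the advisory) refangs them, extracts their hostnames, and scans constructed proxy log lines for requests to those hosts or their subdomains, including CONNECT entries that carry only `host:port` rather than a full URL. The log format and its lines are constructed for illustration; adapt `parse_log_line` to your proxy's real format.

```python
"""Refang the advisory's IOC URLs and match them against proxy log lines.

Added example, not the advisory's own tooling. SAMPLE_LOG is constructed;
only IOC_URLS comes from the page.
"""
from urllib.parse import urlsplit

# IOC URLs exactly as listed in the advisory (defanged).
IOC_URLS = [
    "https://vhs.delrosal[.]net/i",
    "https://tumama.hns[.]to",
    "https://blackice.sol-domain[.]org",
    "https://codegiant[.]io/dd/dd/dd.git/download/main/middleware.ts",
    "https://airanks.hns[.]to",
    "https://csc.biologii[.]net/sooc",
]

# Constructed log lines: "<timestamp> <client_ip> <method> <url> <status>".
SAMPLE_LOG = [
    "2024-01-21T10:02:11Z 10.0.5.23 GET https://updates.example.com/defs.bin 200",
    "2024-01-21T10:02:15Z 10.0.5.23 GET https://vhs.delrosal.net/i 200",
    "2024-01-21T10:03:40Z 10.0.7.8 GET https://codegiant.io/dd/dd/dd.git/download/main/middleware.ts 200",
    "2024-01-21T10:04:02Z 10.0.9.1 CONNECT airanks.hns.to:443 -",
    "2024-01-21T10:05:10Z 10.0.9.1 GET https://www.example.org/ 200",
]


def refang(ioc):
    """Turn defanged notation ("[.]", "hxxp") back into a real URL."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def ioc_hosts(iocs=IOC_URLS):
    """Lower-cased set of hostnames referenced by the IOC URLs."""
    return {urlsplit(refang(u)).hostname.lower() for u in iocs}


def parse_log_line(line):
    """Split one constructed log line into fields; None if malformed."""
    parts = line.split()
    if len(parts) < 5:
        return None
    return {"ts": parts[0], "client": parts[1], "method": parts[2],
            "url": parts[3], "status": parts[4]}


def host_of(target):
    """Hostname from a full URL or a bare host:port (as in CONNECT lines)."""
    if "://" not in target:
        target = "//" + target          # make urlsplit treat it as a netloc
    host = urlsplit(target).hostname
    return host.lower() if host else None


def matches_ioc(host, hosts):
    """True if host equals an IOC host or is a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in hosts)


def find_ioc_hits(lines, iocs=IOC_URLS):
    """Return (client_ip, matched_host, original_target) for each IOC hit."""
    hosts = ioc_hosts(iocs)
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        host = host_of(rec["url"])
        if host and matches_ioc(host, hosts):
            hits.append((rec["client"], host, rec["url"]))
    return hits


if __name__ == "__main__":
    for client, host, target in find_ioc_hits(SAMPLE_LOG):
        print(f"{client} contacted IOC host {host}: {target}")
```

Matching on hostname rather than the full URL catches variations in path and query while keeping the check cheap; the subdomain rule covers hosts such as `tumama.hns[.]to` being reached through a deeper label. Hits identify the client addresses to triage for the Reload.exe artifact, the HOSTS modification, and the scheduled tasks described above.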