Keypoints
- GuptiMiner abused eScan’s update mechanism via a man-in-the-middle to deliver a malicious update package (malicious version.dll) that is DLL-sideloaded by eScan.
- The infection chain is multi-stage: sideloaded DLL → injected shellcode → embedded PE loader → PNG loader (payload in image) → Gzip loader → Puppeteer orchestrator → XMRig miner and backdoor(s).
- DNS TXT responses (from attacker-controlled DNS servers) provide encrypted URLs or keys; PNG images contain appended shellcode starting at offset 0x325 and are decrypted with RC2 using an MD5-derived key.
- Persistence and stealth use scheduled tasks, WMI event-triggered execution, storing encrypted payloads/images in Windows Registry, disabling Defender, and installing a custom root certificate to trust attacker-signed binaries.
- Two backdoor families were deployed: a PuTTY/plink-based backdoor for local SMB scanning and SMB tunneling (port 445) for lateral movement, and a modular backdoor injected into mmc.exe for large corporate networks (searching for private keys/wallets and loading modules from registry).
- Process injection and code execution techniques include Heaven’s Gate for x64 execution from 32-bit hosts, command-line manipulation, WriteProcessMemory/CreateRemoteThread injection (e.g., into credwiz.exe), and API import-by-hash in modular backdoor components.
- Authors evolved C2 techniques over time (DNS TXT → masked IP responses → direct IP + path with XOR de-masking) and implemented anti-VM / anti-debug checks (drivers, registry keys, process name prefixes).
MITRE Techniques
- [T1195] Supply Chain Compromise – GuptiMiner performed a MitM on eScan update downloads to replace legitimate update archives with a malicious package (‘actors behind GuptiMiner were performing man-in-the-middle (MitM) to download an infected installer…’).
- [T1574.001] DLL Side-Loading – The malicious package contains a version.dll which is sideloaded by eScan clean binaries (‘a malicious DLL (usually called version.dll) that is sideloaded by eScan’).
- [T1055] Process Injection – Shellcode injects stages into services.exe and Puppeteer injects XMRig into credwiz.exe using WriteProcessMemory/CreateRemoteThread (‘the malware searches for services.exe process and injects its next stage… injects XMRig into a credwiz.exe process’).
- [T1071.004] Application Layer Protocol: DNS – The PNG loader queries attacker-controlled DNS servers for TXT records to obtain encrypted C2 URLs/keys (‘sending a DNS request to the attacker’s malicious DNS server, obtaining the TXT record with the response’).
- [T1027] Obfuscated Files or Information – Payloads are hidden inside legitimate PNG images with appended shellcode starting at a fixed offset (‘PNG files are valid images … that contain appended shellcodes at their end’).
- [T1053.005] Scheduled Task – Persistence is implemented via scheduled tasks that run sideloading clean binaries which load malicious DLLs at boot with SYSTEM privileges (‘The scheduled task is created … Executes: C:\ProgramData\Brother\Brmfl14c\BrRemPnP.exe … TASK_TRIGGER_BOOT with SYSTEM privileges’).
- [T1546.002] Event Triggered Execution: WMI – WMI event subscriptions are used to trigger execution of dropper/loader binaries under certain timing conditions (‘WMI events are used for loading the first of the PNG loaders’).
- [T1112] Modify Registry – GuptiMiner stores encrypted payloads and images in various registry keys for persistence and staging (‘authors started to integrate even better persistence … storing the payloads in registry keys’).
- [T1553] Subvert Trust Controls – The malware installs a custom root certificate into Windows’ certificate store so attacker-signed binaries are trusted (‘adds a root certificate to Windows’ certificate store making this certification authority trusted’).
- [T1021.002] Remote Services: SMB/Windows Admin Shares – The PuTTY/plink backdoor performs SMB scanning and creates a tunnel to forward SMB traffic via port 445 for lateral movement (‘creates a tunnel on the port 445 between the attacker’s server gesucht.net and the victim’s device’ and performs local SMB scanning).
Indicators of Compromise
- [Domains] C2 / distribution – ext.peepzo[.]com, deanmiller[.]net, and many other attacker-controlled domains used for DNS TXT responses and PNG payload hosting (see full list in original report).
- [IP addresses] masked / C2 examples – 185.45.192[.]43 (used with path /elimp/ after de-masking), 185.248.160[.]141 (modular backdoor C2), and masked addresses like 179.38.204[.]38 referenced in de-masking logic.
- [File hashes] malicious components – c3122448ae3b21ac2431d8fd523451ff25de7f6e399ff013d6fa6953a7998fa3 (version.dll sample), 294b73d38b89ce66cfdefa04b1678edf1b74a9b7f50343d9036a5d549ade509a (later loader), and numerous other hashes cited in the IoC list.
- [File names / dropped files] sideloading / persistence – version.dll (sideloaded), updll3.dlz / updll3.dll3 / updll62.dlz (update archive and malicious DLL), atiadlxx.dll and BrLogAPI.dll (PNG loader DLL names used for sideloading).
- [Registry keys] persistence & storage – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Sorting\Ids\en-US (example storage key), HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CMF\Class and other SYSTEM… keys used to store payloads/images.
- [Certificates] signing artifacts – SHA1 529763AC53562BE3C1BB2C42BCAB51E3AD8F8A56 and 31070C2EA30E6B4E1C270DF94BE1036AE7F8616B referenced as stolen certificates used to sign payloads.
- [PDB paths] build artefacts – E:\Projects\putty-src\windows\VS2012\x64\Release\plink.pdb, F:ProMainWorkReleaseMainWork.pdb found in various builds.
GuptiMiner’s technical infection procedure begins with intercepting eScan’s update download (unencrypted) and substituting a malicious update archive; the updater unpacks this archive and sideloads a malicious version.dll which retains original exports while adding loader functionality. That DLL performs process injection (services.exe), loads embedded plaintext shellcode/PE blobs, and uses Heaven’s Gate where needed to execute 64-bit code from a 32-bit host. The next-stage loader reaches out to attacker-controlled DNS servers to fetch base64/RC2-encrypted TXT records that contain MD5-derived keys and C2 URLs; those URLs serve PNG files that are valid images with encrypted shellcode appended at offset 0x325, which the PNG loader decrypts (RC2/MD5) and executes, then unpacks a Gzip-compressed stage into memory.
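As an added example (not code from the report), a defender-side check for the PNG-loader technique described in the Keypoints and above: it walks the PNG chunk structure and reports any bytes appended after the IEND chunk, which is where the loader's shellcode is carried. The 1x1 PNG and the trailing bytes are constructed for the demo; the function itself works on any PNG.

```python
# Added example (not code from the report): GuptiMiner's PNG loaders fetch
# images that are valid PNGs with shellcode appended after the image data.
# A well-formed PNG ends with its IEND chunk, so any trailing bytes are
# suspicious. Walking the chunk structure (rather than searching for the
# string "IEND") avoids false results from that byte sequence inside IDAT.
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def png_payload_offset(data: bytes):
    """Return (offset right after IEND, number of trailing bytes).

    Trailing length is 0 for a clean image. Raises ValueError when the
    input is not a structurally valid PNG (bad signature, truncation, CRC).
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated PNG: no IEND chunk")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # length + type + payload + CRC
        if chunk_end > len(data):
            raise ValueError(f"truncated chunk {ctype!r}")
        # CRC covers type + payload; a corrupted image is reported, not
        # silently treated as clean.
        expected = struct.unpack(">I", data[chunk_end - 4:chunk_end])[0]
        if zlib.crc32(data[pos + 4:chunk_end - 4]) & 0xFFFFFFFF != expected:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        pos = chunk_end
        if ctype == b"IEND":
            return pos, len(data) - pos

def make_minimal_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as demo input (not from the report)."""
    def chunk(ctype, payload):
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit gray
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

if __name__ == "__main__":
    clean = make_minimal_png()
    print(png_payload_offset(clean))                  # clean image: 0 trailing bytes
    print(png_payload_offset(clean + b"\xAA" * 64))   # constructed appended blob: 64 bytes
```

Run over a directory of images (for example files dropped alongside the sideloaded DLLs named in the IoC list), any non-zero trailing length is worth a closer look, since a legitimate image has nothing after IEND.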
Persistence and stealth are achieved through a mix of scheduled tasks, WMI event-triggered execution, and registry-stored payloads/images (XOR- or RC2-encrypted). During installation the malware may disable Defender, add a custom root certificate to Windows’ certificate store so attacker-signed DLLs appear trusted, and remove on-disk artifacts while keeping the active payload in memory until shutdown, when the files are restored for the next boot. Anti-analysis checks (VM drivers, low RAM/CPU, debugger/process-name prefixes) and command-line/display obfuscation are used to hinder detection; mutex naming encodes shellcode versions to avoid re-running identical loaders.
At runtime the Puppeteer orchestrator deploys XMRig (JSON config embedded and dynamically patched) by creating suspended credwiz.exe and performing WriteProcessMemory/CreateRemoteThread injection, while also performing environment checks and dynamic pool selection. For targeted networks it deploys two backdoors: a custom plink-based tool that scans SMB ranges and creates a port-445 tunnel to forward SMB traffic for lateral movement, and a modular shellcode backdoor injected (e.g., into mmc.exe) that enumerates drives for .pvk/.wallet files, stores module blobs encrypted in the registry, and communicates with a dedicated HTTPS C2 (e.g., www.righttrak[.]net:443 / 185.248.160[.]141) to load additional modules. Detection and remediation should focus on the listed domains, hashes, scheduled tasks, registry locations, signed binaries/certificates, and injected processes described above.