On January 20 a supply-chain compromise of MicroWorld’s eScan update server distributed a malicious Reload.exe to customers. Morphisec notified eScan the next day and eScan contained the incident, while Kaspersky detected and blocked the related attacks. Reload.exe modified the HOSTS file to block antivirus updates, established persistence via scheduled tasks (example: CorelDefrag), wrote consctlx.exe to disk, and communicated with attacker control servers to download additional payloads. #eScan #Reload.exe
Keypoints
- Supply-chain attack on January 20 delivered a malicious Reload.exe via an eScan regional update server to customers.
- Reload.exe modified the HOSTS file to block antivirus product updates, causing update service errors and hindering remediation.
- Malware ensured persistence by creating scheduled tasks (example: CorelDefrag) and dropped consctlx.exe to disk.
- The malware communicated with attacker control servers and downloaded additional malicious payloads from multiple domains.
- Attackers gained unauthorized access to a regional update server and distributed the file with a fake/invalid digital signature; affected infrastructure was isolated and credentials reset.
- Morphisec first investigated, eScan provided a removal utility to customers, and Kaspersky’s Behavior Detection successfully detects the malicious artifacts.
MITRE Techniques
- [T1053] Scheduled Task/Job – Persistence via creation of scheduled tasks; one example named CorelDefrag (‘Persistence was achieved by creating scheduled tasks; one example of such a malicious task is named CorelDefrag.’)
- [T1562] Impair Defenses – Modified the HOSTS file to block antivirus product updates and prevent automatic remediation (‘Reload.exe prevented further antivirus product updates by modifying the HOSTS file, thereby blocking the ability of security solution developers to automatically fix the problem, which, among other things, led to the update service error.’)
- [T1071.001] Application Layer Protocol: Web Protocols – Command-and-control communications and payload download over web/HTTP(S) endpoints (‘The malware also ensured its persistence in the system, communicated with control servers, and downloaded additional malicious payloads.’)
- [T1105] Ingress Tool Transfer – Additional malicious payloads were downloaded and files were written to disk (for example, ‘the consctlx.exe malicious file was written to the disk during the infection’ and payloads were fetched from remote URLs).
- [T1553.002] Subvert Trust Controls: Code Signing – Distribution of the malicious file used a fake/invalid digital signature to appear legitimate (‘The malicious file was distributed with a fake invalid digital signature.’)
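The T1562 entry above describes the defensive-evasion step that matters most for remediation: update hostnames redirected in HOSTS so the product can no longer fetch fixes. The following added example (not code from the Securelist report, eScan or Kaspersky) parses a constructed HOSTS file and flags watched update hostnames that resolve to a loopback or unspecified address; the hostnames under `WATCHED_UPDATE_HOSTS` are placeholders for the vendor update servers an administrator would actually monitor.

```python
import ipaddress

# Constructed sample HOSTS content for the demo (not taken from the incident).
# Lines 4 and 5 imitate the sinkhole entries described for Reload.exe.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.example-av.test
127.0.0.1       dl.example-av.test   # added by intruder
192.0.2.10      intranet.corp.test
"""

# Placeholder hostnames standing in for real security-vendor update servers.
WATCHED_UPDATE_HOSTS = {"update.example-av.test", "dl.example-av.test"}


def is_sinkhole(addr: str) -> bool:
    """True when the address makes a hostname unreachable (127.x, ::1, 0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def find_blocked_update_hosts(hosts_text: str, watched: set) -> list:
    """Return (line_number, address, hostname) for watched hosts sent to a sinkhole."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments and padding
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        if not is_sinkhole(addr):
            continue  # a real routable address is a normal HOSTS override
        for name in names:
            if name.lower() in watched:
                findings.append((lineno, addr, name.lower()))
    return findings


if __name__ == "__main__":
    # On a live Windows host read %SystemRoot%\System32\drivers\etc\hosts instead.
    for lineno, addr, name in find_blocked_update_hosts(SAMPLE_HOSTS, WATCHED_UPDATE_HOSTS):
        print(f"HOSTS line {lineno}: {name} sinkholed to {addr}")
```

Removing the flagged lines and restarting the update service is only part of the cleanup; the scheduled task and dropped consctlx.exe listed under T1053 and T1105 have to be removed as well, or the entries are simply re-created.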
Indicators of Compromise
- [Domains/URLs] Malicious control and payload hosting endpoints – vhs.delrosal[.]net/i, tumama.hns[.]to, and 4 more domains.
- [Domains/URLs] Additional observed endpoints – airanks.hns[.]to, csc.biologii[.]net/sooc.
- [File names] Malicious binaries and artifacts – Reload.exe (delivered via eScan update), consctlx.exe (dropped to disk).
- [Scheduled Task names] Persistence artifact – CorelDefrag (example of a malicious scheduled task created by the malware).
Read more: https://securelist.com/escan-supply-chain-attack/118688/