About 10 years ago, the industry began to advocate that websites deploy HTTPS encrypted connections to prevent websites or services from being hijacked by man-in-the-middle (MitM) attacks. For example, some network operators used to inject pop-ups into the pages users visited, showing account balances and top-up reminders; that was done by hijacking the connection.
Bluepoint also deployed HTTPS about 10 years ago. At that time there were no free HTTPS certificates, so you had to buy one yourself. A one-year digital certificate cost hundreds of dollars, but once HTTPS was deployed it significantly reduced the probability of being hijacked.
Almost all websites and services now use encrypted connections, but what is incomprehensible is that India's local anti-virus software eScan has been using the plaintext HTTP protocol to deliver updates since 2019.
Because eScan pushes software updates over plaintext HTTP, hackers spotted the opportunity. As the saying goes, the most dangerous place is the safest place: the hackers used the anti-virus software's own update mechanism to drop malware right under its nose.
Back to July 2023:
Researchers from the Czech antivirus software developer AVAST noticed a piece of malware that other researchers had named GuptiMiner. The malware had an extremely complex attack chain behind it, and it specifically targeted eScan's plaintext HTTP protocol.
The attack chain begins when eScan initiates an update. The hacker first performs a man-in-the-middle attack to intercept the request that eScan sends to the server, and then returns a malicious response from a fake server. The returned package is eScan's own legitimate update, except that the GuptiMiner malware has been inserted into it.
When eScan received the returned package and performed the update, the malware was quietly released and executed along with it. Obviously, in addition to using plaintext HTTP, eScan may not have signed or hashed the package (or the hash carried in the returned package may have been modified as well).
This antivirus software has been delivering updates over plaintext HTTP since at least 2019. Although it is impossible to prove when hackers started taking advantage of this, hijacking updates to infect devices has probably been going on for several years.
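The gap the post describes is the absence of any authentication on the update: over plaintext HTTP, a hash carried in the same response can simply be recomputed by whoever is in the middle. The Go program below is an added example, not eScan's or AVAST's code, showing the defender-side design that closes that gap: the vendor signs a small manifest (version plus SHA-256 of the package) with an Ed25519 key, the client verifies the signature with a public key it already ships with, and only then compares the package hash. The key pair, package bytes and "injected payload" string are all constructed for the demo; the helper names (`BuildResponse`, `VerifyUpdate`, `HashOnlyCheck`, `TamperInTransit`) are assumptions of this example, not a real library API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is what the vendor publishes next to each update package.
// The vendor signs the JSON-encoded manifest with an Ed25519 key that
// never leaves the build environment; the client ships with the public key.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the package bytes
}

// UpdateResponse is everything the client gets back from an update request,
// whether from the real server or from a man-in-the-middle answering for it.
type UpdateResponse struct {
	Manifest  Manifest
	Signature []byte
	Package   []byte
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrHashMismatch = errors.New("package hash does not match manifest")
)

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// NewVendorKeys stands in for the vendor's key ceremony (constructed for the demo;
// in a real client only the public key would be embedded).
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildResponse is the vendor-side step: hash the package, sign the manifest.
func BuildResponse(priv ed25519.PrivateKey, version string, pkg []byte) UpdateResponse {
	m := Manifest{Version: version, SHA256: sha256Hex(pkg)}
	raw, _ := json.Marshal(m) // struct field order is fixed, so the encoding is stable
	return UpdateResponse{Manifest: m, Signature: ed25519.Sign(priv, raw), Package: pkg}
}

// VerifyUpdate is the client-side check: the signature authenticates the
// manifest, and the manifest's hash binds the package bytes to it.
func VerifyUpdate(pub ed25519.PublicKey, r UpdateResponse) error {
	raw, err := json.Marshal(r.Manifest)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, raw, r.Signature) {
		return ErrBadSignature
	}
	if sha256Hex(r.Package) != r.Manifest.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

// HashOnlyCheck is the weak scheme the post speculates about: a hash carried
// in the same unauthenticated response, with nothing signing it.
func HashOnlyCheck(r UpdateResponse) bool {
	return sha256Hex(r.Package) == r.Manifest.SHA256
}

// TamperInTransit simulates the interception for the demo: append extra bytes
// to the package and recompute the in-band hash so the hash-only check still passes.
func TamperInTransit(r UpdateResponse, payload []byte) UpdateResponse {
	t := r
	t.Package = append(append([]byte{}, r.Package...), payload...)
	t.Manifest.SHA256 = sha256Hex(t.Package)
	return t
}

func main() {
	pub, priv := NewVendorKeys()
	genuine := BuildResponse(priv, "2023.07.31", []byte("constructed update package bytes"))
	fmt.Println("genuine, signed check:", VerifyUpdate(pub, genuine))

	hijacked := TamperInTransit(genuine, []byte("constructed stand-in for injected bytes"))
	fmt.Println("hijacked, hash-only check passes:", HashOnlyCheck(hijacked))
	fmt.Println("hijacked, signed check:", VerifyUpdate(pub, hijacked))
}
```

Two design points matter here. The signature covers the manifest rather than the whole package so that large packages can be hashed in a stream, but the hash inside the signed manifest still binds the bytes, so altering the package without the private key fails on one check or the other. And the public key is pinned in the client, independent of TLS: that is what makes the check hold even when an attacker has installed their own root certificate on the machine, which is the second trick the post attributes to this campaign. HTTPS on the update channel is still worth having, but it is transport protection, not a substitute for a signed update.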
Purpose of malware:
What's funny is that this malware goes through such a complex attack chain, yet its ultimate goal may simply be mining. At the very least, AVAST noticed that in addition to installing multiple backdoors (a routine operation), GuptiMiner also dropped XMRig, an open-source Monero (XMR) miner that uses the CPU to mine.
Its other malicious purposes are relatively common. For example, if the infected device sits on a large corporate intranet, it will try to move laterally to infect more devices.
How the hijacking was achieved:
AVAST does not seem to know either; the researchers suspect that the hackers compromised the target network by some means in order to route traffic to malicious servers.
AVAST's research found that last year the hackers abandoned DNS-based techniques and replaced them with an obfuscation technique called IP masking. They also installed custom root TLS certificates on infected devices, so that they could issue arbitrary certificates and hijack any connection.
After AVAST disclosed the vulnerability to India's CERT and to eScan, the latter fixed it on July 31, 2023, by switching to the HTTPS encrypted protocol.
Copyright statement: Thank you for reading. This article is reprinted or compiled from Duck Brother Outside the Mountain and AVAST. If you need to reprint this article, please contact the original author for authorization; thank you for your understanding.