Supply Chain Attack Targets eScan Antivirus Software
A recent supply chain attack compromised the eScan antivirus software from MicroWorld Technologies: the attackers used eScan's own update server to distribute malicious payloads to installed clients. The compromise was discovered on January 20 and was mitigated shortly after.
The malware arrived as a file named Reload.exe and started a multi-stage infection. Its first action was to alter system settings so that eScan could no longer fetch updates, which cut off the vendor's own channel for pushing a cleanup and left the malicious components in place. The attackers reached the update server through unauthorized access rather than by exploiting a specific product vulnerability. Reload.exe was obfuscated and carried a fake digital signature so that it would pass as legitimate, which complicated detection. Affected users are concentrated in South and Southeast Asia, primarily India, Bangladesh, Sri Lanka, and the Philippines.
Once running, Reload.exe downloaded further stages and established persistence through a scheduled task. The later payloads disabled eScan's update process, bypassed the Anti-Malware Scan Interface (AMSI), and checked whether particular security products were installed on the victim's machine. When that check came back favorable to the attackers, additional malware was installed to maintain access to the compromised host.
Why this matters: This incident underscores the risks associated with supply chain vulnerabilities, particularly in trusted software like antivirus solutions. Security breaches at this level can lead to significant compromises, impacting countless end users and organizations.
To minimize risk, organizations should pair threat monitoring with a concrete response checklist: review scheduled tasks for unexpected entries, verify that the system hosts file has not been altered (a common way to block update traffic), and analyze update logs for anomalies. Security products add protection by identifying and blocking the known indicators listed below.
Indicators of Compromise (IOCs):
- Malicious Reload.exe hashes (run together as one 160-character string in the original; split here by length):
  - 1617949c0c9daa2d2a5a80f1028aeb95ce1c0deea928bddfaa536c11c28c8d2c (64 hex chars, SHA-256 length)
  - 5d16e27cbeaf6357ebaf9715d7f34a77a6e1fd455fe0702274958e2096cdd847 (64 hex chars, SHA-256 length)
  - 6faa7c6a7d2ad285658d3559855b168d (32 hex chars, MD5 length)
- Malicious CONSCTLX.exe hash: 2d2d58700a40642e189f3f1ccea41337486947f5 (40 hex chars, SHA-1 length)
- Network Indicators:
- Scheduled Task Name: Microsoft\Windows\Defrag\CorelDefrag
- Registry Keys:
- HKLM\Software\E9F9EEC3-86CA-4EBE-9AA4-1B55EE8D114E
- HKLM\SOFTWARE\WOW6432Node\MicroWorld\eScan for Windows\ODS (value WTBases_new set to 999)
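The checklist above (scheduled tasks, hosts file, dropped binaries, registry) can be run as a single read-only sweep of a Windows host using the indicators on this page. The script below is an added example written for this article; it is not code from the article's author or from MicroWorld/eScan. Its assumptions are labelled in the comments: the three Reload.exe hash values are the page's single hash field split by length, the hosts-file check looks for any line mentioning "escan" or "microworld" because the article names no blocked host, and the directories searched for the dropped binaries are a guess.

```powershell
# Added example, not from the article or from MicroWorld/eScan: a read-only
# sweep of one Windows host for the indicators listed on this page.
# Assumptions (mine): Reload.exe hashes = the page's 160-hex field split by
# length; hosts-file keywords "escan"/"microworld"; the search roots below.
# Run from an elevated PowerShell session (task and HKLM reads may need it).

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence: the scheduled task named in the article
$TaskPath = '\Microsoft\Windows\Defrag\'
$TaskName = 'CorelDefrag'
$task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $Findings.Add("Scheduled task present: $TaskPath$TaskName -> $actions")
}

# 2. Registry: the malware's own key, and the eScan ODS value it tampers with
$MalwareKey = 'HKLM:\Software\E9F9EEC3-86CA-4EBE-9AA4-1B55EE8D114E'
if (Test-Path $MalwareKey) { $Findings.Add("Registry key present: $MalwareKey") }

$OdsKey = 'HKLM:\SOFTWARE\WOW6432Node\MicroWorld\eScan for Windows\ODS'
if (Test-Path $OdsKey) {
    $ods = Get-ItemProperty -Path $OdsKey -Name 'WTBases_new' -ErrorAction SilentlyContinue
    if ($ods -and $ods.WTBases_new -eq 999) {
        $Findings.Add("eScan ODS\WTBases_new = 999 (value the article ties to blocked updates)")
    }
}

# 3. Hosts file: a blocked update is often a hosts-file redirect. The keyword
#    match is an assumption; the article does not name the affected host.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $HostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match 'escan|microworld' } |
    ForEach-Object { $Findings.Add("Hosts-file line references eScan/MicroWorld: $($_.Trim())") }

# 4. Dropped binaries: hash every file with the named filenames under the
#    assumed roots with all three algorithms and compare against the IOC list,
#    so it does not matter which algorithm each published value used.
$KnownBad = @{
    '1617949c0c9daa2d2a5a80f1028aeb95ce1c0deea928bddfaa536c11c28c8d2c' = 'Reload.exe (64-hex value 1)'
    '5d16e27cbeaf6357ebaf9715d7f34a77a6e1fd455fe0702274958e2096cdd847' = 'Reload.exe (64-hex value 2)'
    '6faa7c6a7d2ad285658d3559855b168d'                                 = 'Reload.exe (32-hex value)'
    '2d2d58700a40642e189f3f1ccea41337486947f5'                         = 'CONSCTLX.exe (40-hex value)'
}
$SearchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, $env:TEMP) |
    Where-Object { $_ -and (Test-Path $_) }

Get-ChildItem -Path $SearchRoots -Recurse -File -Include 'Reload.exe', 'CONSCTLX.exe' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        foreach ($alg in 'SHA256', 'SHA1', 'MD5') {
            $h = (Get-FileHash -Path $file.FullName -Algorithm $alg -ErrorAction SilentlyContinue).Hash
            if ($h -and $KnownBad.ContainsKey($h.ToLower())) {
                $Findings.Add("IOC hash match ($alg) $($file.FullName): $($KnownBad[$h.ToLower()])")
            }
        }
    }

# 5. Report
if ($Findings.Count -eq 0) {
    Write-Output 'No eScan-incident indicators found on this host.'
} else {
    Write-Output "Indicators found ($($Findings.Count)):"
    $Findings | ForEach-Object { Write-Output "  - $_" }
}
```

The sweep never modifies anything, so it is safe to push to a fleet before deciding on remediation. A filename match alone is not reported; only a hash match against the published values counts, which keeps a legitimate file that happens to share a name from producing a false positive. If the hosts-file check fires, compare the flagged line against the vendor's update hostnames before treating it as confirmation.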