On 2023-01-20, MicroWorld Technologies, the developer of eScan antivirus, experienced a security breach when an unknown threat actor compromised its software update infrastructure. The breach resulted in malware being deployed to customer systems.
Malware Deployment Details
The attack involved a backdoor hidden in the file Reload.exe, which altered eScan's configuration to prevent future updates. This backdoor also created a scheduled task to ensure persistence and communicated with a command-and-control server to download a specialized malware downloader.
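The persistence step described above (a scheduled task registered by the backdoor) is the kind of behaviour a defender can triage from Windows Security event 4698, which records every scheduled task creation together with the task's XML definition. The following is an added example, not code from eScan, Morphisec or the original report: it parses constructed, simplified 4698 records and flags tasks whose action runs from a location outside an assumed allowlist of install roots, runs as LocalSystem, or fires at boot or logon. The allowlist, the event layout and the sample events are assumptions made for the example; the only value taken from the text above is the file name Reload.exe, and a name match alone is treated as weak evidence.

```python
"""Heuristic triage of Windows 4698 (scheduled task created) events.

Added example for the persistence behaviour described in the text: it looks
for task registrations whose action runs from an untrusted location, runs as
LocalSystem, or fires at boot/logon.  Events and the allowlist are constructed
for the example; they are not eScan or Morphisec data.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed allowlist of install roots; a real deployment would derive this from
# its software inventory rather than hard-code it.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# File name taken from the incident summary; a name match on its own is weak
# evidence and only adds weight to a finding.
WATCHLIST_NAMES = {"reload.exe"}

# Environment variables that task actions commonly use for their command path.
ENV_EXPANSIONS = {
    "%windir%": "c:\\windows",
    "%systemroot%": "c:\\windows",
    "%programfiles%": "c:\\program files",
}


@dataclass
class Finding:
    task_name: str
    command: str
    reasons: list = field(default_factory=list)


def normalize_command(raw: str) -> str:
    """Lower-case, strip surrounding quotes and expand common env vars."""
    cmd = raw.strip().strip('"').lower()
    for var, value in ENV_EXPANSIONS.items():
        cmd = cmd.replace(var, value)
    return cmd


def analyze_task(task_name: str, task_xml: str) -> Optional[Finding]:
    """Return a Finding when the task definition shows persistence-style traits."""
    root = ET.fromstring(task_xml)
    cmd_el = root.find(".//t:Actions/t:Exec/t:Command", TASK_NS)
    command = normalize_command(cmd_el.text or "") if cmd_el is not None else ""
    user_el = root.find(".//t:Principals/t:Principal/t:UserId", TASK_NS)
    user_id = (user_el.text or "").strip() if user_el is not None else ""
    triggers = root.find("t:Triggers", TASK_NS)
    trigger_tags = {child.tag.split("}")[-1] for child in triggers} if triggers is not None else set()

    untrusted = not command.startswith(TRUSTED_ROOTS)
    reasons = []
    if untrusted:
        reasons.append("executable outside trusted install directories")
        if user_id == "S-1-5-18":
            reasons.append("runs as LocalSystem from an untrusted location")
        if trigger_tags & {"BootTrigger", "LogonTrigger"}:
            reasons.append("boot/logon trigger from an untrusted location (persistence)")
    if command.rsplit("\\", 1)[-1] in WATCHLIST_NAMES:
        reasons.append("file name matches a component named in the incident report")
    return Finding(task_name, command, reasons) if reasons else None


def triage_events(events: list) -> list:
    """Run analyze_task over simplified 4698 records (EventID, TaskName, TaskContent)."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4698:
            continue
        finding = analyze_task(ev["TaskName"], ev["TaskContent"])
        if finding:
            findings.append(finding)
    return findings


def _task_xml(command: str, trigger: str, user_id: str) -> str:
    """Build a minimal task definition in the schema 4698 embeds (constructed)."""
    return (
        '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<Triggers><{trigger}><Enabled>true</Enabled></{trigger}></Triggers>"
        f'<Principals><Principal id="Author"><UserId>{user_id}</UserId></Principal></Principals>'
        f"<Actions><Exec><Command>{command}</Command></Exec></Actions>"
        "</Task>"
    )


# Constructed sample events: two ordinary registrations and one that mirrors the
# described behaviour (unexpected location, LocalSystem, boot trigger).
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": _task_xml("%windir%\\system32\\defrag.exe", "CalendarTrigger", "S-1-5-18")},
    {"EventID": 4698, "TaskName": "\\Vendor\\Update Check",
     "TaskContent": _task_xml('"C:\\Program Files\\Vendor\\updater.exe"', "TimeTrigger", "S-1-5-18")},
    {"EventID": 4698, "TaskName": "\\Updater",
     "TaskContent": _task_xml("C:\\ProgramData\\Reload.exe", "BootTrigger", "S-1-5-18")},
]

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f.task_name, f.command, "; ".join(f.reasons))
```

Only the third sample event produces a finding; the two ordinary tasks run from allowlisted roots and are ignored even though one of them also runs as LocalSystem, which is what keeps the rule from firing on every built-in maintenance task.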
Response and Attribution
eScan reported that only one regional update server was affected by the breach. The server was promptly taken offline and remediated. Despite the severity of the incident, neither eScan nor cybersecurity firm Morphisec has attributed the attack to any specific threat actor.
Previous Incidents
In 2024, Avast reported that North Korean-linked actors, identified as Kimsuky, exploited the same eScan update mechanism to deploy backdoors and a cryptominer. This highlights ongoing vulnerabilities in software update infrastructures.