On January 20, a supply chain compromise was identified involving the eScan antivirus product developed by MicroWorld Technologies. A previously unknown malware was distributed to customers through a compromised eScan regional update server. The same day, our security solutions detected and blocked multiple attack attempts leveraging this malicious update.
On January 21, following notification from Morphisec, eScan developers successfully contained the incident by isolating the affected infrastructure and revoking exposed credentials.
Initial Infection Vector
The attack was executed through the distribution of a malicious Reload.exe file, delivered as part of a legitimate eScan update. This file replaced the genuine component located at: C:\Program Files (x86)\eScan\reload.exe
The malicious executable was digitally signed with a fake, invalid certificate (certificate serial number: 68525dadf70c773d41609ff7ca499fb5).
Telemetry indicates that hundreds of machines—belonging to both individual users and organizations—were targeted, with the majority of affected systems located in India, Bangladesh, Sri Lanka, and the Philippines.
Malware Behavior and Infection Chain
The compromised Reload.exe file initiated a multi-stage infection chain:
- It verified that it was executing from the Program Files directory and terminated otherwise.
- It initialized the Common Language Runtime (CLR) and loaded a .NET payload in memory (SHA-1: eec1a5e3bb415d12302e087a24c3f4051fca040e).
- The payload was based on a modified version of UnmanagedPowerShell, enhanced with an AMSI bypass, allowing malicious PowerShell to execute inside the Reload.exe process.
The embedded PowerShell script executed three Base64-encoded payloads, each responsible for a distinct stage of the attack.
Payload 1: eScan Tampering
The first payload focused on disabling and weakening the eScan antivirus to prevent detection and recovery. Key actions included:
- Deleting multiple eScan components, including C:\Program Files (x86)\Common Files\MicroWorld\WGWIN\tvqsapp.exe.
- Creating ZIP backups of the deleted files in C:\ProgramData\esfsbk.
- Adding critical system directories (C:\Windows, C:\Program Files, C:\Program Files (x86)) to the antivirus exclusions.
- Blocking eScan update servers (e.g., update1.mwti.net) via the HOSTS file, redirecting them to 2.3.4.0.
- Manipulating antivirus database registry values, such as setting WTBases_new to 999.
During execution, a debug log was written to: C:\ProgramData\euapp.log
Although eScan’s self-defense mechanisms prevented some actions (notably HOSTS file modification), the update process became nonfunctional, displaying misleading success messages while failing to download updates.
Finally, this payload replaced CONSCTLX.exe with a persistent malicious component.
Payload 2: AMSI Bypass
The second payload implemented a direct AMSI bypass, locating the AmsiScanBuffer function in memory and patching it to always return an error. This effectively disabled script scanning for subsequent PowerShell execution.
Payload 3: Victim Validation and Persistence
The third payload performed environment validation before proceeding further:
- Enumerated installed software, services, and running processes.
- Compared results against a blocklist of security and analysis tools.
- Systems running Kaspersky products were explicitly excluded from further infection.
If validation succeeded, the payload established persistence by:
- Storing an encoded payload in the registry: HKLM\Software\E9F9EEC3-86CA-4EBE-9AA4-1B55EE8D114E (value: Corel).
- Creating a scheduled task, Microsoft\Windows\Defrag\CorelDefrag, which executed a PowerShell script daily at a random time, decoding and running the stored payload.
A heartbeat request was then sent to attacker-controlled infrastructure to signal successful deployment.
Persistent Components
The infection resulted in two independent persistence mechanisms:
- Malicious CONSCTLX.exe
  - Executed by legitimate eScan components.
  - Loaded the CLR and executed PowerShell internally.
  - Updated Eupdate.ini to falsify the last update timestamp, hiding the update failure from users.
  - Retrieved fallback shellcode payloads from C2 servers if needed.
- PowerShell-based payload
  - Re-applied the AMSI bypass and victim validation.
  - Communicated system information to C2 servers using RC4-encrypted cookies.
  - Allowed attackers to deliver additional PowerShell scripts on demand.
These redundant mechanisms ensured resilience even if one persistence vector was removed.
Command-and-Control Infrastructure
The malware communicated with the following attacker-controlled endpoints:
- vhs.delrosal[.]net
- tumama.hns[.]to
- blackice.sol-domain[.]org
- codegiant.io
- csc.biologii[.]net
- airanks.hns[.]to
Responses were either ignored (heartbeat) or used to deliver encrypted shellcode or scripts.
Attack Assessment
Supply chain attacks delivered through security software updates are exceptionally rare. This incident required attackers to:
- Gain unauthorized access to eScan update infrastructure.
- Reverse-engineer internal update mechanisms.
- Develop tailored implants that blend into legitimate antivirus workflows.
Despite the sophistication, the attackers relied on user-mode techniques (PowerShell, scheduled tasks), which significantly improved detectability and limited the overall impact.
Mitigation and Detection Guidance
Users are advised to:
- Review scheduled tasks for CorelDefrag.
- Inspect the HOSTS file for blocked eScan update domains.
- Check eScan update logs from January 20.
- Search for indicators such as C:\ProgramData\euapp.log and the registry key E9F9EEC3-86CA-4EBE-9AA4-1B55EE8D114E.
MicroWorld has released a cleanup and recovery utility, available through eScan technical support, which removes the malware and restores normal antivirus functionality.
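The checks above can be run in one pass. The following PowerShell triage script is an added example, not the report's own tooling and not MicroWorld's recovery utility: it looks for the CorelDefrag task, the registry key and its Corel value, HOSTS entries that sink eScan/MicroWorld update hosts or point at 2.3.4.0, the euapp.log and esfsbk artifacts, the deleted tvqsapp.exe component, and the Authenticode serial of reload.exe. The paths, task name, key and serial come from the report; the decision to check the WOW6432Node registry view as well (a 32-bit writer is redirected there) and the eScan-installed check are assumptions of this script. Run it elevated; it reports findings and makes no changes.

```powershell
# Added triage script (not part of the original report or MicroWorld's utility).
# Run as Administrator on a host with eScan installed. Indicators are taken from the
# report; WOW6432Node handling and the "eScan installed" test are this script's assumptions.

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Scheduled task used by the PowerShell persistence: Microsoft\Windows\Defrag\CorelDefrag
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Defrag\' -TaskName 'CorelDefrag' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Add-Finding 'ScheduledTask' "CorelDefrag present, action: $actions"
}

# 2. Registry key holding the encoded payload. The report gives HKLM\Software; a 32-bit writer
#    would be redirected to WOW6432Node, so both views are checked (assumption).
foreach ($hive in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
    $key = Join-Path $hive 'E9F9EEC3-86CA-4EBE-9AA4-1B55EE8D114E'
    if (Test-Path $key) {
        $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Corel
        $desc = if ($val) { "value 'Corel' holds $($val.ToString().Length) chars" } else { "value 'Corel' absent" }
        Add-Finding 'Registry' "$key exists ($desc)"
    }
}

# 3. HOSTS file: entries for eScan/MicroWorld update hosts, or the 2.3.4.0 sink address.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsFile -ErrorAction SilentlyContinue | ForEach-Object {
    $line = ($_ -split '#')[0].Trim()          # strip comments before matching
    if ($line -match 'mwti\.net|escan' -or $line -match '^2\.3\.4\.0\s') {
        Add-Finding 'Hosts' "suspicious entry: $line"
    }
}

# 4. Dropped artifacts: the debug log and the ZIP backups of deleted components.
foreach ($p in 'C:\ProgramData\euapp.log', 'C:\ProgramData\esfsbk') {
    if (Test-Path $p) { Add-Finding 'Artifact' "$p present" }
}

# 5. eScan component the first payload deletes (only meaningful when eScan is installed).
$tvq = 'C:\Program Files (x86)\Common Files\MicroWorld\WGWIN\tvqsapp.exe'
if ((Test-Path 'C:\Program Files (x86)\eScan') -and -not (Test-Path $tvq)) {
    Add-Finding 'MissingComponent' "$tvq missing"
}

# 6. Authenticode check on reload.exe: the malicious build carried an invalid certificate
#    with serial 68525dadf70c773d41609ff7ca499fb5.
$reload = 'C:\Program Files (x86)\eScan\reload.exe'
if (Test-Path $reload) {
    $sig = Get-AuthenticodeSignature -FilePath $reload
    $serial = if ($sig.SignerCertificate) { $sig.SignerCertificate.SerialNumber } else { '' }
    if ($serial -ieq '68525dadf70c773d41609ff7ca499fb5') {
        Add-Finding 'Signature' "reload.exe signed with the known-bad serial $serial"
    } elseif ($sig.Status -ne 'Valid') {
        Add-Finding 'Signature' "reload.exe signature status: $($sig.Status)"
    }
}

if ($Findings.Count -eq 0) { 'No eScan supply-chain indicators found.' } else { $Findings | Format-Table -AutoSize }
```

A clean result from this script is not proof of a clean host: the report notes that eScan's self-defense blocked the HOSTS modification on some systems, the malicious CONSCTLX.exe persistence is not covered here because the report does not give a hash or signature for it, and the "update logs from January 20" check still has to be done by hand in the eScan log directory. Treat any single finding as grounds to run MicroWorld's cleanup utility and to pull the host's PowerShell and task-scheduler logs for the period.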
Detection Coverage
Kaspersky security solutions, including Kaspersky Next, successfully detect all known components of this attack using Behavior Detection.
