Bypass Record

DLL Side-Loading × eScan antivirus

A publicly-reported instance of DLL Side-Loading bypassing eScan antivirus, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: eScan antivirus
Technique: DLL Side-Loading
MITRE ATT&CK: T1574.002
Confidence: High
Severity: Critical
Status: In the wild
Disclosed: 2024-04-23
Config / version noted: Not stated

Provenance

Reported as

eScan delivered updates over unencrypted HTTP without digital signature verification, allowing MitM to replace updates with malware.

Mechanism

eScan delivered updates over unencrypted HTTP without digital signature verification. Attackers in a MitM position intercepted the update requests and replaced the update package with a malicious one that used DLL hijacking to load GuptiMiner. The infection chain also used a custom DNS server for C2 communication and, later, IP address masking.

Detection & mitigation

Monitor eScan processes for unexpected DLLs loaded from non-standard paths, especially where those processes also make network connections to suspicious domains. Ensure update traffic uses HTTPS and that digital signatures on update binaries are verified before they are applied. Deploy endpoint detection rules for known GuptiMiner indicators (file hashes, C2 IPs and domains).

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.