As part of the malware operation, referred to as GuptiMiner, the threat actor exploited a vulnerability in the eScan antivirus update mechanism and performed a man-in-the-middle (MitM) attack to replace the legitimate update package with a malicious one. eScan is a brand of India-based MicroWorld.
Once the antivirus unpacks and loads the malicious payload, a DLL is sideloaded to continue the infection chain, which involves multiple shellcodes and intermediary loaders. After being notified of the attacks last year, eScan told Avast that it had addressed the issue and hardened the update mechanism.
