Hackers compromised MicroWorld Technologies’ update server and fed a malicious file to eScan customers, in a supply-chain-style attack that Morphisec first highlighted on January 29. According to Morphisec’s bulletin, the updates were designed to deploy multi-stage malware to enterprise and consumer endpoints globally, and the malicious changes blocked automatic updates by modifying the HOSTS file and establishing persistence via scheduled tasks.
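The update-blocking technique described above, overriding a vendor's update hostnames in the HOSTS file, leaves a simple artifact a defender can audit. The following Python script is an added example, not code from the article, Morphisec or eScan: it parses HOSTS file text and flags any entry that pins a hostname to a loopback or unspecified address (a sinkhole), or that maps a watchlisted update host anywhere at all. The sample HOSTS content and the `UPDATE_HOSTS` watchlist are constructed placeholders, not eScan's real update domains; on a live system you would read `C:\Windows\System32\drivers\etc\hosts` (or `/etc/hosts`) and substitute your product's actual update hosts. The scheduled-task half of the persistence is a separate Windows-side check and is not covered here.

```python
import ipaddress

# Constructed sample HOSTS file content (hypothetical, not from the incident).
# The *.example-av.test names are placeholders standing in for a product's
# update servers; they are not eScan's real hostnames.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.example-av.test
127.0.0.1       dl.example-av.test   # entry added by the malicious update
192.0.2.10      cdn.example-av.test
127.0.0.1       telemetry.example-vendor.test
"""

# Hypothetical watchlist of the product's update hosts (assumed placeholders).
UPDATE_HOSTS = {
    "update.example-av.test",
    "dl.example-av.test",
    "cdn.example-av.test",
}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS text, ignoring blank and comment lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: no hostname after the address
        ip = parts[0]
        for name in parts[1:]:
            yield ip, name.lower()


def is_sinkhole(ip):
    """True if ip is a loopback or unspecified address (0.0.0.0, 127.x, ::1, ::)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not a valid address; let the caller treat it as unknown
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text, watchlist=UPDATE_HOSTS):
    """Return (hostname, ip, reason) findings for suspicious HOSTS entries.

    A watchlisted update host is reported whether it is sinkholed (loopback /
    unspecified) or redirected to some other address; any other hostname is
    reported only when it is sinkholed, since that is how update blocking
    normally shows up in HOSTS.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue  # the one loopback mapping every HOSTS file legitimately has
        if name in watchlist:
            reason = "sinkholed" if is_sinkhole(ip) else "redirected"
        elif is_sinkhole(ip):
            reason = "sinkholed"
        else:
            continue
        findings.append((name, ip, reason))
    return findings


if __name__ == "__main__":
    for name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{reason:10s} {name} -> {ip}")
```

Any finding against a watchlisted host is a strong signal that automatic updates are being suppressed; a sinkholed host off the watchlist is weaker evidence and should be reviewed against whatever ad-blocking or lab configuration is expected on that machine.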
The compromised file, Reload[.]exe, kicked off the infection chain and delivered additional payloads, with eScan later releasing a utility to help clean the infection and restore normal function. Morphisec said it notified MicroWorld on January 21, one day after detecting malicious activity, and eScan reported unauthorized access to an update server on January 20, isolating the affected servers for over eight hours.
The advisory cited by eScan describes the incident as impacting a regional update server and notes medium-high impact for enterprise customers, while eScan has questioned Morphisec’s assessment and is pursuing the matter with legal counsel.