securelist.com 1/29/2026, 3:26:12 PM · via preferred

Supply chain attack on eScan antivirus: detecting and remediating malicious updates

On 20 January, a supply chain attack hit the eScan antivirus from Indian firm MicroWorld Technologies, with the infected software delivered via the eScan update server. Users received a malicious Reload[.]exe that initiated a multi-stage infection chain, and the malware gained persistence by creating scheduled tasks such as one named CorelDefrag, while another file, consctlx[.]exe, was written to disk.

According to Morphisec, the attackers gained access to a regional update server and deployed a malicious file that was automatically distributed to customers; the incident is described as unauthorized access to infrastructure, not a vulnerability, and the malicious file carried a fake invalid digital signature. By 21 January, after being informed by Morphisec, the eScan developers had contained the security incident and reset all access credentials.

To help detect infection, Securelist advises checking scheduled tasks, inspecting the hosts file under %WinDir%\System32\drivers\etc\hosts for blocked eScan domains, and reviewing update logs for 20 January, with a removal utility and rollback tools made available by eScan’s technical support.
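The following triage script is an added example written for this summary; it is not Securelist's or eScan's code. It checks the three host-level indicators the article names (a CorelDefrag scheduled task, the dropped consctlx.exe / Reload.exe binaries, and hosts-file entries that block eScan domains); the search directories and the "hostname contains escan" match are assumptions, and update-log review is left to eScan's own tools because the page does not give the log path.

```powershell
# Added triage script (not from Securelist or eScan). Checks the indicators the
# article lists: a scheduled task named CorelDefrag, the dropped file consctlx.exe
# (and the delivered Reload.exe), and eScan domains blocked via the hosts file.
# Assumptions: binaries are searched only under the common drop locations below,
# and a "blocked eScan domain" is any active hosts entry containing "escan".
$findings = @()

# 1. Scheduled tasks: the article names CorelDefrag; record any task with that name.
$tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -ieq 'CorelDefrag' }
foreach ($t in $tasks) {
    $action = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += [pscustomobject]@{ Type = 'ScheduledTask'
                                    Detail = "$($t.TaskPath)$($t.TaskName) -> $action" }
}

# 2. Dropped files: search a few likely locations (assumption) and note the
#    Authenticode status, since the article says the malicious file carried an
#    invalid signature.
$searchRoots = @($env:ProgramData, $env:ProgramFiles, ${env:ProgramFiles(x86)},
                 "$env:WinDir\Temp", $env:TEMP)
$names = @('consctlx.exe', 'Reload.exe')
foreach ($root in $searchRoots) {
    if (-not $root -or -not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Include $names -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $findings += [pscustomobject]@{ Type = 'File'
                                            Detail = "$($_.FullName) (signature: $($sig.Status))" }
        }
}

# 3. hosts file: entries that sinkhole eScan domains keep the fix from arriving.
$hostsPath = Join-Path $env:WinDir 'System32\drivers\etc\hosts'
if (Test-Path $hostsPath) {
    Get-Content $hostsPath |
        Where-Object { $_ -notmatch '^\s*#' -and $_ -match 'escan' } |
        ForEach-Object { $findings += [pscustomobject]@{ Type = 'HostsEntry'; Detail = $_.Trim() } }
}

if ($findings.Count -eq 0) { 'No eScan supply-chain indicators found on this host.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell session so scheduled tasks and Program Files are readable; a non-empty table means the host should be handed to eScan's removal utility and rollback tools rather than cleaned by hand.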

Article by CyberSIXT