New Underminer exploit kit installs bootkits and coin miners

News by Rene Millman

A new exploit kit that installs bootkits and cryptocurrency miners has been discovered affecting systems in Asian countries.

Dubbed Underminer by security researchers at Trend Micro, the malware was first picked up on 17 July. In a blog post, the researchers said that the exploit kit transfers malware via an encrypted transmission control protocol (TCP) tunnel and packages malicious files with a customised format similar to ROM file system format (romfs).

"These make the exploit kits and its payload challenging to analyse," said researchers.

However, the exploit kit uses only three exploits to infect users: CVE-2015-5119, a use-after-free vulnerability in Adobe Flash Player patched in July 2015; CVE-2016-0189, a memory corruption vulnerability in Internet Explorer (IE) patched in May 2016; and CVE-2018-4878, a use-after-free vulnerability in Adobe Flash Player patched in February 2018.

"When exploiting these vulnerabilities, a malware loader is executed," said researchers.

According to researchers, Underminer is outfitted with functionalities also employed by other exploit kits: browser profiling and filtering, prevention of client revisits, URL randomisation, and asymmetric encryption of payloads.

"Underminer’s landing page can profile and detect the user’s Adobe Flash Player version and browser type via user-agent. If the client’s profile does not match their target of interest, they will not deliver malicious content and redirect it to a normal website instead," said researchers.

The malware also sets a token in the browser cookie; if the victim has already accessed the exploit kit’s landing page, it does not push payloads and instead delivers an HTTP 404 error message.

"This prevents Underminer from attacking the same victim and deters researchers from reproducing the attack by revisiting their malicious links. Underminer can also randomise the path in each URL they use in their attacks to evade detection from traditional antivirus (AV) solutions," said researchers.
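The revisit behaviour described above leaves a pattern defenders can hunt for in web proxy logs: a URL that answers 200 and sets a cookie, then answers 404 to the same client once that cookie is presented. The sketch below is an added example, not code from Trend Micro or from the kit; the log columns, host names and addresses are constructed assumptions, and a hit is a lead for review rather than proof of Underminer.

```python
import csv
import io
from collections import defaultdict

# Constructed proxy records (not real traffic). Assumed columns: time, client,
# host, path, status, set_cookie (response set one), cookie_sent (request had one)
SAMPLE_LOG = """\
2018-07-20T09:00:01,10.0.0.5,ads.example.test,/k3j9x/index.html,200,1,0
2018-07-20T09:05:40,10.0.0.5,ads.example.test,/k3j9x/index.html,404,0,1
2018-07-20T09:01:10,10.0.0.7,shop.example.test,/cart,200,1,0
2018-07-20T09:02:30,10.0.0.7,shop.example.test,/cart,200,0,1
2018-07-20T09:03:00,10.0.0.8,blog.example.test,/old-post,404,0,0
2018-07-20T09:04:00,10.0.0.9,cdn.example.test,/a.js,200,0,0
2018-07-20T09:06:00,10.0.0.9,cdn.example.test,/a.js,404,0,0
"""

FIELDS = ["time", "client", "host", "path", "status", "set_cookie", "cookie_sent"]


def find_revisit_404(log_text):
    """Return sorted (client, host, path) tuples where a URL answered 200 and
    set a cookie, then answered 404 to the same client once a cookie was sent."""
    visits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        visits[(row["client"], row["host"], row["path"])].append(row)

    hits = []
    for key, rows in visits.items():
        rows.sort(key=lambda r: r["time"])  # ISO 8601 timestamps sort lexically
        token_set = False
        for r in rows:
            if r["status"] == "200" and r["set_cookie"] == "1":
                token_set = True  # first visit: content served, token planted
            elif token_set and r["status"] == "404" and r["cookie_sent"] == "1":
                hits.append(key)  # revisit with token: content withheld
                break
    return sorted(hits)


if __name__ == "__main__":
    for client, host, path in find_revisit_404(SAMPLE_LOG):
        print(f"review: {client} -> {host}{path} (200 + cookie, then 404 on revisit)")
```

Ordinary sites that delete a page between two visits will also match, so the output is best correlated with other signals such as Flash content served to Internet Explorer clients.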

The malware also installs a coin miner called "Hidden Mellifera" and has so far infected half a million machines, mostly in Asian countries.

Researchers said that they expected the people behind Underminer to hone their techniques to further obfuscate the ways they deliver their malicious content and exploit more vulnerabilities while deterring security researchers from looking into their activities.

"Exploit kits may be taking a backseat for now, but Underminer shows that they are still relevant threats. They underscore the real-life significance — and to many businesses, a perennial challenge — of patching," they said.

Nicholas Griffin, senior cyber security specialist at Performanta, told SC Media UK that while Underminer’s bootkit feature is interesting, it’s not the scariest part, and defending against it can be as simple as installing a free tool like Cisco’s MBR Filter.

"Many exploit kits have been looking to fill the gap left behind by Angler EK, and Underminer could be the strongest candidate yet. It is a well-thought-out kit that implements many Angler-like features," he said.

"Thankfully, modern browsers are far more naturally resilient to these types of attacks than a few years ago, but if your organisation is still using Internet Explorer then you are unnecessarily exposing yourself to these threats. Strong protections against web-based exploit kits include web security gateway solutions, and EDR technologies that can automatically detect and prevent unusual browser behaviour."
