Underminer EK

Security researchers have discovered a new exploit kit, currently active mainly in Asian countries, which, they say, has been busy spreading bootkits and cryptocurrency-mining (coinminer) malware.

This new exploit kit (EK) has been named Underminer in a report published yesterday by security firm Trend Micro. The company says it discovered the first clues of its existence last week, around July 17.

But fellow security firm Malwarebytes, which released an adjacent report that focused mainly on the coinminer malware spread by Underminer, says it tracked down earlier signs of this EK's activity dating back to late 2017 when it was first mentioned by Chinese security firm Qihoo 360.

The EK appears to have spent quite a few months operating at a smaller scale before expanding its activity to other countries.

According to Trend Micro, most of the web traffic flowing into Underminer is from Japan (70%), while the rest comes from Taiwan (10%), South Korea (6%), and other countries with smaller percentages.

EK uses a small number of exploits

At the technical level, the exploit kit is still small in terms of the number of exploits it deploys to infect users with malware. Researchers have spotted only three. They are:

CVE-2015-5119 —a use-after-free vulnerability in Adobe Flash Player patched in July 2015
CVE-2016-0189 —a memory corruption vulnerability in Internet Explorer (IE) patched in May 2016
CVE-2018-4878 —a use-after-free vulnerability in Adobe Flash Player patched in February 2018

None is specific to Underminer, and all have been used by other EKs in the past, suggesting the EK authors have built their operation by copying the ones before it.

Underminer has been deploying Hidden Bee malware

As for the malware delivery mechanism used in recent campaigns, the EK has been seen using encrypted TCP tunnels to deploy a bootkit first —for OS persistence— and then a coinminer.

Trend Micro calls this coinminer "Hidden Mellifera," while Malwarebytes refers to it as "Hidden Bee," the same name it received in the Chinese infosec community last year, when it was first spotted and analyzed [1, 2].

Exploit kits have been on a downward trend in the past two-three years, and usually keeping an up-to-date browser and OS is enough to safeguard users from getting infected.

A few new exploits pop up on the market once in a while, but all are short-lived, as they have a hard time keeping their operation at profitable levels, mainly because modern browsers are harder and harder to hack, while Flash usage has gone down in recent years [1, 2].

Underminer modus operandi

Related Articles:

HookAds Malvertising Installing Malware via the Fallout Exploit Kit

Linux CryptoMiners Are Now Using Rootkits to Stay Hidden

Exposed Docker APIs Continue to Be Used for Cryptojacking

CoinMiners Use New Tricks to Impersonate Adobe Flash Installers

Fallout Exploit Kit Now Installing the Kraken Cryptor Ransomware