by Jaromir Horejsi and Joseph C. Chen

We discovered a new exploit kit we named Underminer that employs capabilities used by other exploit kits to deter researchers from tracking its activity or reverse engineering the payloads. Underminer delivers a bootkit that infects the system's boot sectors as well as a cryptocurrency-mining malware named Hidden Mellifera. Underminer transfers malware via an encrypted transmission control protocol (TCP) tunnel and packages malicious files in a customized format similar to the ROM file system format (romfs). These make the exploit kit and its payload challenging to analyze.

Underminer appears to be an exploit kit that was created in November 2017. At the time, however, the exploits it used included ones targeting Flash vulnerabilities, and it delivered its payloads filelessly until the malware was installed. Underminer's activity on July 17 revealed it is distributing its payloads mainly to Asian countries.

Hidden Mellifera emerged in May, and reportedly affected as many as 500,000 machines. Hidden Mellifera's authors were also linked to the browser-hijacking trojan Hidden Soul reported in August 2017. This correlation indicates that Underminer was developed by the same cybercriminals, as Underminer also pushed Hidden Mellifera. Moreover, Underminer was delivered via an advertising server whose domain was registered using an email address used by Hidden Mellifera's developers.
Figure 1. Country distribution of Underminer's activities, from July 17 to July 23

Underminer's capabilities

Underminer is outfitted with functionalities also employed by other exploit kits: browser profiling and filtering, prevention of client revisits, URL randomization, and asymmetric encryption of payloads. Underminer's landing page can profile and detect the user's Adobe Flash Player version and browser type via the user-agent. If the client's profile does not match its target of interest, Underminer does not deliver malicious content and instead redirects the client to a normal website. Underminer also sets a token in the browser cookie; if the victim has already accessed the exploit kit's landing page, payloads are not pushed and an HTTP 404 error message is served instead. This prevents Underminer from attacking the same victim twice and deters researchers from reproducing the attack by revisiting its malicious links. Underminer can also randomize the path in each URL it uses in its attacks to evade detection by traditional antivirus (AV) solutions.

Angler, Nuclear, and Astrum, but those use the Diffie-Hellman algorithm.

exploit kits and threat actors also use:
- CVE-2015-5119, a use-after-free vulnerability in Adobe Flash Player patched in July 2015.
- CVE-2016-0189, a memory corruption vulnerability in Internet Explorer (IE) patched in May 2016.
- CVE-2018-4878, a use-after-free vulnerability in Adobe Flash Player patched in February 2018.
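The two landing-page behaviours described above, the one-time token that turns revisits into HTTP 404 responses and the randomized URL paths, both leave a pattern in web proxy logs that a defender can hunt for. The script below is an added example written for this page, not code from Trend Micro or from the Underminer analysis itself; it runs over constructed sample log lines in an assumed five-field format (client IP, method, URL, status, whether a Set-Cookie header was present) and flags hosts that (a) hand several different clients a 200 plus a cookie on first contact and a 404 on the next visit, and (b) serve multiple distinct random-looking path segments. The "random-looking" regex and the thresholds are heuristics chosen for the example, not values from the article.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not taken from the article). Assumed
# fields: client_ip method url status set_cookie(yes|no)
SAMPLE_LOG = """\
10.0.0.5 GET http://ad-example.invalid/a9f3k2x8q1/zt7wq.php 200 yes
10.0.0.5 GET http://ad-example.invalid/a9f3k2x8q1/zt7wq.php 404 no
10.0.0.7 GET http://ad-example.invalid/b7q2n4wz9k/hx3pl.php 200 yes
10.0.0.7 GET http://ad-example.invalid/b7q2n4wz9k/hx3pl.php 404 no
10.0.0.9 GET http://news-example.invalid/articles/2018/07/headline.html 200 yes
10.0.0.9 GET http://news-example.invalid/articles/2018/07/headline.html 200 no
"""

# Heuristic (an assumption for this example): a path segment of 8+ alphanumerics
# that mixes at least three digits and three letters is treated as machine-generated.
RANDOM_SEGMENT = re.compile(
    r"^(?=(?:[^0-9]*[0-9]){3})(?=(?:[^A-Za-z]*[A-Za-z]){3})[A-Za-z0-9]{8,}$"
)


def parse_log(text):
    """Parse the constructed five-field log format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, method, url, status, set_cookie = line.split()
        parts = urlsplit(url)
        records.append({
            "client": client,
            "host": parts.hostname,
            "path": parts.path,
            "status": int(status),
            "set_cookie": set_cookie == "yes",
        })
    return records


def looks_random(segment):
    """True if one path segment (file extension stripped) matches the random heuristic."""
    stem = segment.rsplit(".", 1)[0]
    return bool(RANDOM_SEGMENT.match(stem))


def random_path_hosts(records, min_segments=2):
    """Hosts that served at least `min_segments` distinct random-looking path segments."""
    seen = defaultdict(set)
    for r in records:
        for seg in r["path"].split("/"):
            if seg and looks_random(seg):
                seen[r["host"]].add(seg)
    return {host for host, segs in seen.items() if len(segs) >= min_segments}


def revisit_gated_hosts(records, min_clients=2):
    """Hosts where several clients got 200 + Set-Cookie on first contact and 404 afterwards."""
    first = {}                 # (client, host) -> first record seen for that pair
    gated = defaultdict(set)   # host -> clients showing the revisit-gating pattern
    for r in records:
        key = (r["client"], r["host"])
        if key not in first:
            first[key] = r
            continue
        initial = first[key]
        if initial["status"] == 200 and initial["set_cookie"] and r["status"] == 404:
            gated[r["host"]].add(r["client"])
    return {host for host, clients in gated.items() if len(clients) >= min_clients}


def analyze(text):
    """Run both detections over a log and return the flagged hosts per finding."""
    records = parse_log(text)
    return {
        "random_paths": random_path_hosts(records),
        "revisit_gated": revisit_gated_hosts(records),
    }


if __name__ == "__main__":
    for finding, hosts in analyze(SAMPLE_LOG).items():
        print(finding, sorted(hosts))
```

Neither signal is conclusive on its own: ad servers and CDNs legitimately use opaque path tokens, and a 404 after a cookie is also what an expired session can look like. The value is in the combination, which is why `analyze` reports both findings per host so an analyst can prioritise hosts that appear in both sets.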
- Keep systems and their applications updated, and consider virtual patching, especially for legacy systems and networks.
- Actively monitor the network; firewalls and intrusion detection and prevention systems provide layers of security against malicious traffic.
- Enforce the principle of least privilege: restrict or disable unnecessary or dated applications and components that can be used as entry points.
- Implement defense in depth by employing security mechanisms such as application control and behavior monitoring to prevent unauthorized or malicious applications or processes from executing.