This New “Underminer” Exploit Kit Is Delivering Up Malware To Asia

Malware researchers at Trend Micro just discovered a new exploit package they have dubbed “Underminer,” which delivers an infectious bootkit to a system’s boot sectors. They have also uncovered a cryptocurrency miner called “Hidden Millifera” as well.

A blog post authored by the Trend Micro Cyber Safety Solutions Team gives analytical details about the exploit. “We discovered a new exploit kit we named Underminer that employs capabilities used by other exploit kits to deter researchers from tracking its activity or reverse engineering the payloads. Underminer delivers a bootkit that infects the system’s boot sectors as well as a cryptocurrency-mining malware named Hidden Mellifera.”

The Underminer Exploit activity was first noticed on July 17 while it was distributing the payloads mainly to Asian countries, especially Japan (69,75%) and Taiwan (10,52%). The Trend Micro blog post says, “Underminer transfers malware via an encrypted transmission control protocol (TCP) tunnel and packages malicious files with a customized format similar to ROM file system format (romfs). These make the exploit kits and its payload challenging to analyze. Underminer appears to have been created in November 2017. In this case, however, the exploits included ones known to compromise Flash vulnerabilities and deliver payloads filelessly until the malware is installed.”

The blog post further explains, “Underminer’s activity on July 17 revealed it is distributing its payloads mainly to Asian countries. Hidden Mellifera emerged in May and reportedly affected as many as 500,000 machines.”

Researchers suggest the bad authors of Hidden Mellifera were linked to Hidden Soul, the browser-hijacking Trojan first reported in August 2017. The fact that the Underminer exploit kit also pushed Hidden Mellifera suggests Underminer has been developed by the same group of cybercriminals. According to the blog, “Conversely, Underminer was delivered via an advertising server whose domain was registered using an email address used by Hidden Mellifera’s developers.”

The Trend Micro post also details the functionalities of the Underminer exploit kit. “Underminer is outfitted with functionalities also employed by other exploit kits: browser profiling and filtering, preventing of client revisits, URL randomization, and asymmetric encryption of payloads. Underminer’s landing page can profile and detect the user’s Adobe Flash Player version and browser type via user-agent. If the client’s profile does not match their target of interest, they will not deliver malicious content and redirect it to a normal website instead. Underminer also sets a token to the browser cookie; if the victim already accessed the exploit kit’s landing page, payloads are not pushed and instead delivers an HTTP 404 error message. This prevents Underminer from attacking the same victim and deters researchers from reproducing the attack by revisiting their malicious links. Underminer can also randomize the path in each URL they use in their attacks to evade detection from traditional antivirus (AV) solutions.”

In their post, the Trend Micro Cyber Safety Solutions Team explains in detail how the Underminer kit hides its exploits. Underminer exploits have many security flaws that are also used by other kits and threat actors. These include CVE-2015-5119, a use-after-free vulnerability in Adobe Flash Player patched in July 2015, CVE-2016-0189, a memory corruption vulnerability in Internet Explorer (IE) patched in May 2016 and CVE-2018-4878, a use-after-free vulnerability in Adobe Flash Player patched in February 2018.

The Trend Micro blog post says, “When exploiting these vulnerabilities, a malware loader is executed. Each has similar infection chains but differ in execution. When exploiting CVE-2016-0189, a scriptlet (.sct file) containing JScript code is executed via regsvr32.exe. The JScript code will drop a dynamic-link library (DLL) that will be executed with rundll32.exe, which loads and executes a second-stage downloader from the exploit kit. When exploiting the Flash vulnerabilities, Underminer will directly execute a shellcode to download an executable without the MZ header. This is akin to the first loader or DLL dropped from the scriptlet. The loader will retrieve the same second-stage downloader then inject it to a newly opened rundll32.exe process. The infection chain for the Flash exploits is actually fileless until the malware is installed in the system.”

TrendMicro has also published a technical brief which further explains how the bootkit and cryptocurrency-mining malware are delivered via an encrypted TCP tunnel by the second-stage downloader.

Mitigation Measures

Some best practices can be adopted as mitigation measures, including:

• Actively monitoring networks
• Patching systems and networks
• Keeping all systems and their applications updated
• Hardening security layers against malicious traffic using firewalls and  intrusion detection and prevention systems
• Restricting or disabling unnecessary or dated applications and components
• Employing security mechanisms like application control, behavior monitoring, and such for implementing in-depth defense
• Employing a multi-layered approach to cybersecurity