A new exploit kit dubbed Underminer has been discovered to spread through advertising servers delivering bootkits targeting system boot sectors to inject cryptocurrency, often called crypto mining malware.
Malware researchers have spotted a new exploit kit that ultimately infects the boot sectors of targeted victims’ PCs with a cryptocurrency miner dubbed Hidden Mellifera.
“We discovered a new exploit kit we named Underminer that employs capabilities used by other exploit kits to deter researchers from tracking its activity or reverse engineering the payloads.” reads an excerpt from the analysis published by TrendMicro.
Specifically, the rootkit delivers a malware through an encrypted transmission control protocol (TCP) tunnel and includes malicious files with a format similar to ROM file system format, making it a difficult channel to analyze the exploit kit and its payload. This is not the first time when crypto mining malware is deployed to mind cryptocurrencies.
Initially discovered in July 2017, the exploit kit only contained code for Flash vulnerability exploits at the time and delivered fileless payloads to execute the malware.
The Underminer EK also includes functionalities used by other exploit kits, including:
- Browser filtering and filtering;
- URL randomization;
- Preventing of client revisits;
- Asymmetric encryption of payloads
The exploit kit also uses RSA encryption to safeguard the exploit code and prevent their traffic from being replayed. Underminer also generates a random key to send it to its command-and-control (C&C) server before exploiting the vulnerabilities.
TrendMicro researchers concluded:
Like other exploits before it, we expect Underminer to hone their techniques to further obfuscate the ways they deliver their malicious content and exploit more vulnerabilities while deterring security researchers from looking into their activities. And given the nature of their operations, we also expect them to diversify their payloads.
Image credit: LIFARS archive.