Tuesday, April 16, 2024

Dangerous Underminer Exploit Kit Delivers a Cryptocurrency-mining Malware and Bootkit

By Guru baran

A new exploit kit dubbed Underminer spreading through advertising servers that delivers bootkit which affects system boot sectors and the cryptocurrency-mining malware called Hidden Mellifera.

Underminer manages to secure the malware transfers through encrypted transmission control protocol (TCP) and it packs malware as read-only filesystem ROM files.

Security researchers from Trend Micro detected the Underminer’s activity on July 17 at it is primarily targeting Asian countries. The encryption tunnel and dumb file format make payload challenging to analyze for researchers.

Underminer

The exploit appeared to be created in November 2017 and it exploiting the following vulnerabilities.

CVE-2016-0189 memory corruption vulnerability in Internet Explorer (IE)
CVE-2015-5119 use-after-free vulnerability in Adobe Flash Player
CVE-2018-4878 use-after-free vulnerability in Adobe Flash Player

Underminer Encrypted Tunnel and Capabilities

According to researchers, Underminer contains multiple functionalities such as browser profiling and filtering, preventing of client revisits, URL randomization, and asymmetric encryption of payloads.

When the user’s accessed the exploit kit’s landing page it detects the user’s browser Agent type and the Adobe Flash Player version. If the client profile, not suits for Underminer it redirect’s user’s to the normal site instead of causing an infection.

Also, it set’s a token with a browser cookie and if the user accesses the malicious URL again it redirects them to an HTTP page with 404 error message.

It protects the exploit code and the traffic by using an asymmetric RSA encryption and the symmetric algorithms RC4 or Rabbit.

Before the exploitation Underminer generates a random key and passes to command-and-control (C&C) server. the same key to be used for encrypting javascript and exploits.

Decryption of the exploit payload or javascript can be done only with the private key that Underminer’s operators know.

Underminer Exploitation

Threat actors behind exploit Underminer exploit multiple security flaws and has similar infection chain but differs with execution.

With the Internet Explorer (IE) Exploit CVE-2016-0189, a malicious javascript file downloaded and executed through regsvr32.exe and the malicious DLL loaded executed with rundll32.exe that retrieves the second stage payload.

The infection chain for flash exploit CVE-2015-5119 & CVE-2018-4878 is fileless, the infection starts with the shellcode executed through iexplorer.exe that downloads the malicious cabinet file executed with rundll32.exe that retrieves the second stage payload.

Underminer

The second payload downloads additional payloads via encrypted TCP tunnel and the third stage of the payload decodes them from romfs and execute it.

In the fourth stage, it coredll.bin reads the configuration files, checks the environment and then drops the files.coredll’s the main function is to migrate it self-based on the configuration. The coredll execution flow is migrated to another process which is usually signed by the manufacturer or currently running an AV program.

The fifth and the final stage of the payload, the setup2.pkg responsible for installing the bootkit from the romfs file and the pgfs.pkg installs the cryptocurrency-mining Malware. Trend Micro published a blog post along with the technical description.

“we expect Underminer to hone their techniques to further obfuscate the ways they deliver their malicious content and exploit more vulnerabilities while deterring security researchers from looking into their activities.” researchers said.

Mitigations

It is always recommended to update your application and to patch your system’s and network.

If the backdoor was already uploaded on an infected server, it is possible to block the communication between to immobilize the backdoor.

Deploying a backdoor shell protection systems to identify and intercept all malicious incoming request.

Also Read

Most Advanced Backdoor Obfuscation and Evasion Technique That used by Hackers

Hackers Distributing FELIXROOT Backdoor Malware using Microsoft Office Vulnerabilities

Malwarebytes New Browser Extension That Protects you From Visiting Malicious Websites

New Variant of Dangerous Kronos Banking Malware Spreading via Malicious Word Documents

Centralized Patch Management

Managed WAF Protection

Website

Latest articles

Cyber Attack

Hacker Customize LockBit 3.0 Ransomware to Attack Orgs Worldwide

Cybersecurity researchers at Kaspersky have uncovered evidence that cybercriminal groups are customizing the virulent...
CVE/vulnerability

Microsoft .NET, .NET Framework, & Visual Studio Vulnerable To RCE Attacks

A new remote code execution vulnerability has been identified to be affecting multiple Microsoft...
Apple

LightSpy Hackers Indian Apple Device Users to Steal Sensitive Data

The revival of the LightSpy malware campaign has been observed, focusing on Indian Apple...
Android

LightSpy Malware Attacking Android and iOS Users

A new malware known as LightSpy has been targeting Android and iOS users.This sophisticated...
Tech

This Startup Aims To Simplify End-to-End Cybersecurity, So Anyone Can Do It

The Web3 movement is going from strength to strength with every day that passes....
CVE/vulnerability

Alert! Palo Alto RCE Zero-day Vulnerability Actively Exploited in the Wild

In a recent security bulletin, Palo Alto Networks disclosed a critical vulnerability in its...
CVE/vulnerability

6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

The software supply chain is filled with various challenges, such as untracked security vulnerabilities...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

    • Book Your Spot

Related Articles

Connect with GBHackers On Security

Join 70,000 Security Professionals

Stay safe online with free daily cybersecurity updates. Sign up now!

GBHackers on security is a highly informative and reliable Cyber Security News platform that provides the latest and most relevant updates on Cyber Security News, Hacking News, Technology advancements, and Kali Linux tutorials on a daily basis. The platform is dedicated to keeping the community well-informed and up-to-date with the constantly evolving Cyber World.

Menu

Contact US:

Email : [email protected]