Underminer Exploit Kit Delivers Bootkit and Cryptocurrency-mining Malware
It drops a bootkit that infects the system's boot sectors and a cryptocurrency-mining malware called Hidden Mellifera. Underminer secures its malware transfers through an encrypted transmission control protocol (TCP) tunnel and packs the malware as read-only filesystem (romfs) files.
Security researchers from Trend Micro detected Underminer's activity on July 17, 2018; the kit primarily targets Asian countries. The encrypted tunnel and the uncommon romfs container make the payloads harder for researchers to retrieve and analyze.
Underminer was first observed in November 2017 and exploits the following vulnerabilities: CVE-2016-0189, a memory corruption vulnerability in Internet Explorer (IE); CVE-2015-5119, a use-after-free vulnerability in Adobe Flash Player; and CVE-2018-4878, another use-after-free vulnerability in Adobe Flash Player.
According to the researchers, Underminer has several capabilities: browser profiling and filtering, prevention of client revisits, URL randomization, and asymmetric encryption of payloads.
When a user reaches the exploit kit's landing page, it checks the browser's user-agent and the installed Adobe Flash Player version. If the client profile does not suit Underminer, it redirects the user to a normal website instead of attempting an infection.
It also sets a token in a browser cookie; if the same client accesses the malicious URL again, it is redirected to an HTTP 404 error page. The kit protects its exploit code and traffic with asymmetric RSA encryption combined with the symmetric ciphers RC4 or Rabbit.
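The gating logic described above, as an added example in Python that is not part of the original article or of Trend Micro's analysis. It models the landing-page decision: a revisiting client (recognised by the token in its cookie) gets a 404, a non-IE client is redirected to a benign site, and a matching client receives an exploit chosen by its Flash build together with a fresh token. The decoy URL, the Flash version cut-offs (taken from Adobe's advisories for the two CVEs) and the selection order are assumptions about how such a kit might choose, not Underminer's actual rules, and the Flash version is passed in directly where a real kit would probe it with script.

```python
import secrets

DECOY_URL = "https://example.org/"   # assumed stand-in for the benign site the kit redirects to

# Highest Flash Player build still exploitable by each Flash CVE the kit carries.
# Cut-offs come from Adobe's advisories (APSA18-01, APSB15-16), not from the article;
# the newest-first order and the IE-only fallback are assumptions for this model.
FLASH_EXPLOITS = [
    ("CVE-2018-4878", (28, 0, 0, 137)),   # fixed in 28.0.0.161
    ("CVE-2015-5119", (18, 0, 0, 194)),   # fixed in 18.0.0.203
]
IE_EXPLOIT = "CVE-2016-0189"            # VBScript engine bug, needs no Flash at all


def parse_flash_version(text):
    """'28,0,0,126' or '28.0.0.126' -> (28, 0, 0, 126); None if absent or malformed."""
    if not text:
        return None
    parts = text.replace(",", ".").split(".")
    try:
        ver = tuple(int(p) for p in parts)
    except ValueError:
        return None
    return ver if len(ver) == 4 else None


def is_internet_explorer(user_agent):
    """IE identifies itself with 'MSIE' (IE <= 10) or the Trident engine token (IE 11)."""
    return "MSIE" in user_agent or "Trident/" in user_agent


def landing_page(user_agent, flash_version, cookie_token, seen_tokens):
    """Model of the kit's gate; returns a dict describing the HTTP response.

    seen_tokens is the set of tokens already handed out, i.e. the kit's revisit memory.
    """
    # 1. Revisit check: a client that already carries a known token gets a 404, so the
    #    page cannot be fetched twice (for instance by an analyst replaying the URL).
    if cookie_token and cookie_token in seen_tokens:
        return {"status": 404, "body": "Not Found"}

    # 2. Profiling: only Internet Explorer clients are candidates; everyone else is
    #    sent to a harmless site and never sees exploit code.
    if not is_internet_explorer(user_agent):
        return {"status": 302, "location": DECOY_URL}

    # 3. Exploit selection by Flash build, newest CVE first; IE-only bug otherwise.
    ver = parse_flash_version(flash_version)
    chosen = IE_EXPLOIT
    if ver is not None:
        for cve, max_vulnerable in FLASH_EXPLOITS:
            if ver <= max_vulnerable:
                chosen = cve
                break

    # 4. Hand out a fresh token so the next visit from this client is refused.
    token = secrets.token_hex(16)
    seen_tokens.add(token)
    return {"status": 200, "exploit": chosen, "set_cookie": "token=" + token}
```

The practical consequence for analysis is the revisit rule: replaying a captured landing-page URL with the same cookie jar returns nothing but a 404, so a sandbox or replay tool should discard cookies and present an IE user-agent and a plausible Flash build before expecting to see the exploit stage.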
How The Underminer Exploitation Happens
The threat actors behind Underminer exploit multiple security flaws; the infection chains share the same structure but differ in how they execute.
The infection chain for the Flash exploits CVE-2015-5119 and CVE-2018-4878 is fileless: it starts with shellcode executed in iexplore.exe, which downloads a malicious cabinet (CAB) file that is run with rundll32.exe and retrieves the second-stage payload.
The second stage downloads additional payloads through the encrypted TCP tunnel; the third stage decodes them from the romfs container and executes them.
In the fourth stage, coredll.bin reads the configuration files, checks the environment and then drops the files. coredll's main function is to migrate itself based on that configuration: its execution flow is moved into another process, usually one signed by the manufacturer or a currently running antivirus program.
In the fifth and final stage, setup2.pkg installs the bootkit from the romfs file and pgfs.pkg installs the cryptocurrency-mining malware. Trend Micro published a blog post with the full technical description.
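The romfs container used by the third and fifth stages above is the ordinary Linux ROM filesystem, whose layout is fixed and documented: a 16-byte superblock starting with the magic "-rom1fs-", a volume name, and then a linked list of 16-byte file headers, each followed by a NUL-terminated name and the file data, everything aligned to 16 bytes. Below is an added example, not code from the original article or from Trend Micro, of a small romfs builder and reader in Python, so an analyst can unpack what a stage decodes from such an image and notice a tampered one. The image built here is constructed from dummy file names and contents and says nothing about the real payload's layout.

```python
import struct

MAGIC = b"-rom1fs-"
ROMFH_EXEC = 8            # executable flag in the low nibble of the next pointer
ROMFH_TYPE = 7            # type field in the low nibble (0..7)
TYPE_NAMES = {0: "hardlink", 1: "dir", 2: "file", 3: "symlink",
              4: "blockdev", 5: "chardev", 6: "socket", 7: "fifo"}


def _pad16(b):
    """romfs aligns every header, name and data blob to 16 bytes."""
    return b + b"\0" * (-len(b) % 16)


def _word_sum(buf):
    """Sum of big-endian 32-bit words, mod 2**32 (romfs checksum rule: must be 0)."""
    total = 0
    for i in range(0, len(buf) - len(buf) % 4, 4):
        total += struct.unpack(">I", buf[i:i + 4])[0]
    return total & 0xFFFFFFFF


def _read_name(image, off):
    """Read a NUL-terminated, 16-byte-padded name; return (name, offset after it)."""
    end = image.index(b"\0", off)
    return bytes(image[off:end]), off + ((end - off + 1 + 15) // 16) * 16


def build_romfs(volume, files):
    """Build a flat romfs image with one regular file per (name, data) item.

    Constructed sample only: no directories, links or device nodes.
    """
    sb_name = _pad16(volume + b"\0")
    offset = 16 + len(sb_name)           # offset of the first file header
    items = list(files.items())
    entries = b""
    for i, (name, data) in enumerate(items):
        pname, pdata = _pad16(name + b"\0"), _pad16(data)
        entry_len = 16 + len(pname) + len(pdata)
        next_off = offset + entry_len if i < len(items) - 1 else 0
        # header: next | type (2 = regular file), spec.info, size, checksum
        hdr = bytearray(struct.pack(">IIII", next_off | 2, 0, len(data), 0)) + pname
        hdr[12:16] = struct.pack(">I", (-_word_sum(hdr)) & 0xFFFFFFFF)
        entries += bytes(hdr) + pdata
        offset += entry_len
    size = 16 + len(sb_name) + len(entries)
    image = bytearray(MAGIC + struct.pack(">II", size, 0) + sb_name + entries)
    # superblock checksum covers the first 512 bytes (or the whole image if smaller)
    image[12:16] = struct.pack(">I", (-_word_sum(image[:512])) & 0xFFFFFFFF)
    return bytes(image)


def parse_romfs(image, verify=True):
    """Walk the file-header chain; return (volume name, list of entry dicts)."""
    if image[:8] != MAGIC:
        raise ValueError("not a romfs image")
    size = struct.unpack(">I", image[8:12])[0]
    if size > len(image):
        raise ValueError("superblock size exceeds image")
    if verify and _word_sum(image[:512]) != 0:
        raise ValueError("superblock checksum mismatch")
    volume, off = _read_name(image, 16)
    entries, seen = [], set()
    while off:
        # a crafted image can point headers at each other or past the end
        if off in seen or off + 16 > size:
            raise ValueError("corrupt header chain at offset %d" % off)
        seen.add(off)
        nxt, spec, fsize, _ = struct.unpack(">IIII", image[off:off + 16])
        name, data_off = _read_name(image, off + 16)
        ftype = nxt & ROMFH_TYPE
        entries.append({
            "name": name.decode(errors="replace"),
            "type": TYPE_NAMES[ftype],
            "exec": bool(nxt & ROMFH_EXEC),
            "offset": off,
            "spec": spec,
            # only regular files and symlinks carry data inline
            "data": bytes(image[data_off:data_off + fsize]) if ftype in (2, 3) else b"",
        })
        off = nxt & ~0xF
    return volume.decode(errors="replace"), entries


def header_ok(image, off):
    """Per-header checksum (header + padded name sums to 0). genromfs sets it but
    the Linux driver does not check it, so a mismatch is only a hint of tampering."""
    hlen = _read_name(image, off + 16)[1] - off
    return _word_sum(image[off:off + hlen]) == 0


def extract_files(image):
    """Convenience: {name: data} for every regular file in the image."""
    return {e["name"]: e["data"] for e in parse_romfs(image)[1] if e["type"] == "file"}
```

The reader verifies the superblock checksum by default because a payload that was truncated or patched in transit fails it; pass verify=False to carve what is still readable from a damaged capture. The guard on the header chain matters when the input is attacker-controlled: a romfs image with a header whose next pointer loops back would otherwise keep a naive parser spinning.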
How To Fight Back
It is always recommended to keep applications updated and to patch systems and the network. If the backdoor has already been planted on an infected host, blocking its communication with the attackers' infrastructure can immobilize it.
Deploy a backdoor and web-shell protection system to identify and intercept malicious incoming requests.