Underminer Exploit Kit Spreading Bootkits and Cryptocurrency Miners

A new exploit kit, Underminer, delivers a bootkit that infects the system's boot sectors.

Trend Micro researchers found the new exploit kit and dubbed it Underminer. It distributes a bootkit that not only infects the boot sectors of the system but also deploys a cryptocurrency miner dubbed Hidden Mellifera.

Trend Micro's published analysis reads: “We discovered a new exploit kit we named Underminer that employs capabilities used by other exploit kits to deter researchers from tracking its activity or reverse engineering the payloads. Underminer delivers a bootkit that infects the system’s boot sectors as well as a cryptocurrency-mining malware named Hidden Mellifera.”

Researchers first observed Underminer activity on July 17th, 2018, while it was delivering payloads mostly to countries in Asia: Taiwan (10.52%) and Japan (69.75%).

Underminer transfers its malicious payloads via an encrypted transmission protocol (a TCP tunnel) and packages its malicious files in its own customized format, akin to the ROM file system format (romfs). This, in turn, makes analyzing the malicious code a difficult task, experts say.
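The article describes Underminer's container only as a customized format akin to romfs, so the following is an added example rather than code from Trend Micro or from the exploit kit analysis. It builds a small standard romfs image from constructed sample files and parses it back, verifying the `-rom1fs-` magic, the zero-sum 32-bit checksums and the 16-byte-aligned file header chain as documented for the Linux romfs driver. An analyst triaging a romfs-style blob can use the stock layout as a reference and then note where a customized variant deviates (magic string, alignment, checksum rule). File names and contents are constructed for the demo; `build_romfs` and `parse_romfs` are hypothetical helper names.

```python
import struct

ROMFS_MAGIC = b"-rom1fs-"
# Low 3 bits of the "next" field encode the entry type; bit 3 marks executable.
FILE_TYPES = {0: "hardlink", 1: "directory", 2: "file", 3: "symlink",
              4: "blockdev", 5: "chardev", 6: "socket", 7: "fifo"}
MAX_DEPTH = 32  # guards against header chains that recurse forever


def _align16(n):
    return (n + 15) & ~15


def _checksum(data):
    """Sum of big-endian 32-bit words mod 2**32. romfs stores a checksum word
    chosen so that this sum over the covered bytes is zero."""
    total = 0
    for i in range(0, len(data) - len(data) % 4, 4):
        total = (total + struct.unpack(">I", data[i:i + 4])[0]) & 0xFFFFFFFF
    return total


def _fix_checksum(block, cs_offset):
    """Return block with the word at cs_offset set so _checksum(block) == 0."""
    buf = bytearray(block)
    buf[cs_offset:cs_offset + 4] = b"\0\0\0\0"
    buf[cs_offset:cs_offset + 4] = struct.pack(">I", (-_checksum(bytes(buf))) & 0xFFFFFFFF)
    return bytes(buf)


def _pad_name(name):
    """NUL-terminated name padded to a 16-byte boundary."""
    raw = name.encode("ascii") + b"\0"
    return raw + b"\0" * (_align16(len(raw)) - len(raw))


def build_romfs(volume, files):
    """Constructed demo builder: root directory holding regular files only."""
    off = 16 + len(_pad_name(volume))  # superblock: magic, size, checksum, name
    entries = []
    for name, data in files:
        nm = _pad_name(name)
        padded = data + b"\0" * (_align16(len(data)) - len(data))
        entries.append((off, nm, data, padded))
        off += 16 + len(nm) + len(padded)
    total = off
    body = b""
    for i, (eoff, nm, data, padded) in enumerate(entries):
        nxt = (eoff + 16 + len(nm) + len(padded)) if i < len(entries) - 1 else 0
        hdr = struct.pack(">IIII", nxt | 2, 0, len(data), 0) + nm  # type 2 = regular file
        body += _fix_checksum(hdr, 12) + padded
    image = ROMFS_MAGIC + struct.pack(">II", total, 0) + _pad_name(volume) + body
    cut = min(512, total)  # superblock checksum covers the first 512 bytes (or the whole image)
    return _fix_checksum(image[:cut], 12) + image[cut:]


def _read_name(image, off):
    end = off
    while True:
        chunk = image[end:end + 16]
        if len(chunk) < 16:
            raise ValueError("truncated name field")
        end += 16
        if b"\0" in chunk:
            break
    return image[off:end].split(b"\0", 1)[0].decode("ascii", "replace"), end


def _walk(image, off, visited, depth):
    if depth > MAX_DEPTH:
        raise ValueError("directory nesting too deep")
    entries = []
    while off != 0:
        if off in visited or off + 16 > len(image):
            raise ValueError("bad file header chain at offset %d" % off)
        visited.add(off)
        next_raw, spec, size, _ = struct.unpack(">IIII", image[off:off + 16])
        name, data_off = _read_name(image, off + 16)
        if _checksum(image[off:data_off]) != 0:
            raise ValueError("file header checksum mismatch at offset %d" % off)
        ftype = FILE_TYPES.get(next_raw & 7, "unknown")
        entry = {"name": name, "type": ftype, "exec": bool(next_raw & 8), "size": size}
        if ftype == "file":
            if data_off + size > len(image):
                raise ValueError("file data runs past end of image")
            entry["data"] = image[data_off:data_off + size]
        elif ftype == "directory":
            entry["children"] = _walk(image, spec, visited, depth + 1)  # spec = first child header
        entries.append(entry)
        off = next_raw & ~0xF  # clear type/exec bits to get the next header offset
    return entries


def parse_romfs(image):
    """Validate and walk a standard romfs image; raises ValueError on any inconsistency."""
    if image[:8] != ROMFS_MAGIC:
        raise ValueError("not a romfs image: bad magic")
    full_size, = struct.unpack(">I", image[8:12])
    if full_size > len(image):
        raise ValueError("declared size exceeds image length")
    if _checksum(image[:min(512, full_size)]) != 0:
        raise ValueError("superblock checksum mismatch")
    volume, first = _read_name(image, 16)
    return {"volume": volume, "size": full_size, "entries": _walk(image, first, set(), 0)}


if __name__ == "__main__":
    img = build_romfs("payloads", [("stage1.bin", b"A" * 20), ("config", b"{}")])
    for e in parse_romfs(img)["entries"]:
        print(e["name"], e["type"], e["size"])
```

The round trip is the point: a blob that passes `parse_romfs` unchanged is plain romfs, while a blob with the right magic that fails the checksum or alignment checks is where a customized variant starts to show, and those deviations are what an analyst would document.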

It appears that the Underminer exploit kit was created sometime back in November of 2017. At that time it contained only code for exploiting Flash vulnerabilities, and it used fileless payloads for the delivery and execution of the malware.
