• The Underminer exploit kit comes packed with detection-evading features.
  • Underminer transfers malware via an encrypted TCP tunnel.

A new exploit kit called Underminer has been uncovered by security researchers. Cybercriminals are using it to infect systems with a cryptocurrency-mining malware called Hidden Mellifera.

Underminer delivers its malware through an encrypted transmission control protocol (TCP) tunnel and packages the malicious files in a customized format, which makes them difficult for security researchers to analyse.

Who created Underminer?

According to security researchers at Trend Micro, who discovered the new exploit kit, the new Underminer campaign began on July 17 and has since infected numerous systems across Asia. Meanwhile, the Hidden Mellifera cryptocurrency miner first appeared in May and has since infected around 500,000 systems across the globe.

Trend Micro researchers believe that the cybercriminals behind Hidden Mellifera are linked to the operators of Hidden Soul, a browser-hijacking malware from 2017. The researchers suspect that Underminer was written by the same group that developed Hidden Mellifera and Hidden Soul.

The researchers found that Underminer was delivered via an ad server whose domain was registered using the same email address used by Hidden Mellifera’s developers.

Underminer’s capabilities

Like other exploit kits, Underminer includes browser profiling and filtering, prevention of client revisits, URL randomization and more.

“Underminer’s landing page can profile and detect the user’s Adobe Flash Player version and browser type via user-agent,” Trend Micro researchers wrote in a blog. “If the client’s profile does not match their target of interest, they will not deliver malicious content and redirect it to a normal website instead.”

The exploit kit also sets a token in the browser cookie. A client that presents the token is not attacked a second time, which both stops Underminer from hitting the same victim twice and impedes researchers’ attempts to reproduce the attack from the same browser.

Modus operandi

Underminer encrypts its exploit code so that captured traffic cannot simply be replayed. Before any vulnerability is exploited, the landing page generates a random key on the client and sends it to the C2 server; the key is protected in transit with RSA.

“Underminer also employs RSA encryption during the key’s transmission to further protect it (the random key is encrypted with a public key embedded on their code). It can only be decrypted by a private key, which only Underminer’s operators know,” Trend Micro researchers said. “This technique is similar to one used by other exploit kits, notably Angler, Nuclear, and Astrum, but those use the Diffie-Hellman algorithm.”

Although exploit kits may no longer be cybercriminals’ go-to tools, the new Underminer campaign shows that, despite having taken a back seat, they remain a persistent threat.

“Like other exploits before it, we expect Underminer to hone their techniques to further obfuscate the ways they deliver their malicious content and exploit more vulnerabilities while deterring security researchers from looking into their activities,” Trend Micro researchers said. “And given the nature of their operations, we also expect them to diversify their payloads.”

Cyware Publisher