• The cryptocurrency miner is distributed via a drive-by download attack that exploits a Flash Player vulnerability.
• The campaign leverages malvertising via adult sites that redirect victims to the Underminer exploit kit landing page.

A newly uncovered campaign uses the Underminer exploit kit (EK) to drop the Hidden Bee cryptocurrency miner. The campaign also exploits a Flash Player flaw to deliver the malware through a drive-by download attack.

The campaign leverages malvertising via adult sites that redirect victims to the Underminer exploit kit’s landing page.

Hidden Bee miner campaign

The cybercriminals behind the campaign are using a server that contains a malicious iframe, which poses as an online dating service, for infection and exploitation purposes.

According to security researchers at Malwarebytes, who discovered the new Hidden Bee campaign, the attackers appear to be targeting victims in Asian countries. The researchers also discovered that unlike other exploit kits, which generally use encryption to obfuscate their landing page and exploits, Underminer requires a key exchange with the backend server to decrypt and execute the exploit.

“The payload served in this campaign is also out of the ordinary because it is not a standard PE file,” Malwarebytes researchers wrote in a blog. “Instead, it is a multiple-stage custom executable format, acting also as a downloader to retrieve LUA scripts used by the threat actors behind the Hidden Bee miner botnet. This was perhaps the first case of a bootkit being used to enslave machines mining cryptocurrencies.”

Underminer EK

The Underminer EK, which was recently discovered by Trend Micro researchers, had not previously been part of this campaign. The attackers behind the campaign had also not used the Flash Player exploit before.

According to Malwarebytes researchers, the entire exploitation and payload retrieval process of the campaign is fairly complicated, especially given that this is a drive-by campaign.

“This attack is interesting on many levels for its use of different technologies both in the exploit delivery part as well as how the payload is packaged. According to our telemetry, we believe it is also focused on a select few Asian countries, which makes sense when taking its payload into consideration,” Malwarebytes researchers noted. “It also shows that threat actors haven’t completely given up on exploit kits, despite a noted downward trend over the last couple of years.”

Cyware Publisher