Malware News: New Underminer Exploit Kit Delivers Bootkit and Cryptocurrency-mining Malware with Encrypted TCP Tunnel

silversurfer

Thread author
Author: Trend Micro Cyber Safety Solutions Team

We discovered a new exploit kit we named Underminer that employs capabilities used by other exploit kits to deter researchers from tracking its activity or reverse engineering the payloads. Underminer delivers a bootkit that infects the system’s boot sectors as well as a cryptocurrency-mining malware named Hidden Mellifera. Underminer transfers malware via an encrypted transmission control protocol (TCP) tunnel and packages malicious files in a customized format similar to the ROM file system format (romfs). These make the exploit kit and its payload challenging to analyze.

Underminer’s activity started on July 17, distributing its payloads mainly to Asian countries. Hidden Mellifera emerged in May, and reportedly affected as many as 500,000 machines. Hidden Mellifera’s authors were also linked to the browser-hijacking trojan Hidden Soul reported in August 2017. This correlation indicates that Underminer was developed by the same cybercriminals, as Underminer also pushed Hidden Mellifera. Moreover, Underminer was delivered via an advertising server whose domain was registered using an email address used by Hidden Mellifera’s developers.

https://documents.trendmicro.com/as...bootkit-and-cryptocurrency-mining-malware.pdf
 
