silversurfer
Author: Trend Micro Cyber Safety Solutions Team
We discovered a new exploit kit we named Underminer that employs capabilities used by other exploit kits to deter researchers from tracking its activity or reverse engineering the payloads. Underminer delivers a bootkit that infects the system’s boot sectors as well as a cryptocurrency-mining malware named Hidden Mellifera. Underminer transfers malware via an encrypted transmission control protocol (TCP) tunnel and packages malicious files with a customized format similar to ROM file system format (romfs). These make the exploit kit and its payload challenging to analyze.
Underminer’s activity started on July 17, distributing its payloads mainly to Asian countries. Hidden Mellifera emerged in May, and reportedly affected as many as 500,000 machines. Hidden Mellifera’s authors were also linked to the browser-hijacking trojan Hidden Soul reported in August 2017. This correlation indicates that Underminer was developed by the same cybercriminals, as Underminer also pushed Hidden Mellifera. Conversely, Underminer was delivered via an advertising server whose domain was registered using an email address used by Hidden Mellifera’s developers.
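Since the payload described above is a bootkit that writes to the boot sectors, the defender-side check that follows from it is a baseline-and-compare of the disk's first sector. The script below is an added example, not Trend Micro's code and not tied to Underminer's specific bytes: it fingerprints the bootstrap code region, the partition table and the 0x55AA signature of a 512-byte MBR separately, so that a change to the bootstrap code shows up even when the partition table (which a bootkit normally leaves intact so the machine still boots) is unchanged. The sample sectors are constructed for the demo; in practice you would read the first 512 bytes from a forensic image or raw device.

```python
"""Baseline-and-compare check of a 512-byte master boot record.

Added example (not Trend Micro's code). Assumes the caller can provide the
raw first sector of a disk as bytes; the sample MBRs below are constructed.
"""
import hashlib
import io

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
BOOTSTRAP_END = 446      # bytes 0..445: bootstrap code
TABLE_END = 510          # bytes 446..509: four 16-byte partition entries


def read_boot_sector(stream) -> bytes:
    """Read exactly one sector from a binary file-like object (image or raw device)."""
    data = stream.read(SECTOR_SIZE)
    if len(data) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(data)}")
    return data


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fingerprint(sector: bytes) -> dict:
    """Hash the regions of the MBR independently so findings can be localised."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    return {
        "bootstrap": _sha256(sector[:BOOTSTRAP_END]),
        "partition_table": _sha256(sector[BOOTSTRAP_END:TABLE_END]),
        "signature_ok": sector[TABLE_END:SECTOR_SIZE] == BOOT_SIGNATURE,
    }


def compare(current: dict, baseline: dict) -> list:
    """Return a list of human-readable findings; an empty list means no change."""
    findings = []
    if not current["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if current["bootstrap"] != baseline["bootstrap"]:
        findings.append("bootstrap code differs from baseline")
    if current["partition_table"] != baseline["partition_table"]:
        findings.append("partition table differs from baseline")
    return findings


def make_sample_mbr(patch: bytes = b"") -> bytes:
    """Constructed sample MBR: a short bootstrap stub, one partition entry, signature.

    `patch`, if given, overwrites the first bytes of the bootstrap code to
    simulate a modified first sector. Not a real bootkit image.
    """
    stub = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C])  # xor ax,ax / mov ss,ax / mov sp,7c00h
    code = stub.ljust(BOOTSTRAP_END, b"\x00")
    if patch:
        code = patch + code[len(patch):]
    entry = bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF,
                   0x3F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00])
    table = entry + b"\x00" * 48
    return code + table + BOOT_SIGNATURE


# Constructed inputs: the "known good" sector and one with two bootstrap bytes altered.
CLEAN_MBR = make_sample_mbr()
TAMPERED_MBR = make_sample_mbr(patch=b"\x90\x90")


def demo() -> list:
    """Record a baseline from the clean image, then check the altered one."""
    baseline = fingerprint(read_boot_sector(io.BytesIO(CLEAN_MBR)))
    current = fingerprint(read_boot_sector(io.BytesIO(TAMPERED_MBR)))
    return compare(current, baseline)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

The baseline fingerprint should be taken when the system is known clean (for example right after provisioning) and stored off-host; re-running the comparison from a trusted boot environment avoids a bootkit hiding its own sector modifications from the running OS.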
https://documents.trendmicro.com/as...bootkit-and-cryptocurrency-mining-malware.pdf