Delaware, USA – July 30, 2018 – Newly discovered Underminer Exploit Kit targets Asian countries. The first traces of the Exploit Kit were discovered in November 2017, and its operators managed to stay below the radar since the middle of July until the attackers increased the scale and number of target countries. Adversaries started spreading of Hidden Mellifera malware and infected about half a million computers, more than two-thirds of which are located in Japan. They attract victims to Underminer landing page via malicious ads and exploit patched in February vulnerability in Microsoft Internet Explorer CVE-2018-4878 along with two other even older vulnerabilities in IE and Flash player. Its landing page determines browser and Flash Player versions, so the EK attacks only vulnerable versions. Also, the Exploit Kit redirects users already infected with Hidden Mellifera malware to a regular website or an error page, and it avoids detection from antivirus solutions by randomizing the path in the URLs used in the attacks. To ensure the persistence on the infected system, adversaries install a bootkit, which will run the cryptocurrency miner every time the system is booted.
Threat actors behind Underminer EK created a sophisticated exploit chain for mining cryptocurrency. Despite the fact that most Exploit Kit survive the decline, the remaining on the stage are modernized and study new tricks. To protect against them, you need to install all security updates for browsers and Flash Player. It is also necessary to closely monitor Microsoft Windows security events and investigate any suspicious activity. Windows Security Monitor helps SIEM to visualize and profile Active Directory and Windows security events that require a separate investigation.