The “Underminer” exploit kit is having widespread impact in Asian countries, particularly Japan. Thankfully, mitigation is relatively simple and involves patching and other well-known security best practices.
Contrary to popular belief, the exploit kit is not dead yet. “Underminer,” an exploit kit named and discovered by Trend Micro, is having widespread impact in Asian countries, particularly Japan. Its nefarious bootkit affects the system’s boot sectors and delivers a coin-mining payload named Hidden Mellifera.
While the continued decline of Adobe Flash has led to a reduction in the prevalence of exploit kits, enterprises need to remember that this attack vector remains a real problem. Underminer is quite sophisticated and has many of the capabilities used by other problematic exploit kits, including user-agent/browser profiling to determine the Flash Player version and cookie detection to prevent repeated visits to the exploit site. In addition, it RSA-encrypts its traffic prior to exploitation.
The following diagram from Trend Micro provides a useful high-level view of the stages and vectors of Underminer:
As of 4:45 am EDT on July 27, the antivirus (AV) programs tested by VirusTotal have very limited coverage of the provided SHA-256 checksums (3/40). However, that’s bound to change with time and is likely due to the localized exploitation. Thankfully, mitigation is relatively simple and involves patching and other well-known security best practices, such as removing or disabling unnecessary browser plugins, good firewall hygiene, antivirus updates, user awareness and so on.
Antivirus programs tested by VirusTotal
Tenable’s Coverage for Underminer Exploit Kit
Adobe Flash Player
MS KB3065823: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
MS16-051: Cumulative Security Update for Internet Explorer (3155533)
MS16-053: Cumulative Security Update for JScript and VBScript (3156764)
Adobe Flash Player
KB4074595: Security update for Adobe Flash Player (February 2018)
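As an added example that is not part of the original post or Tenable's own tooling, the following PowerShell function checks a Windows host for the updates named in the coverage list above and reports the installed Flash ActiveX (Internet Explorer) version. It assumes the KB numbers from the list (KB3065823, KB3155533, KB3156764, KB4074595) and assumes the Flash ActiveX version is recorded under the registry key HKLM:\SOFTWARE\Macromedia\FlashPlayerActiveX; both assumptions are marked in the code.

```powershell
# Added example, not Tenable's or Trend Micro's code.
# Checks whether the updates referenced in the Underminer coverage list are present
# and reports the Flash ActiveX (IE) version, so a defender can triage hosts quickly.
function Test-UnderminerPatches {
    [CmdletBinding()]
    param(
        # KB identifiers taken from the coverage list above (assumed as the full set to check).
        [string[]]$RequiredKBs = @('KB3065823', 'KB3155533', 'KB3156764', 'KB4074595'),
        # Registry location for the Flash ActiveX version (assumption; adjust if absent).
        [string]$FlashKey = 'HKLM:\SOFTWARE\Macromedia\FlashPlayerActiveX'
    )

    # Get-HotFix reads Win32_QuickFixEngineering; collect the installed HotFixIDs once.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

    # Any required KB that does not appear in the installed set needs investigation.
    $missing = $RequiredKBs | Where-Object { $installed -notcontains $_ }

    # Report the Flash ActiveX version if the key exists, otherwise note it is absent.
    if (Test-Path $FlashKey) {
        $flashVersion = (Get-ItemProperty -Path $FlashKey).Version
    } else {
        $flashVersion = 'not installed'
    }

    [PSCustomObject]@{
        ComputerName  = $env:COMPUTERNAME
        MissingKBs    = @($missing)
        FlashActiveX  = $flashVersion
        # A host with no missing KBs is not proven safe; see the note below.
        NeedsReview   = (@($missing).Count -gt 0)
    }
}

# Usage: run on the host under review, or remotely via Invoke-Command.
Test-UnderminerPatches | Format-List
```

Treat a KB reported as missing as a prompt to investigate rather than a verdict: the bulletin-level KB numbers listed above are often superseded by later cumulative updates, and Get-HotFix does not list every update installed on a system, so confirm with the vulnerability scanner (the Tenable plugins above) before concluding that a host is exposed. Conversely, a host that has every KB but still has an old Flash ActiveX version installed, or that does not need Flash at all, is a candidate for removing the plugin entirely, which is the mitigation the post recommends.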