Threat Report

Wednesday August 1, 2018

According to Trend Micro, a new exploit kit UnderMiner contains features that make it difficult for researchers to track it and reverse engineer its payloads. Trend Micro researchers state that the exploit kit is currently being used against victims in Asian countries, primarily users in Japan. Underminer delivers a bootkit that infects system boot sectors as well as Hidden Mellifera (Hidden Bee), a cryptocurrency-mining malware. Trend Micro researchers first observed the exploit kit on Jul 17, 2018. Also this week, security researchers at McAfee Labs have recently identified an increasing number of actors using fileless attacks. These fileless attacks don’t drop a malware on the system, rather they use the tools installed in the system. Researchers note that one fileless threat, CactusTorch, uses “DotNetToJScript” technique that executes custom shellcode on Windows System straight from the memory.

Malware: UnderMiner

UnderMiner is capable of browser profiling and filtering, preventing client revisits, URL randomization, and asymmetric encryption of payloads. Malware is transferred via an encrypted transmission control protocol (TCP) tunnel and packages malicious files with a customized format (much like the ROM file system format), which makes analysis for researchers difficult. Underminer has been observed exploiting three major vulnerabilities: CVE-2015-5119, CVE-2016-0189, and CVE-2018-4878.

For more information there are a few links below:



Some Mitigation Strategies:

File Integrity Management (FIM) to monitor for the creation of files and scripts
Intrusion detection systems (IDS) would detect communication C2 for additional payloads
Web Filtration would detect the use of malicious urls or unknown sites
24x7 Security Monitoring for malicious behavior and immediate incident response.

Malware: DotNetToJScript

DotNetToJScript doesn’t write any .NET assemblies on the system, that lead security softwares to often fail to detect these type of attack. CactusTorch loads and executes malicious . NET assemblies, which are the smallest deployment of an application. Corporate networks and single users alike are vulnerable to this type of attack. Security applications such as McAfee Endpoint Security (ENS) and Host Intrusion Prevention System (HIPS) clients are protected from this type of fileless attack.



Some Mitigation Strategies:

File Integrity Management (FIM) to monitor for wscript.exe, which is only file created
Intrusion detection systems (IDS) to monitor for malicious outbound communication
24x7 Security Monitoring to check for GPS consistency with locations of vehicles.

Stephen Coty

Stephen Coty