# New Underminer Exploit Kit Discovered Pushing Bootkits and CoinMiners

[bleepingcomputer.com/news/security/new-underminer-exploit-kit-discovered-pushing-bootkits-and-coinminers/](https://www.bleepingcomputer.com/news/security/new-underminer-exploit-kit-discovered-pushing-bootkits-and-coinminers/)

By [Catalin Cimpanu](https://www.bleepingcomputer.com/author/catalin-cimpanu/), July 28, 2018 10:33 AM

Security researchers have discovered a new exploit kit, currently active mainly in Asian countries, which, they say, has been busy spreading bootkits and cryptocurrency-mining (coinminer) malware.

This new exploit kit (EK) has been named Underminer in [a report published yesterday](https://blog.trendmicro.com/trendlabs-security-intelligence/new-underminer-exploit-kit-delivers-bootkit-and-cryptocurrency-mining-malware-with-encrypted-tcp-tunnel/) by security firm Trend Micro. The company says it discovered the first clues of its existence last week, around July 17.

But fellow security firm Malwarebytes, which released [an adjacent report](https://blog.malwarebytes.com/threat-analysis/2018/07/hidden-bee-miner-delivered-via-improved-drive-by-download-toolkit/) that focused mainly on the coinminer malware spread by Underminer, says it tracked down earlier signs of this EK's activity dating back to late 2017, when it was [first mentioned by Chinese security firm Qihoo 360](http://webcache.googleusercontent.com/search?q=cache%3Ahttp%3A%2F%2Fbobao.360.cn%2Finterref%2Fdetail%2F248.html&ie=utf-8&oe=utf-8&client=firefox-b-ab).

The EK appears to have spent quite a few months operating at a smaller scale before expanding its activity to other countries. According to Trend Micro, most of the web traffic flowing into Underminer is from Japan (70%), while the rest comes from Taiwan (10%), South Korea (6%), and other countries with smaller percentages.
## EK uses a small number of exploits

At the technical level, the exploit kit is still small in terms of the number of exploits it deploys to infect users with malware. Researchers have spotted only three. They are:

- **CVE-2015-5119** — a use-after-free vulnerability in Adobe Flash Player patched in July 2015
- **CVE-2016-0189** — a memory corruption vulnerability in Internet Explorer (IE) patched in May 2016
- **CVE-2018-4878** — a use-after-free vulnerability in Adobe Flash Player patched in February 2018

None is specific to Underminer, and all have been used by other EKs in the past, suggesting the EK authors have built their operation by copying the ones before it.

## Underminer has been deploying Hidden Bee malware

As for the malware delivery mechanism used in recent campaigns, the EK has been seen using encrypted TCP tunnels to deploy a bootkit first —for OS persistence— and then a coinminer. Trend Micro calls this coinminer "Hidden Mellifera," while Malwarebytes refers to it as "Hidden Bee," the same name it received in the Chinese infosec community last year, when it was first spotted and analyzed [[1](http://www.freebuf.com/column/174581.html), [2](http://www.freebuf.com/column/175106.html)].

Exploit kits have been on a downward trend in the past two to three years, and usually [keeping an up-to-date browser and OS is enough to safeguard users from getting infected](https://www.bleepingcomputer.com/news/security/an-up-to-date-browser-should-keep-users-safe-from-most-exploit-kits/). A few new exploit kits pop up on the market once in a while, but all are short-lived, as they have a hard time keeping their operation at profitable levels, mainly because modern browsers are harder and harder to hack, while Flash usage has gone down in recent years [[1](https://www.bleepingcomputer.com/news/security/google-chrome-flash-usage-declines-from-80-percent-in-2014-to-under-8-percent-today/), [2](https://www.bleepingcomputer.com/news/software/flash-used-on-5-percent-of-all-websites-down-from-285-percent-seven-years-ago/)].