The Underminer exploit kit has surfaced numerous times since 2019, but here it is back again delivering the Amadey malware, as the Malwarebytes Threat Intelligence team found last week.
An exploit kit (EK), or an exploit pack, is a type of toolkit cybercriminals use to attack vulnerabilities in systems, for them to be able to distribute malware or perform other malicious activities. Exploit kits are packaged with exploits that can target commonly installed software, such as Adobe Flash®, Java®, Microsoft Silverlight®.
A typical exploit kit usually provides a management console, a bunch of vulnerabilities targeted to different applications, and several add-on functions that make it easier for a cybercriminal to launch an attack. Exploit kits typically integrate vulnerabilities of popular applications, which many users leave poorly patched.
It can also be used by someone who does not have any experience writing software code for creating, customizing, and distributing malware.
Underminer Exploit Kit
Underminer EK was first seen in the wild in 2017, targeting Asian countries by first deploying bootkits. This is a malware loaded during the boot process, which controlled the operating system start up, modifying the system before security components are loaded, for OS persistency and then a coinminer at a later stage. Back then, this EK spread by malvertising and exploiting browser vulnerabilities. One of the coinminers distributed by this EK was “Hidden Bee” - a covertly running Chinese miner.
When we dig into the Underminer EK, the authors seem to have a good grasp of anti-debugging techniques, as they applied plenty of them. We will discuss some interesting ones below.
The first check this EK performs is the use of assembly rdtsc instruction – this instruction is used to determine how many CPU ticks have taken place since the processor was reset. This can also be used as an anti-debugging technique. The most common way is to use this instruction to get the current timestamp, save it in a register, then get another timestamp and check if the delta between the two is below the exact number of ticks that were pre-decided by the author. In our sample, the second timestamp and the comparison were carried out long after the first timestamp was saved in the memory:
Figure 1 First Timestamp check
Next, in case the Avast library is loaded into the running process, the EK detaches the DLL_LOAD signal from aswhook.dll (Avast Hook Library) so that Avast AV will not capture the later DLL loading event.
Figure 2 DLL_LOAD Detach
The Underminer remaps ntdll.dll and several others, a technique that might be used to bypass User-Mode Hooks.
The kit also checks if one of the following security products are installed under C:\Program Data by checking for the existence of the following products’ directories:
- Avast Software
- Kaspersky Lab
- Panda Security
- Doctor Web
In addition, Underminer EK uses several more popular techniques to check whether the process is being actively debugged. This EK didn’t perform any anti-vm or anti-emulation techniques.
Later, the malware creates a “3e5d740863” folder under C:\Users\Username\AppData\local\Temp (user’s temporary directory)and copies itself into it. The malware will add a registry key ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders’ and pass the newly created folder path as a key value, which is a persistency technique in which the folder’s content will be executed at user login, known as MITRE T1547.001.
After the file copy, the malware will execute the newly copied file and terminate the current process.
To become even more persistent in the system, Underminer creates a scheduled task that will execute malicious file every day at 01:00 AM. The scheduled task name is the executable's name, and it is run with the user's credentials.
Our sample connects two command and control servers, and passes the information of the infected station to them:
The information being passed is:
- Victim ID
- A version of the malware
- PC name
- We assume, the number of binaries installed
The next stage is to download and execute additional malware. We checked the malware twice and got two different executables; one of them was an Oski Stealer and another new, well packed .Net stealer.
Oski Stealer is a malicious information stealer, which was first introduced in November 2019. The Oski stealer steals personal and sensitive credentials from its target, eventually being misused to clean out the user’s liquid assets.
The second stealer, (with the original name of ‘Licensing.exe’) seems to have some code borrowed from RedLine Stealer. It steals browser credentials, crypto wallets, file share credentials etc. It connects to the command-and-control server via the 16713 TCP port.
As a side note, info stealers might be co-opted into the cycle of various kinds of attacks, and ransomware campaigns in particular. While serving a reliable method for criminals to obtain credentials tied to financial accounts, they have also started using ‘information stealers’ to obtain corporate remote network login credentials, like virtual private networks (VPNs) or remote desktop software. corporate remote network login credentials, like virtual private networks (VPNs) or remote desktop software.
Without being dependent on the drop file, Underminer exploit kit creates a new registry key to gain persistence over the dropped malware. The key will be added under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
At the time this blog was published, the command-and-control server was still operating and continues to distribute different types of malware.
Minerva Labs Hostile Environment Simulation and Critical Asset Protection modules prevent the remap of DLLs required for Underminer exploit kit to carry out its attack, thus preventing additional malware drops.
To learn more about about malware prevention:
- 7a7a128a51a5e153c55481518bdffe67093e94d99845531918ff50875a13e5fe – dllhost.exe – Underminer EK
- 0fa23ba39a85ad3a28d71e1d50edc2c39046d2ffe36fb257e8953acee7726924 – vt.zip – Oski Stealer
- eb0c56870fb482ff798dab0048ff1b8a7010f6ce6b769e9ffffc569070898624 – ic.exe (Licencing.exe)
- web.jsonpost[.]xyz – C&C server
- web.xmlpost[.]xyz – C&C server
- web.jsonpost[.]xyz/sj2vMs/index.php?scr=1 – C&C server
- web.xmlpost[.]xyz/sj2vMs/index.php?scr=1 – C&C server
- http://169.197.142[.]162/vt.zip - Oski Stealer
169.197.142[.]162 - Underminer C&C
194.124.213[.]221 – Licensing C&C