Underminer Exploit Kit -The More You Check, The More Evasive You Become

The Underminer exploit kit has surfaced numerous times since 2019, but here it is back again delivering the Amadey malware, as the Malwarebytes Threat Intelligence team found last week.

Exploit Kit

An exploit kit (EK), or an exploit pack, is a type of toolkit cybercriminals use to attack vulnerabilities in systems, for them to be able to distribute malware or perform other malicious activities. Exploit kits are packaged with exploits that can target commonly installed software, such as Adobe Flash®, Java®, Microsoft Silverlight®.

A typical exploit kit usually provides a management console, a bunch of vulnerabilities targeted to different applications, and several add-on functions that make it easier for a cybercriminal to launch an attack. Exploit kits typically integrate vulnerabilities of popular applications, which many users leave poorly patched.

It can also be used by someone who does not have any experience writing software code for creating, customizing, and distributing malware.

Underminer Exploit KitUnderminer EK was first seen in the wild in 2017, targeting Asian countries by first deploying bootkits a malware loaded during the boot process, controlling the operating system start up, modifying the system before security components are loaded,  for OS persistency and then a coinminer in a later stage. Back then, this EK spread by malvertising and exploiting browser vulnerabilities. One of the coinminers distributed by this EK was “Hidden Bee” – a covertly running Chinese miner.

When we dig into the Underminer EK, the authors seem to have a good grasp of anti-debugging techniques as they applied plenty of them. We will discuss the interesting ones below.

The first check this EK performs is the use of assembly rdtsc instruction – this instruction is used to determine how many CPU ticks took place since the processor was reset. This can also be used as an anti-debugging technique. The most common way is to use this instruction to get the current timestamp, save it in a register, then get another timestamp and check if the delta between the two is below an exact number of ticks that were pre-decided by the author. In our…