Threat Report
According to Trend Micro, a new exploit kit, Underminer, contains features that make it difficult for researchers to track it and to reverse engineer its payloads. Trend Micro researchers state that the exploit kit is currently being used against victims in Asian countries, primarily users in Japan. Underminer delivers a bootkit that infects the system's boot sectors as well as Hidden Mellifera (Hidden Bee), a cryptocurrency-mining malware. Trend Micro researchers first observed the exploit kit on July 17, 2018.

Also this week, security researchers at McAfee Labs reported an increasing number of actors using fileless attacks. Fileless attacks do not drop malware on the system; instead they abuse tools already installed on it. Researchers note that one fileless threat, CactusTorch, uses the "DotNetToJScript" technique to execute custom shellcode on Windows systems straight from memory.
Malware: Underminer
Underminer is capable of browser profiling and filtering, prevents clients from revisiting its landing pages, randomizes its URLs, and encrypts its payloads with asymmetric cryptography. Payloads are transferred over an encrypted transmission control protocol (TCP) tunnel and packaged in a customized format (similar to the ROM file system format), which makes analysis difficult for researchers. Underminer has been observed exploiting three vulnerabilities: CVE-2015-5119 (Adobe Flash Player), CVE-2016-0189 (Internet Explorer VBScript engine), and CVE-2018-4878 (Adobe Flash Player).
Some Mitigation Strategies:
- File Integrity Monitoring (FIM) to detect the creation of files and scripts on endpoints
- Intrusion detection systems (IDS) to detect the C2 communication used to fetch additional payloads
- Web filtering to block malicious URLs and unknown sites
- 24x7 security monitoring for malicious behavior, with immediate incident response
Malware: CactusTorch (DotNetToJScript)
DotNetToJScript does not write any .NET assembly to disk, which is why security software often fails to detect this type of attack. CactusTorch loads and executes malicious .NET assemblies (the smallest unit of deployment for a .NET application) directly in memory, from a script run by the Windows Script Host. Corporate networks and individual users alike are vulnerable to this type of attack. McAfee states that its Endpoint Security (ENS) and Host Intrusion Prevention System (HIPS) clients are protected against this fileless attack.
Some Mitigation Strategies:
- File Integrity Monitoring (FIM) to catch the dropped script file, which is the only file written to disk; the script is launched through wscript.exe
- Intrusion detection systems (IDS) to monitor for malicious outbound communication
- 24x7 security monitoring for malicious behavior, with immediate incident response
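To make the FIM and monitoring points above concrete, here is an added example (not code from the report, McAfee, or Perch) showing two checks an analyst can run offline: a static scan of a script file for the loader strings DotNetToJScript relies on (BinaryFormatter deserialization of an embedded, base64-encoded .NET assembly followed by DynamicInvoke), and a pass over process-creation events for wscript.exe or cscript.exe launching a script from a user-writable directory. The sample script text and event records are constructed for illustration, the 512-character base64 threshold is an assumption, and the event field names (id, image, cmdline) are a hypothetical log schema, not a particular vendor's format.

```python
"""Detection helper for DotNetToJScript-style fileless loaders (added example)."""
import re
from dataclasses import dataclass, field

# Strings the DotNetToJScript loader needs to rebuild a .NET object graph in
# memory via COM. Some are benign on their own; together they are rare.
DNTJS_MARKERS = (
    "System.Runtime.Serialization.Formatters.Binary.BinaryFormatter",
    "System.IO.MemoryStream",
    "System.Collections.ArrayList",
    "Deserialize_2",
    "DynamicInvoke",
)
# Bytes 00 01 00 00 00 FF FF FF FF (BinaryFormatter stream header) in base64.
BINARYFORMATTER_B64_HEADER = "AAEAAAD/////"
# A long base64 run is where the embedded assembly lives (512 is an assumed threshold).
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{512,}={0,2}")


@dataclass
class ScriptVerdict:
    markers: list = field(default_factory=list)
    has_serialized_header: bool = False
    has_long_base64: bool = False

    @property
    def suspicious(self) -> bool:
        # Serialized-object header plus two loader markers, or a long blob
        # plus nearly the full loader vocabulary.
        return (self.has_serialized_header and len(self.markers) >= 2) or (
            self.has_long_base64 and len(self.markers) >= 4
        )


def inspect_script(text: str) -> ScriptVerdict:
    """Static check of a JScript/VBScript body for DotNetToJScript indicators."""
    v = ScriptVerdict()
    v.markers = [m for m in DNTJS_MARKERS if m in text]
    v.has_serialized_header = BINARYFORMATTER_B64_HEADER in text
    v.has_long_base64 = LONG_B64.search(text) is not None
    return v


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\(temp|downloads|appdata)\\", re.IGNORECASE)


def suspicious_launches(events):
    """Return ids of events where a script host runs a script from a user-writable path."""
    hits = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in SCRIPT_HOSTS and USER_WRITABLE.search(ev["cmdline"]):
            hits.append(ev["id"])
    return hits


# Constructed sample: the shape of a DotNetToJScript loader, with a dummy blob.
SAMPLE_LOADER = (
    'var stm = new ActiveXObject("System.IO.MemoryStream");\n'
    'var fmt = new ActiveXObject("System.Runtime.Serialization.Formatters.Binary.BinaryFormatter");\n'
    'var al = new ActiveXObject("System.Collections.ArrayList");\n'
    'var serialized = "' + BINARYFORMATTER_B64_HEADER + "A" * 600 + '";\n'
    "var obj = fmt.Deserialize_2(stm);\n"
    "al.Add(undefined); obj.DynamicInvoke(al.ToArray()).CreateInstance(entry);\n"
)
# Constructed sample: an ordinary admin script that uses COM but no loader.
SAMPLE_BENIGN = (
    'var fso = new ActiveXObject("Scripting.FileSystemObject");\n'
    'WScript.Echo(fso.FolderExists("C:\\\\logs"));\n'
)
# Constructed process-creation events (hypothetical schema).
SAMPLE_EVENTS = [
    {"id": 1, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.js"'},
    {"id": 2, "image": "C:\\Windows\\System32\\cscript.exe",
     "cmdline": 'cscript.exe "C:\\Program Files\\Vendor\\health.vbs"'},
    {"id": 3, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
]

if __name__ == "__main__":
    for name, body in (("loader", SAMPLE_LOADER), ("benign", SAMPLE_BENIGN)):
        v = inspect_script(body)
        print(f"{name}: suspicious={v.suspicious} markers={v.markers}")
    print("suspicious launches:", suspicious_launches(SAMPLE_EVENTS))
```

The static check deliberately requires several indicators together: a single COM class name or a long base64 string appears in plenty of legitimate scripts, but the BinaryFormatter header followed by Deserialize_2 and DynamicInvoke is the loader's signature. The process check is the FIM-adjacent control from the list above expressed as a query: the script is the only artifact on disk, so the event that matters is a script host reading it from Temp, Downloads or AppData.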
We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com