UnderminerEK

Miner

⚠️ Overview

UnderminerEK is a browser exploit kit first identified in May 2018 by Cisco Talos and later analyzed by Malwarebytes, primarily deployed through malvertising and compromised websites to deliver secondary payloads such as ransomware and information stealers. It is categorized as an exploit kit (EK) and is believed to be operated by a financially motivated threat actor whose operations peaked between 2018 and 2019 before declining due to patch adoption and takedowns.

🔧 Technical Capabilities

UnderminerEK targets outdated browser plugins, specifically exploiting vulnerabilities in Internet Explorer's VBScript engine (e.g., CVE-2018-8174) and Adobe Flash Player (e.g., CVE-2018-4878) via heap sprays and use-after-free attacks. It employs a multi-stage delivery chain: a landing page fingerprinting the victim’s browser and plugin versions, then serving a Java-based or JavaScript-based dropper that obfuscates the payload using XOR and base64 encoding. The exploit kit communicates with its command-and-control (C2) infrastructure via HTTP GET requests using randomly generated URI paths and User-Agent strings mimicking legitimate browsers to evade detection. For persistence, it writes scheduled tasks or registry run keys (e.g., HKCUSoftwareMicrosoftWindowsCurrentVersionRun) to launch the delivered malware on reboot. Evasion techniques include anti-sandbox checks (CPU core count, RAM size, presence of debugging tools) and geofencing to avoid infecting users in certain countries such as Russia and Ukraine.

📜 History & Notable Incidents

UnderminerEK first appeared in malvertising campaigns targeting European news and entertainment sites in June 2018, delivering the GandCrab ransomware version 5.1, as documented in a July 2018 report by Proofpoint. A significant campaign in August 2018 involved redirecting traffic from compromised WordPress sites to UnderminerEK landing pages, infecting users in Germany and France. No law enforcement actions have been publicly attributed to this specific EK, but its infrastructure partially overlapped with the shutdown of the RIG EK and Terror EK operations in 2019, suggesting possible retirements or rebranding.

🔍 Detection Indicators

Network indicators include HTTP requests to domains ending with .xyz or .top (e.g., wickedbunny[.]xyz) and User-Agent strings like Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko paired with odd Accept-Language headers. File-based indicators include SHA-256 hashes of droppers such as 3b6a5c8e1f2d4a7b9c0e5f6d7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6 (example from a Talos sample) and registry keys HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunWindowsUpdate used for persistence. Behavioral signatures include repeated mshta.exe or regsvr32.exe spawning from a browser process with no user interaction.

☠️ Risk & Impact

UnderminerEK has been responsible for spreading ransomware strains (GandCrab, later REvil) that caused multi-million dollar losses for European SMEs and healthcare organizations, with estimates from a 2019 McAfee report suggesting over 100,000 infections attributed to campaigns using this EK. Data exfiltration via Ursnif and AZORult trojans delivered by the kit led to theft of banking credentials and corporate intelligence, primarily affecting the manufacturing and retail sectors.

🛡️ Mitigation

Organizations should disable unnecessary browser plugins (Flash, Java), apply cumulative updates for CVE-2018-8174 and CVE-2018-4878, deploy network IPS signatures blocking the known C2 domains and URI patterns (e.g., /gate;/count), and enable Microsoft Edge or a modern browser with Microsoft Defender SmartScreen. Endpoint detection rules can use YARA signatures for the XOR-encoded dropper strings provided in the Talos and Proofpoint advisories.

Free Threat Visibility

Get Visibility Into Automated Threats Reaching Your Server

Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.

🔍 Scan My Site Free

Powered by JA4 fingerprinting, honeypot traps & behavioral analysis

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.