Underminer Exploit Kit

The Underminer Exploit Kit was first observed in July 2017, the exploit kit (known as ‘Hidden Bee’) has received various sophisticated updates in recent weeks.

The exploit kit employs various capabilities designed to deter reverse engineering analysis and network traffic detection, including a custom method of packaging its payloads based on the ROM file system (romfs) format.

Underminer uses a multistage system for delivering its payloads and this allows the operators to deliver custom or unique payloads depending on the campaign. It should, however, be noted that Underminer has only been observed delivering cryptocurrency mining payloads. Underminer installs a Bootkit to maintain persistence.

Underminer is delivered through drive-by-downloads on targeted dating websites. The drive-by download exploits either a Flash vulnerability (CVE-2018-4878) or an Internet Explorer exploit (CVE-2018-8174) depending on the web browser type. Both of which the Fallout Exploit Kit is known to leverage.

Indicators of Compromise

IP Addresses

  • 144.202.87[.]106
  • 133.130.101[.]254
  • 67.198.208[.]110
  • 103.35.72[.]223
  • 98.126.222[.]187


  • setup.gohub[.]online:1108/setup.bin?id=128

SHA256 File Hashes

  • [52he3kf2g2rr6l5s1as2u0198k.wasm] CCD77AC6FE0C49B4F71552274764CCDDCBA9994DF33CC1240174BCAB11B52313
  • [glfw.wasm] 087FD1F1932CDC1949B6BBBD56C7689636DD47043C2F0B6002C9AFB979D0C1DD
  • [*.swf] d75710ebc8516e73e3a8dd7d1ad1ebc3221b7a141659c7e84b9f5f97dd7ec09e
  • [*.swf] 5574f4b0b507130db06072930016ed5d2ef79aaa1262faddfdb88891c1599672

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: