Researchers from Trend Micro detected the Underminer activity on July 17, and it is primarily targeting Asian countries. The encrypted tunnel and dumb file format make the payload challenging for researchers to analyze. The exploit kit appears to have been created in November 2017 and exploits the following vulnerabilities. The infection chain for the Flash exploits CVE-2015-5119 and CVE-2018-4878 is fileless: the infection starts with shellcode executed through iexplorer.exe, which downloads the malicious cabinet file. The second payload downloads additional payloads via an encrypted TCP tunnel, and the third stage decodes them from romfs and executes them.
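The infection chain above gives a defender two observable seams even though the chain is fileless: the browser process itself writes a cabinet file to disk, and a later stage opens its own outbound TCP connection over a non-web port. The following Python is an added detection sketch, not code from Trend Micro or the article; the JSON-lines event shape, the process names, IPs and ports are all constructed sample data, and the correlation on "same host the browser just contacted" is an assumption about how such a chain might look, not a documented Underminer indicator.

```python
import json

# Browser image name exactly as the article spells it (assumption: hunt on
# whichever browser binary your environment actually runs).
BROWSERS = {"iexplorer.exe"}
# Ports on which an outbound connection from a non-browser process is
# considered unremarkable for this rule.
WEB_PORTS = {80, 443}

# Constructed JSON-lines telemetry (Sysmon-like fields, not real logs).
SAMPLE_LOG = "\n".join([
    json.dumps({"type": "network", "image": r"C:\Program Files\Internet Explorer\iexplorer.exe",
                "dest_ip": "203.0.113.10", "dest_port": 80}),
    json.dumps({"type": "file_create", "image": r"C:\Program Files\Internet Explorer\iexplorer.exe",
                "target": r"C:\Users\u\AppData\Local\Temp\update.cab"}),
    json.dumps({"type": "network", "image": r"C:\Users\u\AppData\Local\Temp\stage2.exe",
                "dest_ip": "203.0.113.10", "dest_port": 4433}),
    json.dumps({"type": "network", "image": r"C:\Program Files\Internet Explorer\iexplorer.exe",
                "dest_ip": "198.51.100.5", "dest_port": 443}),
])


def parse_lines(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, event_index) pairs for the two seams in the chain.

    browser_cab_drop: a browser process writes a .cab file (stage 1 payload
    fetched by shellcode running inside the browser).
    nonstandard_tcp / tunnel_to_browser_contacted_host: a non-browser process
    opens TCP to a non-web port; the second tag fires when that host was
    already contacted by the browser earlier in the stream (assumed link
    between the exploit landing host and the later tunnel endpoint).
    """
    alerts = []
    browser_hosts = set()
    for idx, ev in enumerate(events):
        name = image_name(ev["image"])
        is_browser = name in BROWSERS
        if ev["type"] == "network" and is_browser:
            browser_hosts.add(ev["dest_ip"])
        elif ev["type"] == "file_create" and is_browser \
                and ev["target"].lower().endswith(".cab"):
            alerts.append(("browser_cab_drop", idx))
        elif ev["type"] == "network" and not is_browser \
                and ev["dest_port"] not in WEB_PORTS:
            rule = ("tunnel_to_browser_contacted_host"
                    if ev["dest_ip"] in browser_hosts else "nonstandard_tcp")
            alerts.append((rule, idx))
    return alerts


if __name__ == "__main__":
    for rule, idx in detect(parse_lines(SAMPLE_LOG)):
        print(f"{rule}: event {idx}")
```

Run as a script it prints the cabinet drop at event 1 and the non-web-port connection at event 2; the browser's own 80/443 traffic is used only to seed the host set and never alerts on its own. In a real deployment the .cab rule is the higher-confidence one, since a browser writing a cabinet file is rare; the port rule needs tuning against whatever non-browser software legitimately talks on unusual ports.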
Source: https://gbhackers.com/underminer-cryptocurrency-malware/