I have stumbled across multiple “ad servers” which check for versions of Flash. I was playing around with one and was getting redirect to random sites. After a while I was redirected to Rig EK. Bunitu was dropped by Rig which was a nice change from the usual Cerber.
I believe these “ad servers” might be great for EK hunting. I have already found Sundown EK in this manner.
- A few articles on Rig exploit kit and it’s evolution:
- Article on the PseudoDarkleech campaign and its history:
- Article on Bunitu Trojan:
- rigbunitu-150217-> Contains pcapng and payload in password protected zip.
- 22.214.171.124 – onclickads[.]net – Flash version detector
- 126.96.36.199 – onclkds[.]com – 302 redirect
- 188.8.131.52 – adexchangeprediction[.]com – 302 redirect
- 184.108.40.206 – holdem-pokers.info – iframe redirect
- 220.127.116.11 – poks122[.]pw – Compromised Site iframe redirect
- 18.104.22.168 – old.thebestdallasdentists[.]com – Rig EK
- 245.147.26.100 – plastic.firgo6slike.net – DNS request from Bunitu
- Payload was rad73363.tmp.exe -> VirusTotal
Details of infection chain:
(click to enlarge!)
- A malvertising URL contains a Flash version detector.
- Two further 302 redirects.
- iframe redirect to compromised website.
- iframe to Rig EK.
- old.thebestdallasdentists[.]com -> Pre-Landing -> Landing Page -> Flash -> Payload
- Dropped payload “rad73363.tmp.exe”.
SHA256: fa092bfd24a1255d5e870b447cfc229e3bc6b0dd3f59ade7fa7369aff45b7a29 File name: rad73363.tmp.exe Detection ratio: 10 / 58
- This was identified as Bunitu Trojan.
- Bunitu opens random ports by changing firewall settings and allows the host to become a remote proxy.
- Bunitu uses a DLL called vsgliig.dll.
- ETPRO TROJAN Win32.Bunitu DNS Lookup (A Network Trojan was Detected)