Rig EK via Malvertising delivers Bunitu Trojan


I have stumbled across multiple “ad servers” which check for versions of Flash. I was playing around with one and was getting redirected to random sites. After a while I was redirected to Rig EK. Bunitu was dropped by Rig, which was a nice change from the usual Cerber.

I believe these “ad servers” might be great for EK hunting. I have already found Sundown EK in this manner.


Background Information:

  • A few articles on Rig exploit kit and its evolution:


  • Article on the PseudoDarkleech campaign and its history:


  • Article on Bunitu Trojan:



Notable Details:

  • onclickads[.]net – Flash version detector
  • onclkds[.]com – 302 redirect
  • adexchangeprediction[.]com – 302 redirect
  • holdem-pokers[.]info – iframe redirect
  • poks122[.]pw – Compromised site iframe redirect
  • old.thebestdallasdentists[.]com – Rig EK
  • plastic.firgo6slike[.]net – DNS request from Bunitu
  • Payload was rad73363.tmp.exe -> VirusTotal

Details of infection chain:




Malvertising chain starting with Flash detector leads to Rig EK which drops Bunitu Trojan.


Full Details:

  • A malvertising URL contains a Flash version detector.
  • Two further 302 redirects.
  • iframe redirect to compromised website.
  • iframe to Rig EK.
  • old.thebestdallasdentists[.]com -> Pre-Landing -> Landing Page -> Flash -> Payload
  • Dropped payload “rad73363.tmp.exe”.
  • SHA256: fa092bfd24a1255d5e870b447cfc229e3bc6b0dd3f59ade7fa7369aff45b7a29
    File name: rad73363.tmp.exe
    Detection ratio: 10 / 58
  • This was identified as Bunitu Trojan.
  • Bunitu opens random ports by changing firewall settings and allows the host to become a remote proxy.
  • Bunitu uses a DLL called vsgliig.dll.
  • ETPRO TROJAN Win32.Bunitu DNS Lookup (A Network Trojan was Detected) [2824943]
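As an added detection example (not code from the original post), the script below refangs the indicators listed in this write-up, matches them against log lines, and checks whether the stages of the chain (Flash detector, Rig EK host, Bunitu DNS lookup) were seen in order. The proxy and DNS log formats are assumptions and the sample lines are constructed; only the domains and the payload SHA256 come from the post.

```python
"""Match the indicators from the Rig EK / Bunitu write-up against log lines.

Added example. The log formats and sample lines are constructed; the
indicators and the payload hash are the ones listed in the write-up.
"""
import re
from urllib.parse import urlparse

# Indicators from the write-up, in the order they occur in the chain.
CHAIN = [
    ("onclickads[.]net", "Flash version detector"),
    ("onclkds[.]com", "302 redirect"),
    ("adexchangeprediction[.]com", "302 redirect"),
    ("holdem-pokers[.]info", "iframe redirect"),
    ("poks122[.]pw", "compromised site iframe redirect"),
    ("old.thebestdallasdentists[.]com", "Rig EK"),
    ("plastic.firgo6slike[.]net", "Bunitu DNS request"),
]
PAYLOAD_SHA256 = "fa092bfd24a1255d5e870b447cfc229e3bc6b0dd3f59ade7fa7369aff45b7a29"

# Constructed sample logs (hypothetical proxy-log and DNS-log formats).
SAMPLE_LOGS = [
    "2017-02-10T10:00:01 10.0.0.5 GET http://onclickads.net/ad?fl=24 200",
    "2017-02-10T10:00:02 10.0.0.5 GET http://onclkds.com/go 302",
    "2017-02-10T10:00:02 10.0.0.5 GET http://adexchangeprediction.com/r 302",
    "2017-02-10T10:00:03 10.0.0.5 GET http://holdem-pokers.info/ 200",
    "2017-02-10T10:00:03 10.0.0.5 GET http://poks122.pw/index.php 200",
    "2017-02-10T10:00:04 10.0.0.5 GET http://old.thebestdallasdentists.com/ 200",
    "2017-02-10T10:00:05 10.0.0.5 GET http://www.example.com/ 200",
    "2017-02-10T10:00:09 10.0.0.5 DNS A plastic.firgo6slike.net",
]

_DNS_RE = re.compile(r"\bDNS\s+\w+\s+(\S+)")


def refang(indicator):
    """Turn the defanged form used in the write-up back into a real hostname."""
    return indicator.replace("[.]", ".").lower()


def host_matches(host, indicator):
    """Exact match or subdomain match against one defanged indicator."""
    host = host.lower().rstrip(".")
    ind = refang(indicator)
    return host == ind or host.endswith("." + ind)


def extract_host(line):
    """Pull the contacted hostname out of a proxy line (URL) or a DNS line."""
    m = re.search(r"https?://\S+", line)
    if m:
        return urlparse(m.group(0)).hostname
    m = _DNS_RE.search(line)
    if m:
        return m.group(1)
    return None


def scan_logs(lines):
    """Return one hit per log line whose host matches a chain indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        host = extract_host(line)
        if host is None:
            continue
        for stage, (indicator, role) in enumerate(CHAIN):
            if host_matches(host, indicator):
                hits.append({"line": n, "host": host, "stage": stage, "role": role})
                break
    return hits


def chain_observed(hits):
    """True when the Flash detector, the Rig EK host and the Bunitu DNS
    lookup were all seen, and in that order (stages 0, 5 and 6 of CHAIN)."""
    stages = [h["stage"] for h in hits]
    positions = []
    for needed in (0, 5, 6):
        if needed not in stages:
            return False
        positions.append(stages.index(needed))
    return positions == sorted(positions)


def hash_matches(sha256_hex):
    """Compare a file hash against the dropped payload's SHA256."""
    return sha256_hex.strip().lower() == PAYLOAD_SHA256


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for h in found:
        print(f"line {h['line']}: {h['host']} -> {h['role']}")
    print("full chain observed:", chain_observed(found))
```

Subdomain matching matters here because Rig was served from a subdomain (old.) of the compromised dentist site; matching only the exact label would miss other hosts under the same domain.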

Bunitu opens ports by changing firewall rules.
