Rig EK via Malvertising delivers Bunitu.


Another Bunitu sample from the same malvertising chain. It would appear the Flash detector, etc. is designed to catch bots as ad servers treat bots differently to real users. I do not think this script plays any role in funnelling the correct targets to Rig EK.

I do doubt the ad providers are purposely serving malicious content. However there is certainly a threat actor at work here who is using Rig EK to deliver Bunitu.

Background Information:

  • A few articles on Rig exploit kit and it’s evolution:


  • Article on Bunitu Trojan:



  • rigbunitu270217-> Contains pcapng and payload  in password protected zip.

Notable Details:

  • – go.pub2srv.com[.]net – 302 redirect
  • – onclickads[.]net – Flash version detector
  • – onclkds[.]com – 302 redirect
  • – adexchangeprediction[.]com – 302 redirect
  • – sproutgames.info – iframe redirect
  • – sproutgame15[.]pw – Compromised Site iframe redirect
  • – lol.acemedicalsafety[.]com – Rig EK
  • Payload was pawf85q6.exe -> VirusTotal

Details of infection chain:

(click to enlarge!)


302 cushioning and iframes leads to Rig EK dropping Bunitu  proxy trojan.

Full Details:

  • A malvertising URL contains a Flash version detector as well as other scripts designed to catch bots.
  • Two further 302 redirects.
  • iframe redirect to compromised website.
  • iframe to Rig EK.
  • lol.acemedicalsafety[.]com -> Landing Page -> Flash  -> Payload
  • There was no Pre-Landing page as usually seen.
  • Dropped payload “pawf85q6.exe” which is different to the usual “rad” themed ones.
  • SHA256: 06705f6df520256247e48c0da4ab81147761ef5091b012d9d5438e5121ef1187
    File name: pawf85q6.exe
    Detection ratio: 10 / 58
  • This was identified as Bunitu Trojan.
  • Bunitu opens random ports by changing firewall settings and allows the host to become a remote proxy.
  • Bunitu uses a DLL called nillvzs.dll.

Bunitu opens ports by changing firewall rules.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s