Rig EK via Malvertising delivers Bunitu


I have been tracking a Rig EK campaign that drops Bunitu. It appears to be cycling domains often. I originally found it via my usual malvertising chain (Popads). Every site always has an iframe to another domain usually on the same IP which then leads to Rig EK. I believe the gate requires a correct referrer in order to appear. I’m not sure if this gate exists anywhere else in the wild or whether it is unique to the threat actors behind Bunitu.

I noticed some DNS traffic every time a client connected to the infected host that did not trigger any ET signatures, but I’m fairly sure it is Bunitu.

Background Information:

  • A few articles on Rig exploit kit and its evolution:


  • Article on Bunitu Trojan:



(in password protected zip)

Notable Details:

  • onclkds.com – 302 Malvertising
  • xml.mediacpc.com – 302 Malvertising
  • lifeerotic011.info – Compromised Site
  • llifesdfgdhfjgkhlj.info – Compromised Site
  • admin.lauraducharme.com – Rig EK
  • u.dreamlifedust.net – Bunitu DNS Lookup
  • z.dreamlifedust.net – Bunitu DNS Lookup
  • Payload was 2p8uomsp.exe -> VirusTotal
  • Payload created noxiubc.dll -> VirusTotal

Details of infection chain:


Malvertising leads to Rig EK which delivers Bunitu proxy trojan. Bots can be seen connecting.

Full Details:

  • A malvertising chain leads to Rig EK which delivers Bunitu. The website contains an iframe which leads to another domain on the same IP which contains an iframe to Rig EK.
  • The payload was 2p8uomsp.exe
    SHA256: 032d620e3229f62622a4bf0f150bf00876c7ea08bc4c004f16ac1cc2d5fac6ee
    File name: 2p8uomsp.exe
    Detection ratio: 7 / 61
  • Bunitu uses a DLL called noxiubc.dll.
    SHA256: f6ff9029fe8193563a9804313b39b2f8f16f6c640cfaa33373a2d2b84a52e05c
    File name: noxiubc.dll
    Detection ratio: 27 / 61
  • Bunitu opens random ports by changing firewall settings and allows the host to become a remote proxy.
  • Three bots can be seen using the proxy. According to forum posts such as this, “clients.your-server.de” is suspected to be bot traffic:
    qv-in-f100.1e100.net
  • Every time a client connects, Bunitu issues a DNS request. Although these did not trigger any ET signatures, I am sure they are initiated by Bunitu.
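The DNS-per-connection behaviour above is a usable detection signal even without an ET rule. The following script is an added example, not part of the original post: it correlates inbound connections to a host with DNS lookups for the dreamlifedust.net domains from this post within a short window. The log format, timestamps, client IPs and the port 6153 are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not captured from the original post). Format:
# "<timestamp> conn <client_ip> <host_ip:port>" for inbound connections,
# "<timestamp> dns <host_ip> <queried_name>" for DNS queries from the host.
SAMPLE_LOG = """\
2015-08-01T10:00:00 conn 203.0.113.5 192.168.1.10:6153
2015-08-01T10:00:02 dns 192.168.1.10 u.dreamlifedust.net
2015-08-01T10:00:40 dns 192.168.1.10 www.example.com
2015-08-01T10:05:10 conn 198.51.100.7 192.168.1.10:6153
2015-08-01T10:05:11 dns 192.168.1.10 z.dreamlifedust.net
2015-08-01T10:09:00 dns 192.168.1.10 z.dreamlifedust.net
"""

BUNITU_DNS_SUFFIX = "dreamlifedust.net"   # u./z. lookup domains from the post
WINDOW = timedelta(seconds=10)            # assumed max gap between connect and lookup

LINE_RE = re.compile(r"^(\S+) (conn|dns) (\S+) (\S+)$")

def parse(log):
    """Parse log lines into (timestamp, kind, src, dst) tuples, skipping junk."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, kind, src, dst = m.groups()
            events.append((datetime.fromisoformat(ts), kind, src, dst))
    return events

def correlate(log, suffix=BUNITU_DNS_SUFFIX, window=WINDOW):
    """Return (dns_time, client_ip, queried_name) for each lookup of `suffix`
    that follows an inbound connection to the querying host within `window`.
    Lookups with no recent inbound connection are left out (see last sample line)."""
    events = parse(log)
    hits = []
    for i, (ts, kind, src, dst) in enumerate(events):
        if kind != "dns" or not dst.endswith(suffix):
            continue
        # walk backwards for the most recent inbound connection to this host
        for pts, pkind, psrc, pdst in reversed(events[:i]):
            if ts - pts > window:
                break
            if pkind == "conn" and pdst.split(":")[0] == src:
                hits.append((ts.isoformat(), psrc, dst))
                break
    return hits

if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOG):
        print("proxy client %s -> Bunitu lookup %s at %s" % (hit[1], hit[2], hit[0]))
```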
