I have been tracking a Rig EK campaign that drops Bunitu. It appears to be cycling domains often. I originally found it via my usual malvertising chain (Popads). Every site always has an iframe to another domain usually on the same IP which then leads to Rig EK. I believe the gate requires a correct referrer in order to appear. I’m not sure if this gate exists anywhere else in the wild or whether it is unique to the threat actors behind Bunitu.
I noticed some DNS traffic every time a client connected to the infected host that did not trigger any ET signatures, but I’m fairly sure it is Bunitu.
- A few articles on Rig exploit kit and its evolution:
- Article on Bunitu Trojan:
(in password-protected zip)
- 100417-RigBunitu -> Pcap
- 100417-Bunitu -> Bunitu (exe and dll)
- 18.104.22.168 – onclkds.com – 302 Malvertising
- 22.214.171.124 – xml.mediacpc.com – 302 Malvertising
- 126.96.36.199 – lifeerotic011.info – Compromised Site
- 188.8.131.52 – llifesdfgdhfjgkhlj.info – Compromised Site
- 184.108.40.206 – admin.lauraducharme.com – Rig EK
- 220.127.116.11 – u.dreamlifedust.net – Bunitu DNS Lookup
- 18.104.22.168 – z.dreamlifedust.net – Bunitu DNS Lookup
- Payload was 2p8uomsp.exe -> VirusTotal
- Payload created noxiubc.dll -> VirusTotal
Details of infection chain:
- A malvertising chain leads to Rig EK which delivers Bunitu. The website contains an iframe which leads to another domain on the same IP which contains an iframe to Rig EK.
- The payload was 2p8uomsp.exe
SHA256: 032d620e3229f62622a4bf0f150bf00876c7ea08bc4c004f16ac1cc2d5fac6ee
File name: 2p8uomsp.exe
Detection ratio: 7 / 61
- Bunitu uses a DLL called noxiubc.dll.
SHA256: f6ff9029fe8193563a9804313b39b2f8f16f6c640cfaa33373a2d2b84a52e05c
File name: noxiubc.dll
Detection ratio: 27 / 61
- Bunitu opens random ports by changing firewall settings and allows the host to become a remote proxy.
- Three bots can be seen using the proxy. According to forum posts such as this, “clients.your-server.de” is suspected to be bot traffic:
- Every time a client connects, Bunitu issues a DNS request. Although these did not trigger any ET signatures, I am sure they are initiated by Bunitu.
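The behaviour described in the last three points (an inbound client connection to the proxy port, followed by a DNS lookup to a dreamlifedust.net host) is something a defender can turn into a correlation rule even without an ET signature. The script below is an added example written for this post, not code from the original analysis or from any of the linked sources. It assumes Zeek-style connection and DNS records reduced to a simple whitespace-separated shape, uses a constructed victim address (192.168.1.50) and constructed client addresses from the RFC 5737 documentation ranges, and generalises the two observed lookups (u. and z.dreamlifedust.net) into a single-letter-subdomain pattern, which is my assumption rather than something the post establishes.

```python
"""Correlate inbound connections with follow-up Bunitu-style DNS lookups.

Added example (not from the original post). Sample data is constructed,
not taken from the post's pcap.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed victim address in a lab network (constructed).
INFECTED_HOST = "192.168.1.50"

# Assumption: Bunitu lookups use a single-letter label under dreamlifedust.net,
# generalised from the two lookups seen in the post (u. and z.).
BUNITU_DNS = re.compile(r"^[a-z]\.dreamlifedust\.net$")

# How soon after an inbound connection the lookup must appear to be correlated.
WINDOW = timedelta(seconds=5)

# Constructed connection records: timestamp src dst dst_port direction
CONN_LOG = """\
2017-10-04T10:00:01 203.0.113.7 192.168.1.50 49862 inbound
2017-10-04T10:00:05 198.51.100.9 192.168.1.50 49862 inbound
2017-10-04T10:03:10 192.168.1.50 93.184.216.34 443 outbound
2017-10-04T10:04:00 192.0.2.55 192.168.1.50 49862 inbound
"""

# Constructed DNS records: timestamp src query
DNS_LOG = """\
2017-10-04T10:00:02 192.168.1.50 u.dreamlifedust.net
2017-10-04T10:00:06 192.168.1.50 z.dreamlifedust.net
2017-10-04T10:03:11 192.168.1.50 example.com
2017-10-04T10:04:40 192.168.1.50 u.dreamlifedust.net
"""


@dataclass
class Conn:
    ts: datetime
    src: str
    dst: str
    dport: int
    direction: str


@dataclass
class Dns:
    ts: datetime
    src: str
    query: str


def parse_conn(text: str) -> list:
    """Parse the simplified connection log into Conn records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, direction = line.split()
        records.append(Conn(datetime.fromisoformat(ts), src, dst, int(dport), direction))
    return records


def parse_dns(text: str) -> list:
    """Parse the simplified DNS log into Dns records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, query = line.split()
        records.append(Dns(datetime.fromisoformat(ts), src, query))
    return records


def ioc_dns_hits(dns_records: list) -> list:
    """Every query matching the Bunitu lookup pattern, regardless of timing."""
    return [d for d in dns_records if BUNITU_DNS.match(d.query)]


def correlate(conns: list, dns_records: list, window: timedelta = WINDOW) -> list:
    """Pair each inbound connection to the victim with the first matching
    lookup the victim issues within `window`; this is the proxy-client
    pattern the post describes."""
    hits = ioc_dns_hits(dns_records)
    alerts = []
    for c in conns:
        if c.direction != "inbound" or c.dst != INFECTED_HOST:
            continue
        for d in hits:
            if d.src == c.dst and c.ts <= d.ts <= c.ts + window:
                alerts.append({
                    "client": c.src,
                    "port": c.dport,
                    "query": d.query,
                    "lag_s": (d.ts - c.ts).total_seconds(),
                })
                break
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_conn(CONN_LOG), parse_dns(DNS_LOG)):
        print(f"proxy client {a['client']} -> port {a['port']}, "
              f"lookup {a['query']} after {a['lag_s']}s")
```

With the constructed data the third inbound connection is not correlated because its lookup arrives 40 seconds later; `ioc_dns_hits` still reports that lookup on its own, so the two functions give a tight, low-noise alert and a broader IoC sweep respectively. On real Zeek output the same logic applies to `conn.log` and `dns.log` once the relevant columns are pulled out.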