Rig EK via Malvertising delivers Bunitu

Summary:

I have been tracking a Rig EK campaign that drops Bunitu. It appears to be cycling domains often. I originally found it via my usual malvertising chain (Popads). Every site always has an iframe to another domain usually on the same IP which then leads to Rig EK. I believe the gate requires a correct referrer in order to appear. I’m not sure if this gate exists anywhere else in the wild or whether it is unique to the threat actors behind Bunitu.
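The chain described above (ad-network 302s, a compromised site whose iframe points to a second domain on the same IP, and from there to the Rig landing page) can be pulled out of an HTTP proxy log automatically. The script below is an added example rather than the post's own tooling: it reads constructed log lines that reuse the hosts and IPs from this post (the URIs and client addresses are made up), links consecutive requests per client by redirect or Referer, and tags the hops a defender would want to review, in particular a host change that stays on the same destination IP.

```python
"""Reconstruct a malvertising -> compromised site -> EK landing chain from
HTTP proxy log lines and tag the hops worth a second look. Added example, not
the post's own tooling; the log lines are constructed for the demo and reuse
the hosts/IPs from the post, the URIs and client addresses are made up."""
from collections import defaultdict, namedtuple
from urllib.parse import urlparse

HttpEvent = namedtuple("HttpEvent", "ts client dst_ip host uri referer status")

REDIRECTS = (301, 302, 303, 307, 308)

# Constructed log: ts client dst_ip host uri referer status ('-' = no Referer)
SAMPLE_LOG = """\
1507100001 10.0.0.5 206.54.163.50 onclkds.com /ad - 302
1507100002 10.0.0.5 174.137.133.18 xml.mediacpc.com /ad - 302
1507100003 10.0.0.5 78.46.232.211 lifeerotic011.info / - 200
1507100004 10.0.0.5 78.46.232.211 llifesdfgdhfjgkhlj.info / http://lifeerotic011.info/ 200
1507100005 10.0.0.5 46.173.219.21 admin.lauraducharme.com / http://llifesdfgdhfjgkhlj.info/ 200
1507100010 10.0.0.9 93.184.216.34 example.com / - 200
1507100011 10.0.0.9 93.184.216.34 example.com /about http://example.com/ 200
"""


def parse_log(text):
    """Parse the whitespace-separated constructed format into HttpEvent tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dst_ip, host, uri, referer, status = line.split()
        events.append(HttpEvent(int(ts), client, dst_ip, host, uri,
                                None if referer == "-" else referer, int(status)))
    return events


def linked(prev, cur):
    """Two consecutive requests from one client form a hop when the earlier one
    was a redirect (the browser follows it; Referer is not reliable there) or
    when the later one names the earlier host in its Referer (iframe/link)."""
    if prev.status in REDIRECTS:
        return True
    ref_host = urlparse(cur.referer).hostname if cur.referer else None
    return ref_host == prev.host


def find_chains(text):
    """Return {client: [(from_host, to_host, tags), ...]} for every client."""
    by_client = defaultdict(list)
    for ev in sorted(parse_log(text), key=lambda e: e.ts):
        by_client[ev.client].append(ev)
    chains = {}
    for client, evs in by_client.items():
        hops = []
        for prev, cur in zip(evs, evs[1:]):
            if not linked(prev, cur):
                continue
            tags = []
            if prev.status in REDIRECTS:
                tags.append("redirect")          # ad-network bounce
            if prev.dst_ip == cur.dst_ip and prev.host != cur.host:
                tags.append("same-ip-host-hop")  # iframe to a sibling domain
            hops.append((prev.host, cur.host, tags))
        chains[client] = hops
    return chains


def flagged_clients(chains):
    """Clients whose chain contains at least one tagged hop."""
    return sorted(c for c, hops in chains.items() if any(t for _, _, t in hops))


if __name__ == "__main__":
    for client, hops in find_chains(SAMPLE_LOG).items():
        print(client)
        for src, dst, tags in hops:
            print(f"  {src} -> {dst} {tags}")
```

The linkage is a heuristic: consecutive requests from one client are only joined when a redirect or a matching Referer ties them, so unrelated browsing by the same client is not pulled into the chain. On a real proxy log the same-IP host hop on its own is a weak signal (shared hosting produces it constantly); it becomes interesting when it sits directly between an ad-network redirect and a landing page, which is the ordering this post documents.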

I noticed some DNS traffic every time a client connected to the infected host that did not trigger any ET signatures, but I’m fairly sure it is Bunitu.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Bunitu Trojan:

https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/

Downloads

(in password-protected zip)

Notable Details:

  • 206.54.163.50 – onclkds.com – 302 Malvertising
  • 174.137.133.18 – xml.mediacpc.com – 302 Malvertising
  • 78.46.232.211 – lifeerotic011.info – Compromised Site
  • 78.46.232.211 – llifesdfgdhfjgkhlj.info – Compromised Site
  • 46.173.219.21 – admin.lauraducharme.com – Rig EK
  • 200.43.39.88 – u.dreamlifedust.net – Bunitu DNS Lookup
  • 200.43.39.88 – z.dreamlifedust.net – Bunitu DNS Lookup
  • Payload was 2p8uomsp.exe -> VirusTotal
  • Payload created noxiubc.dll -> VirusTotal

Details of infection chain:

[Figure: 100417-RigBunitu.png – infection chain diagram]

Malvertising leads to Rig EK which delivers Bunitu proxy trojan. Bots can be seen connecting.

Full Details:

  • A malvertising chain leads to Rig EK which delivers Bunitu. The website contains an iframe which leads to another domain on the same IP which contains an iframe to Rig EK.
  • The payload was 2p8uomsp.exe
  • SHA256: 032d620e3229f62622a4bf0f150bf00876c7ea08bc4c004f16ac1cc2d5fac6ee
    File name: 2p8uomsp.exe
    Detection ratio: 7 / 61
  • Bunitu uses a DLL called noxiubc.dll.
    SHA256: f6ff9029fe8193563a9804313b39b2f8f16f6c640cfaa33373a2d2b84a52e05c
    File name: noxiubc.dll
    Detection ratio: 27 / 61
  • Bunitu opens random ports by changing firewall settings and allows the host to become a remote proxy.
  • Three bots can be seen using the proxy. According to forum posts such as this, “clients.your-server.de” is suspected to be bot traffic:
      qv-in-f100.1e100.net
      static.114.34.40.188.clients.your-server.de
      static.87.34.40.188.clients.your-server.de
  • Every time a client connects, Bunitu issues a DNS request. Although these did not trigger any ET signatures, I am sure they are initiated by Bunitu.
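The last observation, a DNS lookup from the infected host each time a client connects to the proxy port, is a pattern that can be tested for directly rather than by signature. The script below is an added example, not the post's own tooling: it takes a constructed connection log and a constructed DNS log (the lookup names are the ones from this post; the victim address, client addresses and port are made up), pairs each query from the victim with any inbound connection that arrived shortly before it, and reports names that are looked up only, or almost only, right after such connections.

```python
"""Correlate inbound connections to a suspected proxy host with the DNS
queries it issues right afterwards. Added example, not the post's own tooling;
the log lines below are constructed for the demo and reuse the lookup names
from the post, while the victim/client addresses and the port are made up."""
from collections import namedtuple

Conn = namedtuple("Conn", "ts src dst dport")
Dns = namedtuple("Dns", "ts client query")

VICTIM = "10.0.0.5"  # constructed address of the infected host

# Constructed connection log: ts src dst dport (one outbound line as noise)
CONN_LOG = """\
1507100100 188.40.34.114 10.0.0.5 51000
1507100130 188.40.34.87 10.0.0.5 51000
1507100160 188.40.34.114 10.0.0.5 51000
1507100200 10.0.0.5 93.184.216.34 443
1507100230 188.40.34.87 10.0.0.5 51000
"""

# Constructed DNS log: ts client query (two ordinary lookups as noise)
DNS_LOG = """\
1507100101 10.0.0.5 u.dreamlifedust.net
1507100131 10.0.0.5 z.dreamlifedust.net
1507100161 10.0.0.5 u.dreamlifedust.net
1507100190 10.0.0.5 www.example.com
1507100231 10.0.0.5 z.dreamlifedust.net
1507100300 10.0.0.5 www.example.com
"""


def parse_conns(text):
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            out.append(Conn(int(ts), src, dst, int(dport)))
    return out


def parse_dns(text):
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, client, query = line.split()
            out.append(Dns(int(ts), client, query))
    return out


def correlate(conns, queries, victim, window=5):
    """For every DNS query issued by `victim`, check whether an inbound
    connection to `victim` arrived within `window` seconds before it.
    Returns {name: (triggered_count, total_count, [(conn_ts, conn_src), ...])}."""
    inbound = sorted(c for c in conns if c.dst == victim)
    stats = {}
    for q in queries:
        if q.client != victim:
            continue
        triggered, total, evidence = stats.get(q.query, (0, 0, []))
        hits = [(c.ts, c.src) for c in inbound if 0 <= q.ts - c.ts <= window]
        if hits:
            triggered += 1
            evidence = evidence + hits
        stats[q.query] = (triggered, total + 1, evidence)
    return stats


def flag_lookups(stats, min_triggered=2, min_ratio=0.8):
    """Names that are looked up (almost) exclusively right after an inbound
    connection and at least `min_triggered` times: candidate proxy beacons."""
    return sorted(name for name, (trig, total, _) in stats.items()
                  if trig >= min_triggered and trig / total >= min_ratio)


if __name__ == "__main__":
    stats = correlate(parse_conns(CONN_LOG), parse_dns(DNS_LOG), VICTIM)
    for name in flag_lookups(stats):
        trig, total, evidence = stats[name]
        print(f"{name}: {trig}/{total} lookups followed an inbound connection")
        for ts, src in evidence:
            print(f"  {ts} from {src}")
```

The ratio test matters more than the raw count: a CDN or update hostname may also be looked up shortly after some inbound connection by coincidence, but it will also be looked up at many other times, which drives its ratio down. Names whose every lookup sits inside the window after a fresh inbound connection are the ones worth adding to a watch list, together with the source addresses in the evidence list, which here correspond to the proxy clients the post observed.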
