Rig EK drops Bunitu Proxy Trojan

Summary:

I have been tracking Rig EK campaigns that drop Bunitu for a while now, but lately I’ve had some trouble with my lab getting the payload to download properly. Fortunately I have a sandbox which I can use. I’m sure I will figure out the issue!

This particular compromised site at 78.47.1.194 has a fairly long history of changing its domains. It is similar to 78.46.232.211, which is the other IP that I know of. They all contain an iframe leading to a URL on the same IP which contains another iframe which leads to Rig EK. As before, this iframe contains the tag “small”, so I like to call it the “small gate”.

As I ran this one in my sandbox, it evaluated the JavaScript and removed all the obfuscation save for base64. This is available to download below.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Bunitu Trojan:

https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/

Downloads

(in password protected zip)

As a bonus I’ve also included a deobfuscated version of the landing page:

Details of infection chain:

Rig EK drops Bunitu. The compromised website appears to be a game.

Full Details:

  • A malvertising chain leads to Rig EK which delivers Bunitu. The website contains an iframe which leads to another domain on the same IP which contains an iframe to Rig EK.
  • The payload was rritws0m.exe, though I renamed it.
  • SHA256: 817e477fcf49c02945e2929d7e661bc25bd1e35a564ac65ae368efdeddc21725
    File name: 817e477fcf49c02945e2929d7e661bc25bd1e35a564ac65ae368efdeddc21725.bin
    Detection ratio: 12 / 61
  • Bunitu uses a DLL called zazxirr.dll.
  • SHA256: 9c0d1b7105f3cbbbfee53e977a82d9ef70b0034392238a910daca68ee00c3158
    File name: zazxirr.dll.bin
    Detection ratio: 19 / 61
  • Bunitu opens random ports by changing firewall settings and allows the host to become a remote proxy.
  • Every time a client connects, Bunitu issues a DNS request. Although these did not trigger any ET signatures, I am sure they are initiated by Bunitu.
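As an added example (not part of the original post), the following Python heuristic turns the last two observations into detection logic: it flags an internal host that accepts inbound connections from external clients on unusual high ports and issues a DNS query right after each one. The flow records are constructed, and the internal range (10.x), the 5-second window and the thresholds are assumptions, not values from the post.

```python
# Added example: detect the proxy behaviour described above from flow records.
# A host that receives external connections on several different high ports,
# each followed within a few seconds by its own DNS query, is flagged.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flows: (timestamp, src, dst, dst_port, proto).
# 10.0.0.5 plays the infected host; 10.0.0.53 is the local resolver.
FLOWS = [
    ("2017-05-01 10:00:00", "203.0.113.10", "10.0.0.5", 41233, "tcp"),
    ("2017-05-01 10:00:01", "10.0.0.5", "10.0.0.53", 53, "udp"),
    ("2017-05-01 10:00:07", "203.0.113.44", "10.0.0.5", 50871, "tcp"),
    ("2017-05-01 10:00:07", "10.0.0.5", "10.0.0.53", 53, "udp"),
    ("2017-05-01 10:00:20", "198.51.100.9", "10.0.0.5", 62004, "tcp"),
    ("2017-05-01 10:00:21", "10.0.0.5", "10.0.0.53", 53, "udp"),
    ("2017-05-01 10:01:00", "10.0.0.7", "10.0.0.5", 445, "tcp"),   # benign internal SMB
    ("2017-05-01 10:02:00", "10.0.0.9", "10.0.0.53", 53, "udp"),    # unrelated DNS lookup
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def is_internal(ip):
    # Assumption for the constructed data: the internal network is 10.x.
    return ip.startswith("10.")

def find_proxy_hosts(flows, window_sec=5, min_hits=3, low_port=1024):
    """Return {host: [(inbound_port, external_src), ...]} for internal hosts
    with at least min_hits external inbound connections on distinct ports
    above low_port, each followed by a DNS query from the host within
    window_sec seconds. Thresholds are assumptions, tune to your environment."""
    dns_by_host = defaultdict(list)
    inbound_by_host = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        t = parse_ts(ts)
        if dport == 53 and proto == "udp":
            dns_by_host[src].append(t)
        elif dport > low_port and is_internal(dst) and not is_internal(src):
            inbound_by_host[dst].append((t, dport, src))
    window = timedelta(seconds=window_sec)
    hits = {}
    for host, conns in inbound_by_host.items():
        matched = [(port, src) for t, port, src in conns
                   if any(t <= d <= t + window for d in dns_by_host[host])]
        # Require several distinct ports: the proxy listens on random ports.
        if len(matched) >= min_hits and len({p for p, _ in matched}) >= min_hits:
            hits[host] = matched
    return hits
```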
