Summary:
I have been tracking Rig EK campaigns that drop Bunitu for a while now but lately I’ve had some trouble with my lab getting the payload to download properly. Fortunately I have a sandbox which I can use. I’m sure I will figure out the issue!
This particular compromised site at 78.47.1.194 has a fairly long history of changing its domains. It is similar to 78.46.232.211, which is the other IP that I know of. They all contain an iframe leading to a URL on the same IP, which in turn contains another iframe that leads to Rig EK. As before, this iframe contains the tag "small", so I like to call it the "small gate".
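The "small gate" pattern described above, as an added example that is not part of the original post: a small Python parser that pulls iframe sources out of a captured page, keeps only those wrapped in a `<small>` element, and flags the ones whose host resolves to the same IP as the page that embedded them. The sample page and the host-to-IP table are constructed for the example (no real domains from the campaign); the table stands in for a DNS lookup or the resolved addresses in the pcap, and wrapping the iframe in `<small>` is the assumed layout of the gate.

```python
"""Find "small gate" style iframe chains in a captured landing page.

Added example, not code from the original post.  SAMPLE_HTML and HOST_TO_IP
are constructed; HOST_TO_IP is an assumption standing in for DNS resolution.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one iframe wrapped in <small> that points at a
# second host on the same IP as the page, plus an unrelated ad iframe.
SAMPLE_HTML = """
<html><body>
<p>Welcome</p>
<small><iframe src="http://second-host.example/page.php" width="1" height="1"></iframe></small>
<iframe src="https://ads.other.example/banner"></iframe>
</body></html>
"""

# Assumed resolutions (stand-in for DNS answers or the pcap's resolved IPs).
HOST_TO_IP = {
    "first-host.example": "198.51.100.10",
    "second-host.example": "198.51.100.10",
    "ads.other.example": "203.0.113.7",
}


class IframeCollector(HTMLParser):
    """Collect iframe src attributes and whether each sits inside a <small>."""

    def __init__(self):
        super().__init__()
        self.small_depth = 0
        self.iframes = []  # list of (src, inside_small)

    def handle_starttag(self, tag, attrs):
        if tag == "small":
            self.small_depth += 1
        elif tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.iframes.append((src, self.small_depth > 0))

    def handle_endtag(self, tag):
        if tag == "small" and self.small_depth:
            self.small_depth -= 1


def collect_iframes(html):
    """Return every iframe src in the page with its <small> flag."""
    parser = IframeCollector()
    parser.feed(html)
    return parser.iframes


def find_small_gates(html, page_host, host_to_ip):
    """Return iframe srcs that are wrapped in <small> and whose host shares
    the page's IP: the redirect shape the post calls the "small gate"."""
    page_ip = host_to_ip.get(page_host)
    hits = []
    for src, in_small in collect_iframes(html):
        host = urlparse(src).hostname
        if in_small and host is not None and host_to_ip.get(host) == page_ip:
            hits.append(src)
    return hits


if __name__ == "__main__":
    for gate in find_small_gates(SAMPLE_HTML, "first-host.example", HOST_TO_IP):
        print("small gate ->", gate)
```

Run against a saved copy of the first page in the chain, with the host table filled from the pcap's DNS answers, this prints the second-stage URL; the ad iframe on a different IP is ignored.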
As I ran this one in my sandbox, it evaluated the JavaScript and removed all the obfuscation save for base64. This is available to download below.
Background Information:
- A few articles on Rig exploit kit and its evolution:
https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html
- Article on Bunitu Trojan:
https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/
Downloads
(in password protected zip)
- 12-May-2017-Rig-Bunitu -> Pcap
- 12-May-2017-Bunitu -> Bunitu (exe and dll)
- 12-May-2017-Rig-Bunitu-CSV -> CSV of traffic
As a bonus I’ve also included a deobfuscated version of the landing page:
Details of infection chain:
Full Details:
- A malvertising chain leads to Rig EK which delivers Bunitu. The website contains an iframe which leads to another domain on the same IP which contains an iframe to Rig EK.
- The payload was rritws0m.exe, though I renamed it.
SHA256: 817e477fcf49c02945e2929d7e661bc25bd1e35a564ac65ae368efdeddc21725 File name: 817e477fcf49c02945e2929d7e661bc25bd1e35a564ac65ae368efdeddc21725.bin Detection ratio: 12 / 61
- Bunitu uses a DLL called zazxirr.dll.
SHA256: 9c0d1b7105f3cbbbfee53e977a82d9ef70b0034392238a910daca68ee00c3158 File name: zazxirr.dll.bin Detection ratio: 19 / 61
- Bunitu opens random ports by changing firewall settings and allows the host to become a remote proxy.
- Every time a client connects, Bunitu issues a DNS request. Although these did not trigger any ET signatures, I am sure they are initiated by Bunitu.
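The proxy behaviour above (a listener on a random high port, and a DNS query from the infected host each time a client connects) can be pulled out of a Wireshark CSV export by correlating inbound SYNs with the DNS queries that follow them. The script below is an added example, not part of the post or its CSV: the traffic rows are constructed, the victim address `10.0.0.5` and the two-second window are assumptions, and the column layout mirrors a Wireshark CSV export (time, source, destination, protocol, info).

```python
"""Correlate inbound connections to an infected host with the DNS queries it
sends right afterwards.  Added example; the CSV rows below are constructed
and do not come from the post's capture.
"""
import csv
from io import StringIO

VICTIM = "10.0.0.5"   # assumed lab host running the Bunitu proxy
WINDOW = 2.0          # assumed: seconds after a SYN in which a DNS query counts

# Constructed rows in Wireshark CSV export layout.  Two remote clients hit the
# listener on 29146 and are each followed by a DNS query from the victim; a
# lone DNS query at 40s and an unanswered SYN to 445 are noise.
TRAFFIC_CSV = """time,src,dst,proto,info
10.000,203.0.113.5,10.0.0.5,TCP,"51432 > 29146 [SYN]"
10.120,10.0.0.5,203.0.113.5,TCP,"29146 > 51432 [SYN, ACK]"
10.400,10.0.0.5,10.0.0.1,DNS,"Standard query A mail.example.net"
40.000,10.0.0.5,10.0.0.1,DNS,"Standard query A update.example.com"
55.000,198.51.100.9,10.0.0.5,TCP,"40001 > 29146 [SYN]"
55.800,10.0.0.5,10.0.0.1,DNS,"Standard query A login.example.org"
90.000,198.51.100.77,10.0.0.5,TCP,"40100 > 445 [SYN]"
"""


def parse_rows(text):
    """Parse the CSV export into dicts with a float timestamp."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({"time": float(r["time"]), "src": r["src"], "dst": r["dst"],
                     "proto": r["proto"], "info": r["info"]})
    return rows


def inbound_syns(rows, victim):
    """(time, client, dst_port) for every bare SYN sent to the victim."""
    out = []
    for r in rows:
        if r["proto"] == "TCP" and r["dst"] == victim and r["info"].endswith("[SYN]"):
            _sport, _, rest = r["info"].partition(" > ")
            out.append((r["time"], r["src"], int(rest.split()[0])))
    return out


def dns_queries(rows, victim):
    """(time, queried name) for every standard query the victim sends."""
    return [(r["time"], r["info"].split()[-1])
            for r in rows
            if r["proto"] == "DNS" and r["src"] == victim and "Standard query" in r["info"]]


def correlate(text, victim=VICTIM, window=WINDOW):
    """Pair each inbound SYN with the first DNS query the victim issues within
    `window` seconds.  Returns (syn_time, client, port, queried_name) tuples."""
    rows = parse_rows(text)
    queries = dns_queries(rows, victim)
    hits = []
    for t, client, port in inbound_syns(rows, victim):
        for qt, name in queries:
            if t <= qt <= t + window:
                hits.append((t, client, port, name))
                break
    return hits


if __name__ == "__main__":
    for t, client, port, name in correlate(TRAFFIC_CSV):
        print(f"{t:8.3f}  {client} -> :{port}  then DNS {name}")
```

The hits show which port the proxy is listening on (here 29146, twice) and which names the victim resolved on behalf of each client; the SYN to 445 with no following query is left out. On a real capture, also check that the flagged port is absent from the host's pre-infection listener list, since the firewall change is what opened it.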
What’s the password?
infected
Thank You