I have been tracking Rig EK campaigns that drop Bunitu for a while now but lately I’ve had some trouble with my lab getting the payload to download properly. Fortunately I have a sandbox which I can use. I’m sure I will figure out the issue!
This particular compromised site at 220.127.116.11 has a fairly long history of changing it’s domains. It is similar to 18.104.22.168 which is the other IP that I know of. They all contain an iframe leading to a URL on the same IP which contains another iframe which leads to Rig EK. As before this iframe contains the tag “small” so I like to call it the “small gate”.
- A few articles on Rig exploit kit and it’s evolution:
- Article on Bunitu Trojan:
(in password protected zip)
- 12-May-2017-Rig-Bunitu -> Pcap
- 12-May-2017-Bunitu -> Bunitu (exe and dll)
- 12-May-2017-Rig-Bunitu-CSV -> CSV of traffic
As a bonus I’ve also included a deobfuscated version of the landing page:
Details of infection chain:
(click to enlarge!)
- A malvertising chain leads to Rig EK which delivers Bunitu. The website contains an iframe which leads to another domain on the same IP which contains an iframe to Rig EK.
- The payload was rritws0m.exe though i renamed it.
SHA256: 817e477fcf49c02945e2929d7e661bc25bd1e35a564ac65ae368efdeddc21725 File name: 817e477fcf49c02945e2929d7e661bc25bd1e35a564ac65ae368efdeddc21725.bin Detection ratio: 12 / 61
- Bunitu uses a DLL called zazxirr.dll.
SHA256: 9c0d1b7105f3cbbbfee53e977a82d9ef70b0034392238a910daca68ee00c3158 File name: zazxirr.dll.bin Detection ratio: 19 / 61
- Bunitu opens random ports by changing firewall settings and allows the host to become a remote proxy.
- Every time a client connects, Bunitu issues a DNS request. Although these did not trigger any ET signatures I am sure they are initiated by Bunitu.