Rig EK via RoughTed Malvertising drops Kovter


I stumbled across an article by MalwareBytes regarding a “new” malvertising campaign they had called “RoughTed” on account of the first domain they discovered. I have not seen anyone report Rig EK publicly at least not Twitter from this campaign. Apparently it is almost a year old.

Anyway I attempted several runs and eventually landed on Rig EK which dropped Kovter click-fraud malware. Initially I did not know what this malware was having never seen it so I requested the aid of @Antelox who identified it but also noted that it was loaded by a PowerShell script which was unusual for Kovter.

The iframe to Rig EK is interesting, almost unnecessarily large script that likely does other things. Pour over the PCAP/CSV and HA report for IOC’s.


Background Information:

  • A few articles on Rig exploit kit and it’s evolution:


  • Article on Rough Ted:


  • Article on Kovter:



(in password protected zip: (infected))

Details of infection chain:

(click to enlarge!)


Rig EK via Rough Ted Malvertising drops Kovter via a powershell loader.

Full Details:

RoughTed is a malvertising operation known for it’s wide scope. See the MalwareBytes article above for a more in depth dive. In this chain I started with the RoughTed URL and within 5 second Rig EK had dropped a payload.


A series of 302 redirects and a check for time and possibly geo ip finally led to a domain that contained a script that appears to load Rig EK into an iframe.


Rig EK contained a pre-landing page which makes several environment checks before initiating a POST request to the landing page.


Rig Dropped Kovter – a click fraud malware known for its persistence techniques.

SHA256: 9674fe85726c33f982d58eb362cd598cd944dd8f3f9d0a1b5506b9470cb4b57e
File name: muabump0.exe
Detection ratio: 20 / 59

Although the malware ran fine on my machine, i did sumbit it to Hybrid Analysis to identify all IOC’s. I missed the loader part which was identified by @Antelox when I gave him the sample to identify. Kovter appeared to be loaded by a huge powershell script. The image below is at max zoom and is only a 1/3rd of the script.


Below is the bottom half the the infographic which shows Kovter’s persistence.

It is described in great detail by MalwareBytes. I used the article to match IOC’s.




One thought on “Rig EK via RoughTed Malvertising drops Kovter

  1. Pingback: Magnitude EK via RoughTed drops Cerber Ransomware | Zerophage Malware

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s