Fobos Campaign Using RIG EK to Drop Bunitu Trojan

This campaign has been dubbed “Fobos” because the actors were using the registrant email address fobos@mail.ru. FireEye first published an article back in March 2017 that discussed Fobos in relation to RIG exploit kit, called “Still Getting Served: A Look at Recent Malvertising Campaigns Involving Exploit Kits.” The article mentioned that they started tracking this campaign in the final quarter of 2016 and that the threat actors were using 302 redirects from ads to load the casino-themed Fobos domains. These Fobos domains contained iframes which redirected to RIG exploit kit.

The HTTP traffic from this infection is shown below:

[Image: Traffic]

777betx[.]info is one of the Fobos domains which contained an iframe pointing to 213jkhgfdghj[.]ga/bbc/index.php, another domain used by these operators:

[Image: iframe 2]

213jkhgfdghj[.]ga/bbc/index.php returns a script that contains the iframe pointing to the RIG exploit kit landing page:

[Image: another iframe]
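The two-hop iframe chain described above (Fobos domain to 213jkhgfdghj[.]ga/bbc/index.php to the RIG EK landing page) is the kind of thing an analyst reconstructs from captured HTTP responses. The following is an added example, not code from the original post: it extracts iframe src values from each captured body and follows them hop by hop. The domain names and the RIG EK IP-literal host are the ones the post lists; the HTML/JavaScript bodies and the landing-page path are constructed stand-ins, not the real pages.

```python
# Added example (not from the original post): reconstruct an iframe redirect
# chain from captured HTTP responses. Hostnames come from the post; the bodies
# and the RIG landing path are constructed placeholders.
import re
from urllib.parse import urljoin, urlparse

# Matches <iframe ... src="..."> with either quote style, case-insensitive.
IFRAME_SRC = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)

# Constructed sample responses keyed by request URL.
CAPTURED = {
    "http://777betx.info/": (
        '<html><body><h1>Casino</h1>'
        '<iframe src="http://213jkhgfdghj.ga/bbc/index.php"></iframe>'
        '</body></html>'
    ),
    # The second hop returns a script that writes the next iframe.
    "http://213jkhgfdghj.ga/bbc/index.php": (
        'document.write(\'<iframe src="http://188.225.27.122/'
        'RIG_LANDING_PATH_PLACEHOLDER"></iframe>\');'
    ),
    # RIG EK landing page body omitted; the path is a placeholder.
    "http://188.225.27.122/RIG_LANDING_PATH_PLACEHOLDER": "<html>(landing page)</html>",
}


def iframe_targets(base_url, body):
    """Return absolute URLs of every iframe src found in body."""
    return [urljoin(base_url, src) for src in IFRAME_SRC.findall(body)]


def follow_chain(start, captured, max_hops=10):
    """Follow the first iframe on each page until no iframe, unknown URL, or loop."""
    chain = [start]
    current = start
    for _ in range(max_hops):
        body = captured.get(current)
        if body is None:
            break                      # response not captured; chain ends here
        targets = iframe_targets(current, body)
        if not targets:
            break                      # final page, no further iframe
        current = targets[0]
        if current in chain:
            break                      # loop guard
        chain.append(current)
    return chain


def chain_hosts(chain):
    """Hostnames along the chain, the form usually recorded as IOCs."""
    return [urlparse(u).hostname for u in chain]


if __name__ == "__main__":
    for url in follow_chain("http://777betx.info/", CAPTURED):
        print(url)
```

Each hop's hostname is what ends up in the network IOC list; keeping the chain order also shows which host is the referrer for the exploit-kit landing page, which is useful when writing proxy or IDS rules that key on the referrer.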

This campaign appears to be using RIG exploit kit to drop the Bunitu proxy Trojan. hasherezade posted a very good write-up on the Bunitu Trojan, called “Revisiting The Bunitu Trojan,” when it was being dropped by Neutrino exploit kit via malvertising.

The payload was dropped and executed in %Temp%; it then dropped fastdrv.dll in %LocalAppData%. See the process tree below:

[Image: Processes]

The process tree shows fastdrv.dll being dropped in %LocalAppData% and firewall rules being added to allow connections.

We can see the details of the running process Rundll32:

The Trojan also sets itself up to auto-execute by setting/creating the following values in the registry:

[Image: values created and added]

It modifies proxy settings by deleting the following values:

[Image: modifies proxy settings]

Network based IOCs found during this infection include the following DNS queries:

g.driftinhishouse.com – 16.227.86.98
r.driftinhishouse.com – 150.39.215.89

As well as connections via TCP port 443:

216.58.206.78
95.211.138.72
217.23.11.115

Connections to the proxy:

As hasherezade stated in the Malwarebytes Lab article (linked above), the Bunitu proxy Trojan “may have various consequences for the infected user. Basically, it uses his/her resources and slows down the network traffic. But it may also frame him/her in some illegal activities carried by the attackers due to the fact that the infected client’s IP is the one visible from the outside.”

Network Based IOCs

78.47.1.213 – 777betx[.]info – Fobos campaign
78.47.1.213 – 213jkhgfdghj[.]ga – GET /bbc/index.php – Fobos campaign
188.225.27.122 – IP literal hostname used by RIG EK
16.227.86.98 – g.driftinhishouse.com – DNS queries
150.39.215.89 – r.driftinhishouse.com – DNS queries
216.58.206.78 via TCP port 443
95.211.138.72 via TCP port 443
217.23.11.115 via TCP port 443

[Image: Traffic 2] DNS queries for g.driftinhishouse.com or r.driftinhishouse.com are seen before the connections.
Hashes

SHA256: 378a409004f3a66b9c2c5b0b09ff7a3062c4222cf62e739ab6d2d64730d6abe3
File name: RigEK landing page from 188.225.27.122.txt

SHA256: f523ae762b46a13832ee43b88249a1b52fb5f0b11612af2a3bfad5e59ce05679
File name: RigEK Flash exploit from 188.225.27.122.swf

SHA256: baf7a5feca95726a88b72a672d5697e7c2e57d4a6d22a02f75282726c56e0e08
File name: a6erdcmc.exe
HA Report

SHA256: 84218b9c0954375bc3f7b2ef6a79f8a4b4bf94de00afcf3ae5e109d5e66cdfcd
File name: fastdrv.dll
HA Report

Downloads

Fobos RigEK Bunitu Trojan 081617.zip
Password is “infected”

Until next time!

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
