HookAds Campaign Is Back And Using RIG EK to Deliver Bunitu Proxy Trojan

Originally posted at malwarebreakdown.com

I haven't posted anything on the HookAds campaign since 09/17/2017. Likewise, checking malware-traffic-analysis.net shows the last write-up for HookAds on 08/01/17. According to Jérôme Segura, the campaign went away in late October 2017 and started to resurface in late February 2018. This is evidenced by a recent Twitter post from MrHazumhad, which showed an infection chain that led to RIG EK delivering Bunitu. I decided to poke around and see what I would get. Let's look at the HTTP traffic:

[Image: HTTP traffic]

The victim's host, which would have been redirected to a decoy site through malvertising, then makes a GET request for /click.php. The script tag found in the decoy page source:

<script type="text/javascript" src="/click.php"></script>

click.php returned the following:

[Image: HookAds redirect returned by click.php]

After running this, we see a redirect to jhghvhbi3999[.]info GET /banners/advertising, which returns the pre-landing page:

[Image: pre-landing page]

The pre-landing page, having filtered out unwanted traffic, redirects to the RIG EK landing page. RIG EK then delivered the Bunitu proxy Trojan. Hasherezade posted a really good write-up on Bunitu called "Revisiting The Bunitu Trojan".

The malware payload delivered to %Temp%:


We then see b38.exe (PID: 1856) detonate and set the following Winlogon notification-package registry keys:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\umnixwo\Impersonate
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\umnixwo\Asynchronous
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\umnixwo\MaxWait
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\umnixwo\DllName
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\umnixwo\Startup

[Image: Winlogon\Notify\umnixwo registry keys]

Note that Winlogon notification packages are only loaded by Winlogon on Windows XP and Server 2003; Vista and later ignore this key, so on those systems it is the Run value set below that actually re-launches the DLL at logon.

b38.exe (PID: 1856) creates umnixwo.dll in %LocalAppData%:


Process b38.exe (PID: 1856) then sets autostart registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\umnixwo:


Process b38.exe (PID: 1856) sets registry value HKLM\System\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\rundll32.exe so that rundll32.exe (which will host the DLL) is allowed through the Windows Firewall via the Authorized Applications list.

[Image: Authorized Applications list entry for rundll32.exe]

Process b38.exe (PID: 1856) sets the registry values UNCAsIntranet and AutoDetect under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap:


Process b38.exe (PID: 1856) creates process rundll32.exe (PID: 3212)

Process b38.exe (PID: 1856) creates process netsh.exe (PID: 3052)

Process rundll32.exe (PID: 3212) loads file C:\Users\[username]\AppData\Local\umnixwo.dll as module

Process b38.exe (PID: 1856) creates process netsh.exe (PID: 3568)

Process svchost.exe sets registry key HKLM\System\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\ to allow traffic inbound and outbound:

[Image: FirewallRules registry entries]


After the netsh.exe processes (PIDs 3052 and 3568) exit and b38.exe (PID: 1856) terminates itself, we see rundll32.exe start sending TCP traffic over port 443.
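The host-side behaviour above (Winlogon\Notify subkey, HKCU Run value, rundll32.exe in the firewall Authorized Applications list, FirewallRules entries written via netsh, and rundll32.exe hosting a DLL out of %LocalAppData%) is a compact set of artifacts to triage a suspect machine for. The PowerShell below is an added example written for this write-up, not code from the original post or from any analysis tool; it uses only the registry paths named above and flags the generic pattern rather than the sample-specific name "umnixwo", since that name is assumed to change per sample. Run it in an elevated session on the host being checked.

```powershell
# Added example (not from the original post): triage a Windows host for the
# Bunitu persistence and firewall artifacts described in the write-up.
# Requires an elevated PowerShell session (HKLM and process module access).

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Key, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Key = $Key; Detail = $Detail })
}

# Helper: enumerate the real values of a key, skipping PowerShell's PS* metadata.
function Get-RegValues([string]$Path) {
    if (-not (Test-Path $Path)) { return @() }
    (Get-ItemProperty -Path $Path).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' }
}

# 1. Any Winlogon notification package at all is suspicious on a modern host
#    (legitimate ones are rare; the sample created Notify\umnixwo here).
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    Get-ChildItem -Path $notify | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath).DllName
        Add-Finding 'WinlogonNotify' $_.PSChildName "DllName=$dll"
    }
}

# 2. HKCU Run values that point into %LocalAppData% (where umnixwo.dll was
#    dropped). Assumption: the Run value references the dropped DLL path.
$localAppData = [regex]::Escape($env:LOCALAPPDATA)
Get-RegValues 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' |
    Where-Object { "$($_.Value)" -match $localAppData -or "$($_.Value)" -match 'rundll32' } |
    ForEach-Object { Add-Finding 'RunKey' $_.Name "$($_.Value)" }

# 3. rundll32.exe in the legacy firewall Authorized Applications list.
$authList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
Get-RegValues $authList |
    Where-Object { $_.Name -match 'rundll32\.exe$' } |
    ForEach-Object { Add-Finding 'AuthorizedApps' $_.Name "$($_.Value)" }

# 4. FirewallRules entries (the key netsh advfirewall writes to) whose rule
#    string names rundll32.exe as the allowed application.
$fwRules = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
Get-RegValues $fwRules |
    Where-Object { "$($_.Value)" -match 'rundll32' } |
    ForEach-Object { Add-Finding 'FirewallRules' $_.Name "$($_.Value)" }

# 5. Live rundll32.exe processes that have loaded a module from %LocalAppData%;
#    a rundll32 hosting a DLL from a user-writable directory is the running proxy.
Get-Process -Name rundll32 -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try {
        $proc.Modules |
            Where-Object { $_.FileName -like "$env:LOCALAPPDATA\*" } |
            ForEach-Object { Add-Finding 'Rundll32Module' "PID $($proc.Id)" $_.FileName }
    } catch {
        Add-Finding 'Rundll32Module' "PID $($proc.Id)" "module list unavailable: $($_.Exception.Message)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Bunitu-style persistence or firewall artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Each check is independent, so a hit on only one of them (for instance a Run value into %LocalAppData% with no Winlogon\Notify subkey) still merits pulling the referenced DLL for hashing against the file-based IOCs below; the Winlogon\Notify check will stay empty on Vista and later regardless of infection, because that key is no longer created there by this sample's intended mechanism being honoured, so do not treat its absence as a clean result.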

Network-Based IOCs

HTTP Traffic:

  • jhghvhbi3999[.]info – GET /banners/advertising – pre-landing page
  • RIG EK (IP-literal hostname) – GET and POST – landing page, Flash exploit and payload

DNS Queries and Responses:

  • n.paratozix[.]net –
  • k.paratozix[.]net –

Bunitu Proxy C2 Registration 1:


SHA256: 707cf01d533ca6a55a4f5af731fadc0546b0c0eb2a00bbaa72a9b592e35f14cb
File name: pre-landing page.txt

SHA256: b26af34ef2e357987a98b1142cf37324f15453b58f876634921fce4737f610c9
File name: RIG EK landing page.txt

SHA256: 22dc4e02126eceafbab0fa9c1dc4d0b60dd83e92effc413bac23b59e01b626fe
File name: RIG EK Flash exploit.swf

SHA256: ea682caa37257a53a7ab0787cfb67859ca9dcf1bf0488e5cb19759edbfcb79b6
File name: b38.exe
Hybrid-Analysis Report

SHA256: 4e7c45d75fae01aaa499917135781c4fde74515679a6c8d12bdea6db3548c85c
File name: umnixwo.dll
Hybrid-Analysis Report


Malware Samples.zip

Password is "infected".

