Malvertising Leads to HookAds Campaign Which Redirects to RIG EK at RIG EK Drops Dreambot.

I captured another malvertising chain that included the HookAds campaign. To read more about the HookAds campaign click HERE. You can also find all my HookAds related post HERE.

Below is an image of a 302 redirect that led to the HookAds decoy XXX website:

302 redirect edited

Decoy XXX website is being hidden

The referer for the decoy XXX website, according to the TCP stream, was The server returned a 302 Moved Temporarily and included the Location of the decoy XXX website.

The decoy page located at /?adsterra_us contains a script for the relative path found on the domain at /popunder.php:

script on decoy site edited

The page returns the following script:

script edited

Base64 encoded string is underlined in red.

Found in the script is a base64 encoded string that decodes to hxxp://boultrated[.]info/banners/bbwjobs.

The GET request for /bbwjobs at boultrated[.]info returns the RIG exploit kit pre-landing page:

pre-landing page edited

The pre-landing page contains the location of the RIG EK landing page, which is underlined in red.

The pre-landing page will filter out and redirect the appropriate connections to the RIG exploit kit landing page. RIG exploit kit ended up dropping Dreambot on my host, which is consistent with the HookAds campaign.

Below is an image of the HTTP GET and POST requests from the infection chain being filtered in Wireshark:

HTTP traffic edited



  • – – GET /banners/bbwjobs – Fake ad server
  • – RIG EK
  • – Dreambot C2 traffic (Tor client at /tor/
  • – – External IP lookup

DNS Queries:

  • aeeeeeeeeeeeeeeeeeeeeeeeeeeeva.onion

dns traffic


SHA256: 46630f9f89794376d37715606fb333017106749532f444517efb6ebcc4be8652
File name: popunder.php.2.txt

SHA256: 1c7fd09b6dc9bb0a817d04569705e68e2140c1de6fdc1d091dda9577f2ee2d39
File name: bbwjobs.txt

SHA256: 15536875d8a40b7f8541475d68017a795318fed86f682e1635c89359dd89cc95
File name: RigEK landing page from

SHA256: 6f2be67a2bc9f1a61577feb5ab364c014b89f1cfb7f29461e8439de57a081b80
File name: RigEK Flash exploit from

SHA256: 9970412366402809ba2089cb8fc23d92199d13226b67f0302b1fa87adb138352
File name: o32.tmp

SHA256: b1e2e9182211e866dce3cfc7a62641b7a2bff194cb94d25e98064c524cc32ad6
File name: 4aqdak84.exe


HKCUSoftwareAppDataLowSoftwareMicrosoft {guid}



The password for the files is “infected”.

Until next time!

Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: