Rulan Campaign Redirects to RIG EK at and Drops a Miner

Watcha know about Mining!?


Today I was doing some digging (no pun intended) into numerous domains used during recent malvertising redirection chains. These domains appear to be related to a campaign dubbed “Rulan”.

Let’s start off with showing the redirection chain:

[Screenshots 1 through 4: TCP streams of the redirection chain]

As you can see from the TCP streams, there are a lot of HTTP 302 redirects leading to the RIG EK landing page, which is being hosted at
This campaign has been known to drop the banking Trojan Chthonic, but this time it appears to have dropped a miner.

The payload is dropped in %Temp% and copied to, then run from, C:\Users\User\AppData\Roaming\Microsoft\DirectX:

Callback traffic is found going to via TCP port 21025:

Contacted host

Here is another view:


So, we can see instructions for via TCP port 3333 as well as the wallet address:


Status of the mining server:

Mining server status

I’m starting to see a bit of a trend here, with more campaigns dropping miners. For example, on August 3rd I got the XMRig CoinMiner from a fake Flash Player update page. Read more about that HERE.


Needs more Zoolander memes!

It would be worth investigating if you start to see this type of traffic on your corporate network.

Network Based Traffic
  • –
  • – RIG EK IP-literal hostname
  • via TCP port 21025
  • via TCP port 3333 (low-end hardware), 5555 (mid-range hardware), and 7777 (high-end hardware)
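
The post says this traffic is worth investigating when it shows up on a corporate network, so here is an added example (not code from the original post) of what that check can look like. It scans a constructed connection log for the pool and callback ports listed above and, more reliably, for a stratum JSON-RPC "login" message carrying a Monero-style wallet address. The log format, IP addresses, wallet string and function names are all assumptions made up for illustration.

```python
"""Flag likely cryptomining traffic in a constructed connection log.

Added example for this post, not code from the original write-up. The log
format, IPs, wallet string and function names are assumptions for illustration.
"""
import json
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Ports named in the post: 3333/5555/7777 for the mining pool, 21025 for the callback.
POOL_PORTS = {3333, 5555, 7777}
CALLBACK_PORTS = {21025}

# Monero mainnet addresses are 95 base58 chars starting with '4' (or '8' for subaddresses).
XMR_ADDRESS = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")

# Constructed sample log: timestamp|src|dst|dport|first payload bytes (may be empty).
FAKE_WALLET = "4" + "A" * 94   # constructed placeholder, not a real wallet
SAMPLE_LOG = [
    "2017-08-10T12:00:01|10.0.0.5|198.51.100.20|443|",
    "2017-08-10T12:00:03|10.0.0.5|203.0.113.7|21025|",
    "2017-08-10T12:00:04|10.0.0.5|198.51.100.30|3333|GET /status HTTP/1.1",
    "2017-08-10T12:00:05|10.0.0.5|203.0.113.9|3333|"
    + json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
                  "params": {"login": FAKE_WALLET, "pass": "x", "agent": "xmrig"}}),
    # Same stratum login on port 80: the payload check still catches it.
    "2017-08-10T12:00:09|10.0.0.6|203.0.113.9|80|"
    + json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
                  "params": {"login": FAKE_WALLET, "pass": "x", "agent": "xmrig"}}),
]


@dataclass
class Finding:
    src: str
    dst: str
    dport: int
    reasons: List[str] = field(default_factory=list)
    wallet: Optional[str] = None

    @property
    def high_confidence(self) -> bool:
        # A stratum login is strong evidence; a bare port match is only a hint.
        return any(r.startswith("stratum") for r in self.reasons)


def parse_stratum_login(payload: str) -> Optional[dict]:
    """Return the 'params' dict if payload is a stratum JSON-RPC login, else None."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if isinstance(msg, dict) and msg.get("method") == "login":
        params = msg.get("params")
        if isinstance(params, dict) and "login" in params:
            return params
    return None


def inspect_line(line: str) -> Optional[Finding]:
    """Score one log line; return a Finding when anything miner-like is seen."""
    _ts, src, dst, dport, payload = line.split("|", 4)
    dport = int(dport)
    f = Finding(src, dst, dport)
    if dport in POOL_PORTS:
        f.reasons.append(f"pool port {dport}")
    if dport in CALLBACK_PORTS:
        f.reasons.append(f"callback port {dport}")
    params = parse_stratum_login(payload)
    if params is not None:
        f.reasons.append("stratum login")
        m = XMR_ADDRESS.search(str(params.get("login", "")))
        if m:
            f.wallet = m.group(0)
            f.reasons.append("monero wallet address in login")
    return f if f.reasons else None


def inspect_log(lines) -> List[Finding]:
    """Run inspect_line over every log line and keep the hits."""
    return [f for f in map(inspect_line, lines) if f is not None]


if __name__ == "__main__":
    for f in inspect_log(SAMPLE_LOG):
        level = "HIGH" if f.high_confidence else "low"
        print(f"{level:4} {f.src} -> {f.dst}:{f.dport} {', '.join(f.reasons)}")
```

Port numbers alone produce low-confidence hits (plenty of legitimate services sit on 3333 or 7777), which is why the example only escalates when it sees the stratum login itself; the wallet address it extracts is what you would pivot on across hosts.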



SHA256: b48470b9d183877fc960e3bee2e61ad9d938f0d480d290864128838fa7727145
File name: RigEK landing page from

SHA256: 358605c9305679ee4070c092d070bacbb8981661445fd115596c646f8ab58a05
File name: RigEK Flash exploit from

SHA256: c951cb3ccbc129d422f5cb3fa21491b208870b2f2e2650fa70739106d6755267
File name: o32.tmp

SHA256: 646d3a72332ef548fd8006f3fd798e6276472721127231a6fc207630e2528380
File name: ukweehmi.exe
Hybrid-Analysis Report


Malicious Artifacts from

Until next time!
