Fobos Campaign Using RIG EK to Drop Bunitu Trojan

This campaign has been dubbed “Fobos” because of the registrant email address the actors were using. FireEye first published an article back in March 2017 that discussed Fobos in relation to the RIG exploit kit, called “Still Getting Served: A Look at Recent Malvertising Campaigns Involving Exploit Kits.” The article mentioned that they started tracking this campaign in the final quarter of 2016 and that the threat actors were using 302 redirects from ads to load the casino-themed Fobos domains. These Fobos domains contained iframes which redirected to the RIG exploit kit.

The HTTP traffic from this infection is shown below:


777betx[.]info is one of the Fobos domains which contained an iframe pointing to 213jkhgfdghj[.]ga/bbc/index.php, another domain used by these operators:


213jkhgfdghj[.]ga/bbc/index.php returns a script that contains the iframe pointing to the RIG exploit kit landing page:

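The redirect chain above (casino-themed Fobos domain, then the /bbc/index.php gate, then an IP-literal RIG EK landing page) is something a defender can look for in web proxy logs. The following is an added example written for this post, not code from the original post or from any of the parties named in it. It runs over a constructed proxy log (the ad-network host, the client addresses, the timestamps and the 192.0.2.10 documentation address standing in for the RIG EK IP literal are all made up); only the two domains and the gate path come from the post.

```python
import re
from urllib.parse import urlsplit

# Hosts named in the post (defanged there as 777betx[.]info and 213jkhgfdghj[.]ga).
KNOWN_FOBOS_HOSTS = {"777betx.info", "213jkhgfdghj.ga"}
# The gate script on the second domain lived at /bbc/index.php.
GATE_PATH = "/bbc/index.php"
# RIG EK landing pages in this campaign were reached via an IP-literal hostname.
IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed proxy log (not a capture from the post).
# Fields: time client method url status referer
SAMPLE_LOG = """\
2018-01-10T12:00:01Z 10.0.0.5 GET http://ad-network.example/serve?id=1 302 -
2018-01-10T12:00:02Z 10.0.0.5 GET http://777betx.info/ 200 http://ad-network.example/serve?id=1
2018-01-10T12:00:03Z 10.0.0.5 GET http://213jkhgfdghj.ga/bbc/index.php 200 http://777betx.info/
2018-01-10T12:00:04Z 10.0.0.5 GET http://192.0.2.10/?landing=1 200 http://213jkhgfdghj.ga/bbc/index.php
2018-01-10T12:05:00Z 10.0.0.7 GET http://www.example.org/news 200 -
"""


def parse_line(line):
    """Split one log line into a record; raises ValueError on malformed lines."""
    fields = line.split(" ", 5)
    if len(fields) != 6:
        raise ValueError(f"unexpected field count: {line!r}")
    ts, client, method, url, status, referer = fields
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": status, "referer": referer}


def find_fobos_chains(log_text):
    """Return a list of hits: direct contacts with known Fobos hosts, plus gate -> IP-literal
    hand-offs where the IP-literal request carries the gate URL as its referer."""
    by_client = {}
    for raw in log_text.splitlines():
        if raw.strip():
            rec = parse_line(raw)
            by_client.setdefault(rec["client"], []).append(rec)

    hits = []
    for client, recs in by_client.items():
        for i, rec in enumerate(recs):
            parts = urlsplit(rec["url"])
            host = (parts.hostname or "").lower()
            if host in KNOWN_FOBOS_HOSTS:
                hits.append({"client": client, "ts": rec["ts"], "url": rec["url"],
                             "reason": "known Fobos host"})
            if parts.path == GATE_PATH:
                # The next request from this client that lands on an IP literal and was
                # referred by the gate is the RIG EK landing-page pattern from the post.
                for nxt in recs[i + 1:]:
                    nhost = urlsplit(nxt["url"]).hostname or ""
                    if IP_LITERAL.match(nhost) and nxt["referer"] == rec["url"]:
                        hits.append({"client": client, "ts": nxt["ts"], "url": nxt["url"],
                                     "reason": "gate -> IP-literal landing page (RIG EK pattern)"})
                        break
    return hits


def suspicious_clients(log_text):
    """Set of client IPs with at least one hit."""
    return {h["client"] for h in find_fobos_chains(log_text)}


if __name__ == "__main__":
    for hit in find_fobos_chains(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['reason']}: {hit['url']}")
```

The known-host check catches the domains from this post; the gate-to-IP-literal check is the more durable of the two, since the gate path and the IP-literal landing host are campaign traits that outlive any single registered domain.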

This campaign appears to be using the RIG exploit kit to drop the Bunitu proxy Trojan. hasherezade posted a really good write-up on the Bunitu Trojan called “Revisiting The Bunitu Trojan,” which covered it being dropped by the Neutrino exploit kit via malvertising.

The payload was dropped and executed in %Temp%, which then dropped fastdrv.dll in %LocalAppData%:

See the process tree below:


The process tree shows fastdrv.dll being dropped in %LocalAppData% and firewall rules being added to allow connections.

We can see the details of the running process Rundll32:

The Trojan also modifies auto-execute functionality by setting/creating the following values in the registry:


It also modifies proxy settings by deleting values:

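The host-side behaviour described above (dropper run from %Temp%, fastdrv.dll written to %LocalAppData%, rundll32 loading it, firewall rules added, an auto-run registry value set, proxy values deleted) maps onto a small set of endpoint detection rules. The following is an added example written for this post, not code from the original post or from any tool it mentions. It evaluates constructed Sysmon-style events: only the two SHA256 values come from the post; the user profile path, the SID, the netsh command line, and the exact Run and Internet Settings registry paths are assumptions made for the example, since the post shows those details only in screenshots.

```python
import re

# SHA256 values of the two Bunitu samples listed in the post.
KNOWN_HASHES = {
    "baf7a5feca95726a88b72a672d5697e7c2e57d4a6d22a02f75282726c56e0e08": "a6erdcmc.exe (dropper)",
    "84218b9c0954375bc3f7b2ef6a79f8a4b4bf94de00afcf3ae5e109d5e66cdfcd": "fastdrv.dll (proxy module)",
}

# Constructed Sysmon-style events (not real telemetry). Paths, SID, and the netsh and
# registry details are assumptions for this example; only the hashes are from the post.
LOCAL = r"C:\Users\u\AppData\Local"
RUNDLL = r"C:\Windows\System32\rundll32.exe"
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "image": LOCAL + r"\Temp\a6erdcmc.exe",
     "cmdline": LOCAL + r"\Temp\a6erdcmc.exe",
     "sha256": "baf7a5feca95726a88b72a672d5697e7c2e57d4a6d22a02f75282726c56e0e08"},
    {"type": "FileCreate", "image": LOCAL + r"\Temp\a6erdcmc.exe",
     "target": LOCAL + r"\fastdrv.dll",
     "sha256": "84218b9c0954375bc3f7b2ef6a79f8a4b4bf94de00afcf3ae5e109d5e66cdfcd"},
    {"type": "ProcessCreate", "image": RUNDLL,
     "cmdline": f'rundll32.exe "{LOCAL}\\fastdrv.dll"'},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": f'netsh advfirewall firewall add rule name="fastdrv" dir=in action=allow program="{LOCAL}\\fastdrv.dll"'},
    {"type": "RegistryValueSet", "image": RUNDLL,
     "target": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\fastdrv"},
    {"type": "RegistryValueDelete", "image": RUNDLL,
     "target": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer"},
    {"type": "ProcessCreate", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

# A DLL sitting directly in %LocalAppData%, as a file path or inside a command line.
LOCALAPPDATA_DLL = re.compile(r"\\AppData\\Local\\[^\\\s\"]+\.dll\b", re.I)


def known_bunitu_hash(e):
    return e.get("sha256", "").lower() in KNOWN_HASHES


def dll_dropped_in_localappdata(e):
    return e["type"] == "FileCreate" and bool(LOCALAPPDATA_DLL.search(e.get("target", "")))


def rundll32_loads_localappdata_dll(e):
    return (e["type"] == "ProcessCreate"
            and e.get("image", "").lower().endswith(r"\rundll32.exe")
            and bool(LOCALAPPDATA_DLL.search(e.get("cmdline", ""))))


def netsh_firewall_allow_rule(e):
    cmd = e.get("cmdline", "").lower()
    return e["type"] == "ProcessCreate" and "advfirewall firewall add rule" in cmd and "action=allow" in cmd


def run_key_persistence(e):
    return e["type"] == "RegistryValueSet" and r"\currentversion\run\ " .strip() in e.get("target", "").lower()


def proxy_setting_deleted(e):
    return e["type"] == "RegistryValueDelete" and r"\internet settings\ " .strip() in e.get("target", "").lower()


RULES = {f.__name__: f for f in (known_bunitu_hash, dll_dropped_in_localappdata,
                                 rundll32_loads_localappdata_dll, netsh_firewall_allow_rule,
                                 run_key_persistence, proxy_setting_deleted)}


def evaluate_events(events):
    """Return {rule_name: [indexes of matching events]} for every rule that fired."""
    matches = {}
    for i, ev in enumerate(events):
        for name, pred in RULES.items():
            if pred(ev):
                matches.setdefault(name, []).append(i)
    return matches


def bunitu_score(events):
    """Number of distinct Bunitu behaviours seen; the post shows all six on one host."""
    return len(evaluate_events(events))


if __name__ == "__main__":
    for name, idx in evaluate_events(SAMPLE_EVENTS).items():
        print(f"{name}: events {idx}")
    print("score:", bunitu_score(SAMPLE_EVENTS))
```

The hash rule only catches these two samples; the five behavioural rules are the ones worth keeping, and a host that trips several of them within a short window is a far stronger signal than any one of them alone.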

Network-based IOCs found during this infection include the following DNS queries:

As well as connections via TCP port 443:

Connections to the proxy:

As hasherezade stated in the Malwarebytes Lab article (linked above), the Bunitu proxy Trojan “may have various consequences for the infected user. Basically, it uses his/her resources and slows down the network traffic. But it may also frame him/her in some illegal activities carried by the attackers due to the fact that the infected client’s IP is the one visible from the outside.”

Network Based IOCs
– 777betx[.]info – Fobos campaign
– GET /bbc/index.php – Fobos campaign
– IP literal hostname used by RIG EK
– DNS queries
– DNS queries
– via TCP port 443
– via TCP port 443
– via TCP port 443


DNS queries for or before connections


SHA256: 378a409004f3a66b9c2c5b0b09ff7a3062c4222cf62e739ab6d2d64730d6abe3
File name: RigEK landing page from

SHA256: f523ae762b46a13832ee43b88249a1b52fb5f0b11612af2a3bfad5e59ce05679
File name: RigEK Flash exploit from

SHA256: baf7a5feca95726a88b72a672d5697e7c2e57d4a6d22a02f75282726c56e0e08
File name: a6erdcmc.exe
HA Report

SHA256: 84218b9c0954375bc3f7b2ef6a79f8a4b4bf94de00afcf3ae5e109d5e66cdfcd
File name: fastdrv.dll
HA Report


Fobos RigEK Bunitu Trojan
Password is “infected”

Until next time!

  1. […] January 2018, Rig EK was used by at least three identifiable campaigns: Fobos, Ngay, and […]


