HookAds Campaign Is Back And Using RIG EK to Deliver Bunitu Proxy Trojan

Originally posted at malwarebreakdown.com
Follow me on Twitter

I haven’t posted anything on the HookAds campaign since 09/17/2017. Likewise, checking malware-traffic-analysis.net shows the last write up for HookAds on 08/01/17. According to Jérôme Segura, the campaign went away in late October, 2017, and started to resurface in late February, 2018. This is evident by a recent Twitter post from MrHazumhad which showed an infection chain that led to RIG EK delivering Bunitu. I decided to poke around and see what I would get. Let’s look at the HTTP traffic:

HTTP traffic Edited

The victim’s host, who would have been redirected to a decoy site through malvertising, would then make a GET request for /click.php. Script found in page source:


click.php returned the following:

hookads redirect

After running this, we see a redirect to jhghvhbi3999[.]info GET /banners/advertising, which returns the pre-landing page:

pre-landing page

The pre-landing page, having filtered out unwanted traffic, redirects to the RIG EK landing page. RIG EK then delivered Bunitu proxy Trojan. Hasherezade posted a really good write up on the Bunitu Trojan called “Revisiting The Bunitu Trojan”.

The malware payload delivered to %Temp%:


We then see b38.exe detonated (PID: 1856) and setting the following registry keys:

  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifyumnixwoImpersonate
  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifyumnixwoAsynchronous
  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifyumnixwoMaxWait
  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifyumnixwoDllName
  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifyumnixwoStartup

winlogon umnixwo

b38.exe (PID: 1856) creates umnixwo.dll in %LocalAppData%:


Process b38.exe (PID: 1856) then sets autostart registry key HKCUSoftwareMicrosoftWindowsCurrentVersionRunumnixwo:


Process b38.exe (PID: 1856) sets registry key HKLMSystemCurrentControlSetservicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsListC:Windowssystem32rundll32.exe to try and bypass the firewall via the Authorized Applications list.

authorized applications

Process b38.exe (PID: 1856) sets registry key HKCUSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapUNCAsIntranet and AutoDetect


Process b38.exe (PID: 1856) creates process rundll32.exe (PID: 3212)

Process b38.exe (PID: 1856) creates process netsh.exe (PID: 3052)

Process rundll32.exe (PID: 3212) loads file C:Users[username]AppDataLocalumnixwo.dll as module

Process b38.exe (PID: 1856) creates process netsh.exe (PID: 3568)

Process svchost.exe sets registry key HKLMSystemCurrentControlSetservicesSharedAccessParametersFirewallPolicyFirewallRules to allow traffic inbound and outbound:

Firewall Rules


After process netsh.exe (PID: 3568 and 3052) and b38.exe (PID: 1856) kills its own process we see rundll32.exe start sending TCP traffic to over port 443.

Network-Based IOCs

HTTP Traffic: – jhghvhbi3999.info GET – /banners/advertising – Pre-Landing Page – GET and POST – RIG EK IP-Literal Hostname

DNS Queries and Responses:

n.paratozix.net –
k.paratozix.net –

Bunitu Proxy C2 Registration 1:


SHA256: 707cf01d533ca6a55a4f5af731fadc0546b0c0eb2a00bbaa72a9b592e35f14cb
File name: pre-landing page.txt

SHA256: b26af34ef2e357987a98b1142cf37324f15453b58f876634921fce4737f610c9
File name: RIG EK landing page.txt

SHA256: 22dc4e02126eceafbab0fa9c1dc4d0b60dd83e92effc413bac23b59e01b626fe
File name: RIG EK Flash exploit.swf

SHA256: ea682caa37257a53a7ab0787cfb67859ca9dcf1bf0488e5cb19759edbfcb79b6
File name: b38.exe
Hybrid-Analysis Report

SHA256: 4e7c45d75fae01aaa499917135781c4fde74515679a6c8d12bdea6db3548c85c
File name: umnixwo.dll
Hybrid-Analysis Report


Malware Samples.zip

password is “infected”

  1. […] after disappearing near the end of 2017. Last week I wrote about it coming back and delivering Bunitu proxy Trojan. This post will go over the infection chain found on […]



Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: