Fobos Campaign Uses HookAds Template and Delivers Bunitu Proxy Trojan via RIG EK

Originally posted at

On closer inspection, it looks like Fobos is redirecting to the HookAds template (thanks Jerome for double-checking that for me). The decoy site that redirected to HookAds on 03/07/18 (covered in an earlier post) is the same code found in this infection chain on 03/11/18.

HTTP traffic:

[Screenshot: Fiddler traffic]


The decoy site contains some packed JavaScript:

[Screenshot: packed JavaScript on decoy site]

[Screenshot: unpacked decoy site]

The Base64 string shown above is decoded at runtime and the output is used in the iframe, causing the following GET request:

[Screenshot: request and response]
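The decoy page hides its iframe by storing the tag as a Base64 string and decoding it only at runtime, so a plain text search of the page source for `<iframe` finds nothing. The triage helper below, an added example that is not code from the original post, decodes every Base64-looking token in a page and reports any iframe tags (and their `src`) that appear in the decoded output. The sample page and the `pre-landing.example` hostname are constructed placeholders, not indicators from the post.

```python
import base64
import re
from html.parser import HTMLParser

# A run of Base64 alphabet long enough to hold an HTML tag. Short tokens
# (identifiers, hex digests) are discarded by the decode step.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag fed to it."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _try_decode(token):
    """Decode a Base64 token to text; return None if it is not valid Base64
    or the bytes are not UTF-8 (binary blobs, random-looking keys)."""
    if "=" not in token:
        token += "=" * (-len(token) % 4)  # restore padding the page may omit
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def hidden_iframes(html):
    """Return the attributes of every <iframe> found inside Base64 strings
    embedded in the page source."""
    found = []
    for match in _B64_TOKEN.finditer(html):
        text = _try_decode(match.group(0))
        if text and "<iframe" in text.lower():
            collector = _IframeCollector()
            collector.feed(text)
            found.extend(collector.iframes)
    return found


def hidden_iframe_sources(html):
    """Just the src values, for one-line triage output."""
    return [frame.get("src", "") for frame in hidden_iframes(html)]


# Constructed sample decoy page in the shape the post describes: a script that
# decodes a Base64 string and writes the resulting 1x1 iframe into the page.
# The hostname is a placeholder, not a domain from the post.
_IFRAME_TAG = ('<iframe src="http://pre-landing.example/ywkk" '
               'width="1" height="1"></iframe>')
SAMPLE_DECOY_HTML = (
    "<html><body><p>Nothing to see here.</p>\n"
    '<script>var s=atob("'
    + base64.b64encode(_IFRAME_TAG.encode()).decode()
    + '");document.write(s);</script>\n</body></html>'
)

if __name__ == "__main__":
    for frame in hidden_iframes(SAMPLE_DECOY_HTML):
        print("hidden iframe ->", frame.get("src"), frame)
```

Run it against a saved copy of a suspicious page; a 1x1 (or zero-sized) iframe pointing at a host unrelated to the page is the redirect worth chasing in the proxy logs.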

The server responds with a 301 Moved Permanently pointing to the directory /ywkk/. The request for /ywkk/ returns the pre-landing page with more packed JavaScript:

[Screenshot: packed and decoded JavaScript]

[Screenshot: pre-landing page]

The pre-landing page filters out unwanted traffic; visitors it rejects are shown a "404 Not Found" page:

[Screenshot: Firefox showing 404 Not Found]

Victims that are redirected to the RIG EK landing page are delivered the Bunitu proxy Trojan.


SHA256: 0078ea2e505149a864958511f5a3f733482f8e92639a713807095d8f7a7e7fe8
File name: Pre-Landing Page.txt

SHA256: 6b46ba8d4a4ca55d7fc6781d3a53f5a2b8a2da682bc4b09624ed0e13779b7b46
File name: RIG EK Landing Page.txt

SHA256: 85c5f5a81f6701d597ada200dfd8338078752dc165f97efc094edf4874327c76
File name: RIG EK Flash Exploit.swf

SHA256: 94b882dedcaf288a9bda752767dc65d39cd15f5da4e5615c8fae3f962c806d41
File name: u32.tmp

SHA256: c669bccbd709080fc78d5931afc7337977cd4c5c94c4900052c665a533c53b71
File name: b43.exe
Hybrid-Analysis Report
Any Run Report

SHA256: 9dec506410d00e17a843f13f24241420b83ab815421b19277a620992ce3e63c4
File name: osetril.dll
Hybrid-Analysis Report


HTTP Traffic:
– – GET /ywkk – Redirect
– – GET /ywkk/ – Pre-Landing Page
– POST and GET – RIG EK IP-Literal Hostname

DNS Queries and Responses: – –
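The traffic summary above is a chain a proxy log can be searched for: a 301 redirect on a victim, followed shortly by GET and POST requests to a hostname that is a bare IP literal. The detection below is an added example, not code from the original post. It assumes a simple whitespace-delimited proxy log (timestamp, client, method, host, path, status); the log lines, hostnames and addresses are constructed placeholders, not indicators from the post. Requests to IP literals inside the organisation's own ranges are ignored, since internal APIs are commonly reached by address.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Ranges treated as internal; adjust to the organisation's own allocations.
DEFAULT_INTERNAL = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed proxy log: one victim (10.0.0.5) following the redirect chain
# to an IP-literal host, plus two clients that must not trigger an alert.
SAMPLE_LOG = """\
2018-03-11T10:00:01 10.0.0.5 GET decoy.example /index.html 200
2018-03-11T10:00:02 10.0.0.5 GET prelanding.example /ywkk 301
2018-03-11T10:00:02 10.0.0.5 GET prelanding.example /ywkk/ 200
2018-03-11T10:00:04 10.0.0.5 GET 192.0.2.10 / 200
2018-03-11T10:00:05 10.0.0.5 POST 192.0.2.10 / 200
2018-03-11T10:00:06 10.0.0.5 GET 192.0.2.10 / 200
2018-03-11T10:05:00 10.0.0.7 GET intranet.example /status 200
2018-03-11T10:05:01 10.0.0.7 GET 10.0.0.20 /api/health 200
2018-03-11T10:06:00 10.0.0.9 GET shop.example /old 301
2018-03-11T10:06:01 10.0.0.9 GET shop.example /new/ 200
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, status = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "host": host, "path": path, "status": int(status),
        })
    return events


def is_external_ip_literal(host, internal=DEFAULT_INTERNAL):
    """True when the Host is a bare IP address outside the internal ranges."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, not an IP literal
    return not any(ip in net for net in internal)


def find_ek_chains(events, window_seconds=120):
    """Flag clients that, within window_seconds of a 301 redirect, send both
    GET and POST requests to an external IP-literal hostname."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)

    alerts = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if ev["status"] != 301:
                continue
            deadline = ev["ts"] + timedelta(seconds=window_seconds)
            methods_by_host = defaultdict(set)
            for later in evs[i + 1:]:
                if later["ts"] > deadline:
                    break
                if is_external_ip_literal(later["host"]):
                    methods_by_host[later["host"]].add(later["method"])
            for host, seen in methods_by_host.items():
                if {"GET", "POST"} <= seen:
                    alerts.append({
                        "client": client,
                        "redirect": ev["host"] + ev["path"],
                        "ek_host": host,
                        "redirect_at": ev["ts"].isoformat(),
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_ek_chains(parse_log(SAMPLE_LOG)):
        print("possible EK chain:", alert)
```

The 301 precursor and the GET+POST pair to the same IP literal are what keep this from firing on every direct-to-IP request; tune `window_seconds` and the internal ranges to the environment before relying on it.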

From HA Reports – “CrowdStrike Bunitu Proxy C2 Registration 1”:



Password is “infected”
