Fobos Malvertising Campaign Delivers Bunitu Proxy Trojan via RIG EK

Originally posted at

Traffic from 03/21/18:


The first part of the redirection chain shown above would be from the Fobos decoy site.

The decoy site contains the following Base64 encoded string:

packed code on decoy site

The decoded string on the decoy site points to the next step in the redirection chain, the pre-landing page:

pre-landing page

Unpacked and beautified:

After the pre-landing page comes the POST request to the RIG EK landing page at Finally, after successfully exploiting my system, the Fobos campaign used RIG EK to deliver the Bunitu proxy Trojan. Below are some details about the infection.


File System

Payload downloaded to %Temp%:


Process b13.exe (PID: 2616) created file zervuxx.dll in %LocalAppData%:


Processes Created

  • Command line:
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe"
    Parent PID: 2616
    Child PID: 576
  • Command line:
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Rundll32" dir=in action=allow protocol=any program="C:\Windows\system32\rundll32.exe"
    Parent PID: 2616
    Child PID: 876
  • Command line:
    "C:\Windows\System32\rundll32.exe" "C:\Users\[User]\AppData\Local\zervuxx.dll",zervuxx C:\Users\[User]\AppData\Local\Temp\b13.exe
    Parent PID: 2616
    Child PID: 3728

process properties


Keys created:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zervuxx
  • HKLM\System\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Values set:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zervuxx\Impersonate
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zervuxx\Asynchronous
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zervuxx\MaxWait
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zervuxx\DllName
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zervuxx\Startup

Winlogon Notify zervuxx

  • HKLM\System\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\rundll32.exe

Authorized Applications

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\zervuxx
Registry Run

Set by b13.exe (PID: 2616)

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect

Internet Settings ZoneMap


Mutex created:



Queries and responses: -> ->

HTTP Traffic – Pre-Infection

  • – GET /av2sdfy/index.php – Fobos
  • – POST and GET – RIG EK

Hashes and Reports

SHA256: ab0987156a279050e632aa5810d2d2355bf65c611d8b563bd73ef3392948bb3a
File name: Pre-Landing Page.txt

SHA256: a36204a8c830f420475a7e8b3dde7f29d80e6dffb15facf77f6b4fe8f78d7ce6
File name: RigEK Landing Page.txt

SHA256: 971c424d839bed4037a62f85791beb559f43e77d67a83590274478bdcf0c4563
File name: RigEK Flash Exploit.swf

SHA256: 8e8ac821d17dbbbecf0afabf93b1f8fd35a333215f363acbaa826851f7ad4286
File name: b13.exe

SHA256: e7ac8ae86345db9a6087d4c3e99b8f8cd52ee0bf1ad626866af5452434c87322
File name: zervuxx.dll



Password is “infected”
