HookAds Campaign Delivers Bunitu Proxy Trojan via RIG EK

Originally posted at malwarebreakdown.com
Follow me on Twitter

The HookAds campaign recently became active after disappearing near the end of 2017. Last week I wrote about it coming back and delivering Bunitu proxy Trojan. This post will go over the infection chain found on 03/11/18.

HTTP traffic:

The decoy site contains some packed JavaScript:

packed javascript on decoy site


unpacked decoy site

The Base64 string shown above is decoded and the output is used in the iframe, causing the following GET request:

Request Response

The server responds with a 301 Moved Permanently pointing to the directory /ywkk/. The request for /ywkk/ returns the pre-landing page with more packed JavaScript:

packed and decoded


pre-landing page

The pre-landing page filters out unwanted traffic and displays a page showing “404 Not Found”:

firefox 404 Not Found

Victims that are redirected to the RIG EK landing page are delivered the Bunitu proxy Trojan.


SHA256: 0078ea2e505149a864958511f5a3f733482f8e92639a713807095d8f7a7e7fe8
File name: Pre-Landing Page.txt

SHA256: 6b46ba8d4a4ca55d7fc6781d3a53f5a2b8a2da682bc4b09624ed0e13779b7b46
File name: RIG EK Landing Page.txt

SHA256: 85c5f5a81f6701d597ada200dfd8338078752dc165f97efc094edf4874327c76
File name: RIG EK Flash Exploit.swf

SHA256: 94b882dedcaf288a9bda752767dc65d39cd15f5da4e5615c8fae3f962c806d41
File name: u32.tmp

SHA256: c669bccbd709080fc78d5931afc7337977cd4c5c94c4900052c665a533c53b71
File name: b43.exe
Hybrid-Analysis Report
Any Run Report

SHA256: 9dec506410d00e17a843f13f24241420b83ab815421b19277a620992ce3e63c4
File name: osetril.dll
Hybrid-Analysis Report


HTTP Traffic: – 53hshshshs1.info – GET /ywkk – HookAds Redirect – POST and GET – RIG EK IP-Literal Hostname

DNS Queries and Responses:

n.paratozix.net –
k.paratozix.net –

From HA Reports – “CrowdStrike Bunitu Proxy C2 Registration 1”:


Malware Samples.zip

Password is “infected”

Article Link: https://malwarebreakdown.com/2018/03/12/hookads-campaign-delivers-bunitu-proxy-trojan-via-rig-ek/