Malvertising Leads to RIG EK

On 9/22/17, @thlnk3r tweeted images of an infection chain involving malvertising and the RIG exploit kit. Below is an image of the Tweet:


One of the images seems to show a referer from, which is a popunder advertising network:


The URI used by the referer contains a base64/URL encoded string that decodes to /hxxp://mp3club[.]xyz/?q=mary-jane-girls-all-night-long?cb=6092719085137035.

It would seem that the user visited mp3club[.]xyz, which currently contains JavaScript that specifies the URL of an external script file located at

The popunder from appears to have redirected the user to itransportandlogistics[.]com, which contained the malicious iframe:

Compromised site with iframe

page source with RIG EK landing page URL

The iframe redirected to the RIG EK landing page, which dropped the malicious payload in %TEMP%:


Executing the malicious payload shows the process bilonebilo43.exe creating a hidden copy of itself at C:\Users\[Username]\AppData\Roaming\remcos\remcos.exe:

Hidden AppData Roaming

bilonebilo43.exe then sets the AutoStart registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\remcos:

Run registry

This is followed by bilonebilo43.exe setting the AutoStart registry key in HKLM\Software\Microsoft\Windows\CurrentVersion\Run\remcos:


I also found this entry in the registry (HKCU\Software\Remcos-BGXZ2U):


bilonebilo43.exe then created the file C:\Users\[Username]\AppData\Local\Temp\install.vbs:


install vbs file

bilonebilo43.exe then creates process WScript.exe and executes the .vbs:


Following the execution of remcos.exe, there was attempted callback traffic to via TCP port 1122; however, the server responded with a [RST, ACK]:

attempted callback

It is still unclear what this payload is.
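
The host behaviours described above (the self-copy under AppData\Roaming\remcos, the two Run values, the Remcos-BGXZ2U key, install.vbs launched by WScript.exe, and the TCP 1122 callback) can be combined into one triage check over endpoint telemetry. This is an added example, not part of the original post: the event types, field names, the HKCU/HKLM key normalization, the host names and every sample event are constructed assumptions.

```python
import re

# Host behaviours reported in the post, as (label, event type, field, regex).
# Event types and field names are assumptions (Sysmon-style), not from the post.
RULES = [
    ("self-copy to Roaming\\remcos", "file_create", "path",
     r"\\AppData\\Roaming\\remcos\\remcos\.exe$"),
    ("Run value 'remcos'", "reg_set", "key",
     r"^(HKCU|HKLM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos$"),
    # The post shows Remcos-BGXZ2U; matching any suffix is an assumption.
    ("Remcos-* key", "reg_set", "key", r"^HKCU\\Software\\Remcos-"),
    ("install.vbs in Temp", "file_create", "path",
     r"\\AppData\\Local\\Temp\\install\.vbs$"),
    ("WScript runs install.vbs", "proc_create", "cmdline",
     r"wscript\.exe.*\\install\.vbs"),
    ("outbound TCP 1122", "net_connect", "dport", r"^1122$"),
]

def match(event):
    """Labels of every rule the single event satisfies."""
    return [label for label, etype, field, rx in RULES
            if event.get("type") == etype
            and re.search(rx, str(event.get(field, "")), re.IGNORECASE)]

def triage(events, threshold=3):
    """Hosts showing at least `threshold` distinct behaviours -> sorted labels."""
    seen = {}
    for ev in events:
        seen.setdefault(ev["host"], set()).update(match(ev))
    return {h: sorted(s) for h, s in seen.items() if len(s) >= threshold}

RUN = r"\Software\Microsoft\Windows\CurrentVersion\Run"
USER = r"C:\Users\alice\AppData"          # constructed user profile
EVENTS = [  # constructed sample events, not captured from the infection
    {"host": "WS01", "type": "file_create", "path": USER + r"\Roaming\remcos\remcos.exe"},
    {"host": "WS01", "type": "reg_set", "key": "HKCU" + RUN + r"\remcos"},
    {"host": "WS01", "type": "reg_set", "key": "HKLM" + RUN + r"\remcos"},
    {"host": "WS01", "type": "reg_set", "key": r"HKCU\Software\Remcos-BGXZ2U"},
    {"host": "WS01", "type": "file_create", "path": USER + r"\Local\Temp\install.vbs"},
    {"host": "WS01", "type": "proc_create",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "' + USER + r'\Local\Temp\install.vbs"'},
    {"host": "WS01", "type": "net_connect", "dport": 1122},
    # WS02: one weak signal (port 1122 alone) plus an unrelated Run value.
    {"host": "WS02", "type": "net_connect", "dport": 1122},
    {"host": "WS02", "type": "reg_set", "key": "HKCU" + RUN + r"\OneDrive"},
]

if __name__ == "__main__":
    for host, labels in triage(EVENTS).items():
        print(host, len(labels), labels)
```

Requiring several distinct behaviours per host keeps a lone port-1122 connection (WS02 in the sample) from raising an alert on its own.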

Network Based IOCs
  • – itransportandlogistics[.]com
  • – IP literal hostname used by RIG EK
  • – Callback attempts via TCP port 1122

SHA256: 6da78abc94cfed0728a937566590bb4c2dfc683c47b5a2447157bbc471b7a4dd
File name: Landing page.txt

SHA256: 683f29ebb7e17219cc064e340a7890ae76875cab24b0aefc23d509654f62a775
File name: Flash exploit.swf

SHA256: 96c729d88f7dc0cdb71451b9b0dc52db435f6b2769b91060e336813371ef87ed
File name: o32.tmp

SHA256: 6084cf3b71c74f9dc62f66acff51a722e9948801ad300cc68d88b7a392a01610
File name: bilonebilo43.exe
Hybrid-Analysis Report

SHA256: bc45bf7b100e55e5bed86b038404c5c9771aafb682e0db037fa0bf1b175900f1
File name: install.vbs



The password is “infected”.

Until next time!
