Light Dark
June 10, 2019 By David Bisson 2 min read

A malvertising campaign is redirecting users to the RIG exploit kit, which then attempts to infect them with a new ransomware called Buran.

According to Bleeping Computer, exploit kit researcher nao_sec was among the first to spot the malvertising campaign. The operation redirects users to the RIG exploit kit, which then attempts to exploit several vulnerabilities affecting various versions of Internet Explorer. If one of those exploitation attempts is successful, the exploit kit uses a series of commands to download Buran ransomware onto the vulnerable computer.

Bleeping Computer examined a sample of Buran and found that it copied itself to and launched from %APPDATA%\microsoft\windows\ctfmon.exe upon execution. Unlike other, more recent ransomware variants, Buran doesn’t clear event logs or delete shadow volume copies to evade detection or impede recovery. Instead, it implements its encryption process and displays a ransom note to the victim once it’s finished.

Around the Block With Buran and the RIG Exploit Kit

In April 2019, researchers at ESET detected an earlier version of Buran called Vega being distributed via the Yandex.Direct online advertising network. In examining the campaign uncovered by Bleeping Computer, it appears that threat actors made a few small changes but kept Vega’s encryption routine the same in Buran.

RIG has also been busy recently. For example, researchers at Malwarebytes observed RIG spreading malware that was responsible for launching distributed denial-of-service (DDoS) attacks against Electrum bitcoin wallet servers. About a year prior, FireEye discovered that the exploit kit was distributing Grobios, a Trojan that came preloaded with evasion and anti-sandbox tactics.

How to Defend Against Malware-Bearing Exploit Kits

Security professionals can help defend their organizations against malware-bearing exploit kits like RIG by using asset discovery to unearth shadow IT and effective software patching to protect these assets against vulnerabilities. They should also leverage anti-spam software, employee awareness training, and other tools and initiatives as part of a layered defense strategy to prevent a ransomware infection.

 |  |  | 
David Bisson
Contributing Editor

More from

July 26, 2024

test img

8 min read - What is Lorem Ipsum? Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and…

July 26, 2024

img test

7 min read - test imgWhat is Lorem Ipsum? Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages,…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature