Light Dark
June 10, 2019 By David Bisson 2 min read

A malvertising campaign is redirecting users to the RIG exploit kit, which then attempts to infect them with a new ransomware called Buran.

According to Bleeping Computer, exploit kit researcher nao_sec was among the first to spot the malvertising campaign. The operation redirects users to the RIG exploit kit, which then attempts to exploit several vulnerabilities affecting various versions of Internet Explorer. If one of those exploitation attempts is successful, the exploit kit uses a series of commands to download Buran ransomware onto the vulnerable computer.

Bleeping Computer examined a sample of Buran and found that it copied itself to and launched from %APPDATA%\microsoft\windows\ctfmon.exe upon execution. Unlike other, more recent ransomware variants, Buran doesn’t clear event logs or delete shadow volume copies to evade detection or impede recovery. Instead, it implements its encryption process and displays a ransom note to the victim once it’s finished.

Around the Block With Buran and the RIG Exploit Kit

In April 2019, researchers at ESET detected an earlier version of Buran called Vega being distributed via the Yandex.Direct online advertising network. In examining the campaign uncovered by Bleeping Computer, it appears that threat actors made a few small changes but kept Vega’s encryption routine the same in Buran.

RIG has also been busy recently. For example, researchers at Malwarebytes observed RIG spreading malware that was responsible for launching distributed denial-of-service (DDoS) attacks against Electrum bitcoin wallet servers. About a year prior, FireEye discovered that the exploit kit was distributing Grobios, a Trojan that came preloaded with evasion and anti-sandbox tactics.

How to Defend Against Malware-Bearing Exploit Kits

Security professionals can help defend their organizations against malware-bearing exploit kits like RIG by using asset discovery to unearth shadow IT and effective software patching to protect these assets against vulnerabilities. They should also leverage anti-spam software, employee awareness training, and other tools and initiatives as part of a layered defense strategy to prevent a ransomware infection.

 |  |  | 
David Bisson
Contributing Editor

More from

November 20, 2024

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

November 19, 2024

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

November 18, 2024

Research finds 56% increase in active ransomware groups

4 min read - Any good news is welcomed when evaluating cyber crime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks — now accounting for only 17% of all cybersecurity incidents compared to 21% in 2021. Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature