June 10, 2019 By David Bisson

A malvertising campaign is redirecting users to the RIG exploit kit, which then attempts to infect them with a new ransomware called Buran.

According to Bleeping Computer, exploit kit researcher nao_sec was among the first to spot the malvertising campaign. The operation redirects users to the RIG exploit kit, which then attempts to exploit several vulnerabilities affecting various versions of Internet Explorer. If one of those exploitation attempts is successful, the exploit kit uses a series of commands to download Buran ransomware onto the vulnerable computer.

Bleeping Computer examined a sample of Buran and found that, upon execution, it copied itself to %APPDATA%\microsoft\windows\ctfmon.exe and launched from that location. Unlike other, more recent ransomware variants, Buran doesn’t clear event logs or delete shadow volume copies to evade detection or impede recovery. Instead, it runs its encryption routine and displays a ransom note to the victim once it’s finished.
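The following is an added example, not code from Bleeping Computer or the original article: a path-based check for the behaviour described above, flagging process-creation events in which ctfmon.exe runs from outside the Windows system directories. The event format, the host names and the list of legitimate directories are assumptions, and the sample events are constructed.

```python
import ntpath
import re

# Assumption: the genuine ctfmon.exe ships only in these Windows directories.
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Path reported for the Buran sample: %APPDATA%\microsoft\windows\ctfmon.exe,
# where %APPDATA% normally expands to C:\Users\<name>\AppData\Roaming.
BURAN_PATH = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows\\ctfmon\.exe$"
)

def normalise(path):
    """Strip quotes, unify separators, collapse '..' segments, lower-case."""
    path = path.strip().strip('"').replace("/", "\\")
    return ntpath.normpath(path).lower()

def classify(image_path):
    """Return 'buran-path', 'suspicious-location', or None for an image path."""
    path = normalise(image_path)
    if ntpath.basename(path) != "ctfmon.exe":
        return None
    if BURAN_PATH.match(path):
        return "buran-path"
    if ntpath.dirname(path) not in LEGIT_DIRS:
        return "suspicious-location"
    return None

def scan(events):
    """Yield (host, image, verdict) for every flagged process-creation event."""
    for ev in events:
        verdict = classify(ev["image"])
        if verdict:
            yield ev["host"], ev["image"], verdict

# Constructed sample events (hypothetical hosts, not taken from any real log).
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Windows\System32\ctfmon.exe"},
    {"host": "ws-02", "image": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\ctfmon.exe"},
    {"host": "ws-03", "image": r'"C:/Users/bob/AppData/Roaming/microsoft/windows/CTFMON.EXE"'},
    {"host": "ws-04", "image": r"C:\Windows\System32\..\Temp\ctfmon.exe"},
    {"host": "ws-05", "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for host, image, verdict in scan(SAMPLE_EVENTS):
        print(f"{host}: {verdict}: {image}")
```

Because the sample does not clear event logs or delete shadow volume copies, detections keyed to those actions would not fire, which is why the check keys on the image path instead.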

Around the Block With Buran and the RIG Exploit Kit

In April 2019, researchers at ESET detected an earlier version of Buran called Vega being distributed via the Yandex.Direct online advertising network. An examination of the campaign uncovered by Bleeping Computer suggests that the threat actors made a few small changes but kept Vega’s encryption routine the same in Buran.

RIG has also been busy recently. For example, researchers at Malwarebytes observed RIG spreading malware that was responsible for launching distributed denial-of-service (DDoS) attacks against Electrum bitcoin wallet servers. About a year prior, FireEye discovered that the exploit kit was distributing Grobios, a Trojan that came preloaded with evasion and anti-sandbox tactics.

How to Defend Against Malware-Bearing Exploit Kits

Security professionals can help defend their organizations against malware-bearing exploit kits like RIG by using asset discovery to unearth shadow IT and effective software patching to protect these assets against vulnerabilities. They should also leverage anti-spam software, employee awareness training, and other tools and initiatives as part of a layered defense strategy to prevent a ransomware infection.
