A malvertising campaign is redirecting users to the RIG exploit kit, which then attempts to infect them with a new ransomware called Buran.

According to Bleeping Computer, exploit kit researcher nao_sec was among the first to spot the malvertising campaign. The operation redirects users to the RIG exploit kit, which then attempts to exploit several vulnerabilities affecting various versions of Internet Explorer. If one of those exploitation attempts is successful, the exploit kit uses a series of commands to download Buran ransomware onto the vulnerable computer.

Bleeping Computer examined a sample of Buran and found that it copied itself to and launched from %APPDATA%\microsoft\windows\ctfmon.exe upon execution. Unlike other, more recent ransomware variants, Buran doesn’t clear event logs or delete shadow volume copies to evade detection or impede recovery. Instead, it implements its encryption process and displays a ransom note to the victim once it’s finished.

Around the Block With Buran and the RIG Exploit Kit

In April 2019, researchers at ESET detected an earlier version of Buran called Vega being distributed via the Yandex.Direct online advertising network. In examining the campaign uncovered by Bleeping Computer, it appears that threat actors made a few small changes but kept Vega’s encryption routine the same in Buran.

RIG has also been busy recently. For example, researchers at Malwarebytes observed RIG spreading malware that was responsible for launching distributed denial-of-service (DDoS) attacks against Electrum bitcoin wallet servers. About a year prior, FireEye discovered that the exploit kit was distributing Grobios, a Trojan that came preloaded with evasion and anti-sandbox tactics.

How to Defend Against Malware-Bearing Exploit Kits

Security professionals can help defend their organizations against malware-bearing exploit kits like RIG by using asset discovery to unearth shadow IT and effective software patching to protect these assets against vulnerabilities. They should also leverage anti-spam software, employee awareness training, and other tools and initiatives as part of a layered defense strategy to prevent a ransomware infection.

More from

Data Privacy: How the Growing Field of Regulations Impacts Businesses

The proposed rules over artificial intelligence (AI) in the European Union (EU) are a harbinger of things to come. Data privacy laws are becoming more complex and growing in number and relevance. So, businesses that seek to become — and stay — compliant must find a solution that can do more than just respond to current challenges. Take a look at upcoming trends when it comes to data privacy regulations and how to follow them. Today's AI Solutions On April…

Why Zero Trust Works When Everything Else Doesn’t

The zero trust security model is proving to be one of the most effective cybersecurity approaches ever conceived. Zero trust — also called zero trust architecture (ZTA), zero trust network architecture (ZTNA) and perimeter-less security — takes a "default deny" security posture. All people and devices must prove explicit permission to use each network resource each time they use that resource. Using microsegmentation and least privileged access principles, zero trust not only prevents breaches but also stymies lateral movement should a breach…

5 Golden Rules of Threat Hunting

When a breach is uncovered, the operational cadence includes threat detection, quarantine and termination. While all stages can occur within the first hour of discovery, in some cases, that's already too late.Security operations center (SOC) teams monitor and hunt new threats continuously. To ward off the most advanced threats, security teams proactively hunt for ones that evade the dashboards of their security solutions.However, advanced threat actors have learned to blend in with their target's environment, remaining unnoticed for prolonged periods. Based…

Third-Party App Stores Could Be a Red Flag for iOS Security

Even Apple can’t escape change forever. The famously restrictive company will allow third-party app stores for iOS devices, along with allowing users to “sideload” software directly. Spurring the move is the European Union’s (EU) Digital Markets Act (DMA), which looks to ensure open markets by reducing the ability of digital “gatekeepers” to restrict content on devices. While this is good news for app creators and end-users, there is a potential red flag: security. Here’s what the compliance-driven change means for…