June 10, 2019 By David Bisson

A malvertising campaign is redirecting users to the RIG exploit kit, which then attempts to infect them with a new ransomware called Buran.

According to Bleeping Computer, exploit kit researcher nao_sec was among the first to spot the malvertising campaign. The operation redirects users to the RIG exploit kit, which then attempts to exploit several vulnerabilities affecting various versions of Internet Explorer. If one of those exploitation attempts is successful, the exploit kit uses a series of commands to download Buran ransomware onto the vulnerable computer.

Bleeping Computer examined a sample of Buran and found that it copied itself to and launched from %APPDATA%\microsoft\windows\ctfmon.exe upon execution. Unlike other, more recent ransomware variants, Buran doesn’t clear event logs or delete shadow volume copies to evade detection or impede recovery. Instead, it implements its encryption process and displays a ransom note to the victim once it’s finished.
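The launch path reported above lends itself to a simple process-creation check. The following is an added example, not code from the article or from Bleeping Computer: it flags any ctfmon.exe that runs outside the Windows system directories and singles out the %APPDATA%\microsoft\windows\ location. The event field names (host, user, image), the sample events and the assumption that Windows is installed in C:\Windows are all constructed for illustration.

```python
import ntpath
import re

# Assumption: default install layout; the genuine ctfmon.exe runs from these directories.
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Path from the article, with %APPDATA% expanded to a per-user Roaming profile.
BURAN_PATH = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows\\ctfmon\.exe$"
)
UNEXPANDED = r"%appdata%\microsoft\windows\ctfmon.exe"


def normalize(image):
    """Lower-case, unify separators and collapse '..' so path tricks do not evade matching."""
    return ntpath.normpath(image.strip().strip('"')).lower()


def classify(image):
    """Return 'buran-path', 'masquerade' or None for a process image path."""
    path = normalize(image)
    if ntpath.basename(path) != "ctfmon.exe":
        return None
    if BURAN_PATH.match(path) or path == UNEXPANDED:
        return "buran-path"      # exact location described in the article
    if ntpath.dirname(path) in LEGIT_DIRS:
        return None              # expected system binary location
    return "masquerade"          # system binary name in an unexpected directory


def scan(events):
    """Return (host, user, verdict) for every suspicious process-creation event."""
    findings = []
    for event in events:
        verdict = classify(event["image"])
        if verdict:
            findings.append((event["host"], event["user"], verdict))
    return findings


# Constructed sample events (hypothetical hosts and users).
SAMPLE_EVENTS = [
    {"host": "ws-01", "user": "alice", "image": r"C:\Windows\System32\ctfmon.exe"},
    {"host": "ws-02", "user": "bob", "image": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\ctfmon.exe"},
    {"host": "ws-03", "user": "carol", "image": r"C:\Windows\System32\..\Temp\CTFMON.EXE"},
    {"host": "ws-04", "user": "dave", "image": r"C:\Program Files\App\app.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

A file name and path match is only a triage signal; confirm any hit by checking the binary's signature and hash before acting on it.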

Around the Block With Buran and the RIG Exploit Kit

In April 2019, researchers at ESET detected an earlier version of Buran called Vega being distributed via the Yandex.Direct online advertising network. An examination of the campaign uncovered by Bleeping Computer suggests that the threat actors made a few small changes but kept Vega’s encryption routine the same in Buran.

RIG has also been busy recently. For example, researchers at Malwarebytes observed RIG spreading malware that was responsible for launching distributed denial-of-service (DDoS) attacks against Electrum bitcoin wallet servers. About a year prior, FireEye discovered that the exploit kit was distributing Grobios, a Trojan that came preloaded with evasion and anti-sandbox tactics.

How to Defend Against Malware-Bearing Exploit Kits

Security professionals can help defend their organizations against malware-bearing exploit kits like RIG by using asset discovery to unearth shadow IT and effective software patching to protect these assets against vulnerabilities. They should also leverage anti-spam software, employee awareness training, and other tools and initiatives as part of a layered defense strategy to prevent a ransomware infection.
