{
	"id": "b9816298-36ca-49b3-a8ab-afba481857ce",
	"created_at": "2026-04-06T00:06:51.328235Z",
	"updated_at": "2026-04-10T03:21:04.597578Z",
	"deleted_at": null,
	"sha1_hash": "5399e33b9bef54079a74a7cb05ac30a8810ce160",
	"title": "Rig EK via Fake EVE Online website drops Bunitu.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1714602,
	"plain_text": "Rig EK via Fake EVE Online website drops Bunitu.\r\nPublished: 2017-06-07 · Archived: 2026-04-05 20:21:29 UTC\r\nSummary:\r\nThrough RoughTed I found my old Bunitu chain. This time, instead of poker or adult themes, the threat actors are using EVE Online, which is a very popular space-themed MMORPG.\r\nThe fake website contained the same redirection mechanisms as in previous Bunitu posts. That is, it redirects to a domain hosted on the same IP, and that domain then carries an iframe to Rig EK containing the “small” tag. I did not test the fake EVE website to determine if any phishing was involved.\r\nOddly, I found strings for Space Invaders within Bunitu. It will be interesting if anyone can find out why that is so.\r\nBackground Information:\r\nA few articles on Rig exploit kit and its evolution:\r\nhttps://www.uperesia.com/analyzing-rig-exploit-kit\r\nhttp://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html\r\nhttp://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html\r\nArticle on Bunitu Trojan:\r\nhttps://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/\r\nArticle on RoughTed:\r\nhttps://blog.malwarebytes.com/cybercrime/2017/05/roughted-the-anti-ad-blocker-malvertiser/\r\nDownloads\r\n(in password protected zip)\r\n07-June-2017-Rig-Bunitu-PCAP -\u003e PCAP\r\n07-June-2017-Rig-Bunitu-CSV -\u003e CSV of traffic for IOCs\r\n07-June-2017-Bunitu -\u003e Bunitu (exe and dll)\r\nDetails of infection chain:\r\nhttps://zerophagemalware.com/2017/06/07/rig-ek-via-fake-eve-online-website-drops-bunitu/\r\nPage 1 of 5\n\nRig EK via a fake EVE Online site drops Bunitu proxy trojan.\r\nFull Details:\r\nRoughTed is a malvertising operation known for its wide scope. 
See the Malwarebytes article above for a more in-depth dive.\r\nThis led to a fake EVE Online website which appears to mirror the official EVE Online site. Below is what the fake website looks like.\r\nThe website contains an iframe to a domain hosted on the same IP address.\r\nThis domain contains an iframe leading to Rig EK. As with previous Bunitu posts, this gate always contains the “small” tag.\r\nRig EK then dropped the Bunitu proxy trojan. Bunitu opens random ports by changing firewall settings and allows the host to become a remote proxy. Every time a client connects, Bunitu issues a DNS request. Although these did not trigger any ET signatures, I am sure they are initiated by Bunitu.\r\nUsually I would link a VirusTotal report or a hash, but I will update that later.\r\nThe below shows strings associated with firewall changes and the DLL that is dropped.\r\nInterestingly, I found strings for Space Invaders. I’m not sure why these are present!\r\nSource: https://zerophagemalware.com/2017/06/07/rig-ek-via-fake-eve-online-website-drops-bunitu/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://zerophagemalware.com/2017/06/07/rig-ek-via-fake-eve-online-website-drops-bunitu/"
	],
	"report_names": [
		"rig-ek-via-fake-eve-online-website-drops-bunitu"
	],
	"threat_actors": [],
	"ts_created_at": 1775434011,
	"ts_updated_at": 1775791264,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5399e33b9bef54079a74a7cb05ac30a8810ce160.pdf",
		"text": "https://archive.orkl.eu/5399e33b9bef54079a74a7cb05ac30a8810ce160.txt",
		"img": "https://archive.orkl.eu/5399e33b9bef54079a74a7cb05ac30a8810ce160.jpg"
	}
}