Rule of the Week: Bunitu Trojan

Today in the Rule of the Week section we want to highlight a new threat hunting rule from Ariel Millahuel which helps to detect samples of Bunitu Proxy Trojan: https://tdm.socprime.com/tdm/info/3evdCZVz3mCX/_WrlonIBPeJ4_8xctGPi/?p=1

Bunitu Trojan is used for turning infected systems into a proxy for remote clients. Its malicious actions can slow down the network traffic, and adversaries often use it as a tool to reroute IP addresses of infected machines and misuse them for malicious purposes. Once a computer is infected, Bunitu Trojan opens ports for the remote connections, registers compromised machine in the database sending information about its address and open ports and then accepts connections on the exposed ports.

Adversaries can use the infected system in the organization’s network in different fraudulent schemes due to the fact that the infected machine’s IP is the one visible from the outside. Bunitu Trojan operators previously often distributed it using Exploit Kits, including the notorious RIG EK, which is still alive and endangers the security of corporate networks where it is difficult to track timely patching.

Malware authors do not often make drastic changes in this Trojan, but the used packing, composed of many layers allows Bunitu Trojan to remain undetected for a long time, so using the community rule by Ariel Millahuel will help to identify the Trojan in the organization’s network in a timely manner.

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio, 

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint

MITRE ATT&CK: 

Tactics: Execution, Persistence 

Techniques: Execution through Module Load (T1129), Registry Run Keys / Startup Folder (T1060)