Today in the Rule of the Week section we want to highlight a new threat hunting rule from Ariel Millahuel which helps to detect samples of Bunitu Proxy Trojan:

Bunitu Trojan is used for turning infected systems into a proxy for remote clients. Its malicious actions can slow down the network traffic, and adversaries often use it as a tool to reroute IP addresses of infected machines and misuse them for malicious purposes. Once a computer is infected, Bunitu Trojan opens ports for the remote connections, registers compromised machine in the database sending information about its address and open ports and then accepts connections on the exposed ports.

Adversaries can use the infected system in the organization’s network in different fraudulent schemes due to the fact that the infected machine’s IP is the one visible from the outside. Bunitu Trojan operators previously often distributed it using Exploit Kits, including the notorious RIG EK, which is still alive and endangers the security of corporate networks where it is difficult to track timely patching.

Malware authors do not often make drastic changes in this Trojan, but the used packing, composed of many layers allows Bunitu Trojan to remain undetected for a long time, so using the community rule by Ariel Millahuel will help to identify the Trojan in the organization’s network in a timely manner.

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio, 

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint



Tactics: Execution, Persistence 

Techniques: Execution through Module Load (T1129), Registry Run Keys / Startup Folder (T1060)

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts

Blog, Latest Threats — 6 min read
Execution Tactic | TA0002
Daryna Olyniychuk
Blog, Latest Threats — 2 min read
PyVil RAT by Evilnum Group
Eugene Tkachenko
Blog, Latest Threats — 2 min read
Eugene Tkachenko