Blog | G5 Cyber Security

RIG EK at 92.53.127.21 Drops Dreambot

Fake ad infrastructure. The server returned RIG's pre-filter page, which contained the URL for the landing page. The User-Agent string used by the malware is Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64). Tor traffic ran over TCP ports 9001 and 443. The bot creates a registry entry in HKCUSoftware.AppData.Users[User]AppDataRoamingefsshellDeviprov.exe.

Source: https://malwarebreakdown.wordpress.com/2017/03/06/rig-ek-at-92-53-127-21-drops-dreambot/
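
The network indicators above can be correlated per host. The following is an added example, not code from the original post: it scans a constructed, simplified proxy/flow log (the log format, internal addresses and other destination IPs are assumptions) and flags hosts that show at least two of the page's indicators. TCP 443 is left out because it is too common to be a signal by itself.

```python
import re
from collections import defaultdict

# Indicators taken from the page
RIG_IP = "92.53.127.21"
DREAMBOT_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)"
TOR_PORT = 9001

# Assumed log format (constructed for this example): ts src dst dport "user-agent"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) "([^"]*)"$')

# Constructed sample data; destinations other than RIG_IP use documentation ranges
SAMPLE_LOG = """\
2017-03-06T10:00:01Z 10.0.0.5 92.53.127.21 80 "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
2017-03-06T10:01:12Z 10.0.0.5 203.0.113.10 80 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)"
2017-03-06T10:02:30Z 10.0.0.5 198.51.100.7 9001 ""
2017-03-06T10:03:00Z 10.0.0.8 198.51.100.20 443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2017-03-06T10:04:00Z 10.0.0.9 198.51.100.30 9001 ""
garbage line without fields
"""

def hunt(log_text):
    """Return {src_ip: sorted indicator names seen for that host}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        _ts, src, dst, dport, ua = m.groups()
        if dst == RIG_IP:
            hits[src].add("rig_ip")
        if ua == DREAMBOT_UA:
            hits[src].add("dreambot_ua")
        if int(dport) == TOR_PORT:
            hits[src].add("tor_9001")
    return {src: sorted(names) for src, names in hits.items()}

def likely_infected(log_text, min_indicators=2):
    """Hosts with several distinct indicators; one alone is weak evidence."""
    return sorted(s for s, n in hunt(log_text).items() if len(n) >= min_indicators)

if __name__ == "__main__":
    for host in likely_infected(SAMPLE_LOG):
        print(host, hunt(SAMPLE_LOG)[host])
```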
