Malvertising Campaign Leading to RIG Exploit Kit Dropping Ramnit Banking Trojan

On April 5th, 2017, the Twitter user  sent a message to Brad and myself about a malvertising chain using to redirect hosts to RIG exploit kit. Here is the Tweet:


I decided to investigate the traffic from his tweet and proceeded to use the php file hosted at as my referer. Here is the traffic from my run:


This tactic proved to be successful as I was redirected from the server to a RIG exploit kit landing page being hosted at the subdomain (

As you can see from the TCP stream the GET request for flow339.php returned an iframe containing a URL for a RIG exploit kit landing page. It also contained the following string at the very bottom:

If you would like to make a link or bookmark to this page, the URL is: hxxp://

More on this string later….

The host is then sent the Flash exploit and the malware payload. The malware payload was dropped and executed in %TEMP%. Below is an image of multiple malware payloads (I received numerous identical payloads as the page refreshed itself numerous times):


The malware copies itself to AppData and creates some .log files:

It also creates a .log file in ProgramData (64 characters):

We also see it modify and set some values in the registry:

Access type: "SETVAL"; Path: HKCUSoftwareAppDataLow[GUID]"; Key "Client"; Value: [GUID]

Access type: "SETVAL"; Path: "HKCUSoftwareMicrosoftWindowsCurrentVersionRun"; Key: "LbdUpnlo"; Value: "%LOCALAPPDATA%duoibyaalbdupnlo.exe"

Access type: "SETVAL"; Path: "HKCUSoftwareMicrosoftWindowsCurrentVersionRun"; Key: "UwuAwwru"; Value: "%TEMP%uwuawwru.exe"

Access type: "SETVAL"; Path: "HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogon"; Key: "Userinit"; Value: "%WINDIR%system32userinit.exe,%TEMP%uwuawwru.exe,%LOCALAPPDATA%duoibyaalbdupnlo.exe"

It also writes to a start menu file:

%APPDATA%RoamingMicrosoftWindowsStart MenuProgramsStartup

Processes from the Hybrid-Analysis report:


The various file system and registry IOCs confirmed that the malware payload was Ramnit banking Trojan.

I then decided to do some additional digging to see if I could figure out what campaign this was coming from. That is when I found an article written on March 21st, 2017, by  over at Malwarebytes Labs. The article was entitled “Canada and the U.K. hit by Ramnit Trojan in new malvertising campaign” and in the article Jérôme talked about malvertising activity originating from various adult websites.

Jérôme also mentioned that their honeypot caught Ramnit payloads coming from this malvertising campaign. An interesting note about their investigation is that they documented TDSs (Traffic Distribution System) being used in this malvertising campaign.

Below is an image from Jérôme’s post on March 21st, 2017:

Malwarebytes post from Jerome

Figure 2

You’ll notice that their Fiddler session captures the same exact string that I discussed earlier in the post. For example, you’ll see “If you would like to make a link or bookmark to this page, the URL is: hxxp://” at the bottom of the image. The traffic and payload (Ramnit) seems to match the campaign that they discovered.

BroadAnalysis had also sent me a DM with a link to an article entitled “Seamless Campaign Delivers Ramnit via Rig EK.” The article is written by Andrea Scarfo, , and Matt Foley over at the Cisco Umbrella blog. They’re calling it the “Seamless” campaign due to that word being used in the response from the gate (see Figure 1 and Figure 2). Just like with Malwarebytes they too found that this campaign was heavily targeting Canadian hosts and dropping Ramnit banking malware as its payload.

Further reconnaissance showed that there were numerous open ports on

21/TCP – Open – FTP: ProFTPD
22/TCP – Open – SSH: OpenSSH 5.3 (protocol 2.0)
25/TCP – Open – SMTP: Exim SMTPD 4.89
53/TCP –  Open – DNS
80/TCP – Open – HTTP: nginx 1.10.2
110/TCP – Open – POP3: Dovecot POP3D
143/TCP – Open – IMAP: Dovecot IMAPD
465/TCP  Open – SSL/SMTP: Exim SMTPD 4.89
587/TCP – Open – SMTP: Exim SMTPD 4.89
993/TCP – Open – SSL/IMAP: Dovecot IMAPD
995/TCP – Open – SSL/POP3: Dovecot POP3D
1500/TCP – Open – ISPmanager
3306/TCP – open – MySQL

It looks as though they’re using ISPManager to manage the web server:

ISP Manager Login

ISPManager provides a feature set for managing websites, creating users, handling domains, emails, databases, etc.

Post-Infection Traffic

Upon execution of the malware payload the host made numerous DNS queries:

Domain Address Country Germany Russian Federation United States Germany Russian Federation

The malware then used the following Port/Protocol to contact these hosts:

IP Address Port Protocol Domain Country 443 TCP Russian Federation 443 TCP United States 443 TCP Germany 443 TCP Russian Federation

These events triggered the following rules on my IDS:

  • ET TROJAN Win32/Ramnit Checkin
  • MALWARE-CNC Win.Trojan.Ramnit variant outbound detected

I then found my infected host making A LOT of ARP requests to IP addresses in its subnet. This traffic was followed by even more connection requests to host in the private address spaces via TCP port 110 (POP3). The POP3 request caused the following ET rule to trigger:

  • ET SCAN Rapid POP3 Connections – Possible Brute Force Attack

There was also another ET rule that triggered:

  • ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection

You will find the hashes for the files below, as well as the malicious artifacts which are zipped and password protected with “infected”. The malware samples can be downloaded from the Hybrid-Analysis reports.


SHA256: f5be3eb33c9b6759f3609da0240920184154907f6950e9d885bdf1fd96340e15
File name: RigEK Flash Exploit.swf

SHA256: 702d95d12d03be87d49d15714d221c7019ff48bc96a60b03e893bb55849ff272
File name: o32.tmp

SHA256: 3245c8670600513626941cca7a8ceb56acdda3905524100a2815ee8c9d358c1c
File name: ldzquze7.exe
Hybrid-Analysis Report

SHA256: c823183b49148e7e60d84142ccefc8fe16fe44bec94d5eabdbd623c65cdaff8c
File name: ldzquze7.exe (Ramnit)
Hybrid-Analysis Report

Malicious Artifacts (Flash Exploit and Landing Page)


Until next time!

Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: