Seamless Malvertising Campaign Drops Ramnit from RIG EK at

Shout-out to  for giving me the referer!


Using the referer qstoo.voluumtrk[.]com redirected my host to the Seamless gate at

[Image: redirect 1]


[Image: Seamless gate]

The Seamless gate returns a “302 Found” that points to the RIG exploit kit landing page at


The Ramnit malware payload was dropped in %Temp% and then copied to %AppData% in the folder mykemfpi:


I have received multiple payloads because I did multiple runs. All the payloads were Ramnit.


Numerous log files are written, including one that is hidden (44a0e233f.log).

[Image: AppData 2]

There is also a log file containing a 64-character alphanumeric string written to ProgramData:


Writes to a start menu file:

Registry entries:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Below is an image of the network traffic filtered in Wireshark:


You can see the DNS request for at Post-infection traffic to via TCP port 443:

[Image: post infection]

Another obvious sign of a Ramnit infection is that the host will be making an obscene amount of ARP and POP3 requests. The POP3 requests caused the following ET rule to trigger on my IDS:

  • ET SCAN Rapid POP3 Connections – Possible Brute Force Attack

There was also another ET rule that triggered:

  • ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection
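The two rules above fire on volume and fan-out rather than on any payload signature. As an added example (not code from this post or from the ET rule set), the script below runs the same two ideas over a constructed flow log: a sliding-window count of POP3 connections per source, and a count of distinct hosts touched on port 139. The log lines, the host 10.0.0.5 and the thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow log (timestamp src dst dst_port), not a real capture:
# 10.0.0.5 behaves like the infected host in the post (a burst of POP3
# connections, then port 139 probes to many neighbours); 10.0.0.9 is benign.
SAMPLE_LOG = "\n".join(
    [f"2017-05-09T14:00:{i:02d} 10.0.0.5 198.51.100.{10 + i} 110" for i in range(0, 40, 2)]
    + [f"2017-05-09T14:01:{i:02d} 10.0.0.5 10.0.0.{20 + i} 139" for i in range(12)]
    + ["2017-05-09T14:00:05 10.0.0.9 198.51.100.50 110",
       "2017-05-09T14:10:00 10.0.0.9 198.51.100.50 110"]
)

def parse_flows(text):
    """Parse 'timestamp src dst port' lines into (datetime, src, dst, port)."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows

def rapid_connections(flows, port, threshold, window_seconds=60):
    """Sources that open >= threshold connections to `port` inside any sliding
    window of window_seconds (the idea behind a 'rapid POP3 connections' rule)."""
    per_src = defaultdict(list)
    for ts, src, _dst, p in flows:
        if p == port:
            per_src[src].append(ts)
    flagged = set()
    for src, stamps in per_src.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged

def fanout_on_port(flows, port, threshold):
    """Sources that touch >= threshold distinct hosts on `port` (unusual port 139
    fan-out from one workstation is the behaviour the second rule looks for)."""
    targets = defaultdict(set)
    for _ts, src, dst, p in flows:
        if p == port:
            targets[src].add(dst)
    return {src for src, dsts in targets.items() if len(dsts) >= threshold}

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print("rapid POP3:", rapid_connections(flows, 110, threshold=10))
    print("port 139 fan-out:", fanout_on_port(flows, 139, threshold=5))
```

Tune the thresholds to your own baseline; a mail client polling one server every few minutes (the benign host here) stays well under either count.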


SHA256: 238e6aa527f414d630198ae8534555eb5994446d60a0982e0371e4bef4813f1b
File name: RIG EK landing page.txt

SHA256: 4a768366efed47b2fcda2afdfa47d4959a06de7ec30a8b2077940a4be3269ab9
File name: RIG EK Flash exploit.swf

SHA256: 721796597134733a1efcada14152d960ce52404af1f93f4ac1162f59e443e6a7
File name: opn23cus.exe
Hybrid-Analysis Report

SHA256: 6c114c8669a18aec0282d7fdf19d06ee0eb196fc9643b1072edbfe2b30a653f2
File name: opn23cus.exe
Hybrid-Analysis Report

Files (password is “infected”):

Landing Page and Flash

The malware payloads can be downloaded from either VirusTotal or the Hybrid-Analysis reports located in the Hashes section above.

Until next time!
