Seamless Campaign Leads to RIG EK at 92.222.48.83 and Drops Ramnit

malwarebreakdown on June 23, 2017

The infection vector for this Ramnit compromise was RIG exploit kit. The user was redirected to the exploit kit via a malvertising chain using the Seamless campaign. The Seamless campaign has been dropping Ramnit for awhile now. You can read more about the Seamless campaign HERE.

The referer used for this infection was the Seamless gate at 194.58.40[.]252/signup1[.]php. The response from the gate included the following iframe:

iframe

The iframe contained the URL for the RIG exploit kit landing page.

Below is an image of some network traffic being filtered in Wireshark:

traffic 1

HTTP and DNS traffic. DNS queries for remote C&C domains generated by DGA.

Payload dropped in %Temp%, as well as additional copies:

Temp

Another copy of the malware is placed in newly created subfolder located in %AppData%:

AppDat 2

Artifacts relating to the modules are found in %AppData%:

AppData 1

Additional artifact located in ProgramData:

programdata

Writes to a start menu file:

startup

Registry:

reg1 edited

HKCUSoftwareAppDataLow {guid}
HKCUSoftwareMicrosoftWindowsCurrentVersionRun
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon

Additional Network Based IOCs

Network Traffic:

  • 178.21.10.156 – bestcasinomarket.info – GET /usa
  • 194.58.40.252 – GET /signup1.php – Seamless gate
  • 92.222.48.83 – RIG EK
  • 142.4.204.195 – fkbpvfnbhfwedagussg.com – Ramnit C2 traffic via port 443
  • 62.173.141.41 – gssbjwhoose.com – Ramnit C2 traffic via port 443
C2 traffic to the valid generated domains.

Hashes:

SHA256: c18a3c9bb7dd8548b782c156a30fcb5fb642a0562c52544f4b91bbb5ea1e164e
File name: RigEK landing page.txt

SHA256: 0f0517c0a25f377b156943ee0f39630c98ce6cf23d8c163323d56131168c7f00
File name: RigEK Flash exploit.swf

SHA256: f08ddaa74bd4c5b9a4761812b713aa12697547d1da75da0ce364859239a20a1f
File name: o32.tmp

SHA256: aaf61372042ffd4c6de3d2568c293d36a24e10241773220446c40e7d2be59e56
Hybrid-Analysis Report
File name: xl4tv1do.exe

Downloads [pass is “infected”]

Landing page and Flash exploit.zip

References
  1. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32-ramnit-analysis.pdf
  2. https://www.virusbulletin.com/virusbulletin/2012/11/ramnit-bot

Published by malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

Leave a Comment

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

%d bloggers like this: