Seamless Campaign Leads to RIG EK at and Drops Ramnit

The infection vector for this Ramnit compromise was the RIG exploit kit. The user was redirected to the exploit kit via a malvertising chain using the Seamless campaign. The Seamless campaign has been dropping Ramnit for a while now. You can read more about the Seamless campaign HERE.

The referer used for this infection was the Seamless gate at 194.58.40[.]252/signup1[.]php. The response from the gate included the following iframe:


The iframe contained the URL for the RIG exploit kit landing page.

Below is an image of some network traffic being filtered in Wireshark:

[Image: traffic 1]

HTTP and DNS traffic. DNS queries for remote C&C domains generated by DGA.
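The DGA-generated C&C lookups above are the kind of DNS activity that stands out on a host even before the C2 IPs are known. The script below is an added example, not part of the original write-up, and does not implement Ramnit's actual DGA: it parses Wireshark-style DNS "Standard query" lines and scores the second-level label with simple lexical heuristics (length, Shannon entropy, consonant runs, vowel ratio) so that pseudo-random domains can be pulled out of a capture for triage. The log lines and domains are constructed for the example; the threshold values are assumptions chosen for illustration, and two-part public suffixes such as co.uk are not handled.

```python
import math
import re
from collections import Counter

# Constructed sample in the style of a Wireshark "Info" column.
# The domains are made up for this example; they are not IOCs from the write-up.
SAMPLE_DNS_LOG = """\
1  0.000000  10.0.0.15  8.8.8.8  DNS  Standard query 0x1a2b A www.example.com
2  0.120000  10.0.0.15  8.8.8.8  DNS  Standard query 0x1a2c A fxrtqbmwkzplhdvn.com
3  0.240000  10.0.0.15  8.8.8.8  DNS  Standard query 0x1a2d A cdn.microsoft.com
4  0.360000  10.0.0.15  8.8.8.8  DNS  Standard query 0x1a2e A lwqhvzjxtnpbgcfkdsmr.net
5  0.480000  10.0.0.15  8.8.8.8  DNS  Standard query 0x1a2f A mail.google.com
6  0.600000  10.0.0.15  8.8.8.8  DNS  Standard query 0x1a30 A qzpvtgxkwrdjmhnlbcfs.org
"""

QUERY_RE = re.compile(r"Standard query 0x[0-9a-f]+ (?:A|AAAA) (\S+)")
VOWELS = set("aeiou")


def extract_queries(log_text):
    """Return the queried names, in order, from A/AAAA query lines."""
    names = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            names.append(m.group(1).rstrip(".").lower())
    return names


def second_level_label(name):
    """Label directly left of the TLD, e.g. 'example' for www.example.com.
    Assumption for this example: single-label public suffixes only."""
    parts = name.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits per character; random-looking labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(s):
    """Pronounceable words rarely chain more than a few consonants."""
    run = best = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_score(label):
    """Count how many of four lexical heuristics fire (0..4).
    Thresholds are illustrative assumptions, not tuned values."""
    score = 0
    if len(label) >= 12:
        score += 1
    if shannon_entropy(label) >= 3.5:
        score += 1
    if longest_consonant_run(label) >= 5:
        score += 1
    vowel_ratio = sum(ch in VOWELS for ch in label) / max(len(label), 1)
    if vowel_ratio < 0.2:
        score += 1
    return score


def flag_dga_candidates(log_text, threshold=3):
    """Return (name, score) for every queried name at or above the threshold."""
    flagged = []
    for name in extract_queries(log_text):
        score = dga_score(second_level_label(name))
        if score >= threshold:
            flagged.append((name, score))
    return flagged


if __name__ == "__main__":
    for name, score in flag_dga_candidates(SAMPLE_DNS_LOG):
        print(f"{score}/4  {name}")
```

Lexical scoring like this is a triage aid, not a verdict: CDN and tracking hostnames can look random too, so flagged names are best confirmed against query volume (a burst of lookups for never-seen domains, many returning NXDOMAIN) and against the process that issued them.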

Payload dropped in %Temp%, as well as additional copies:


Another copy of the malware is placed in a newly created subfolder in %AppData%:

[Image: AppData 2]

Artifacts relating to the modules are found in %AppData%:

[Image: AppData 1]

Additional artifact located in ProgramData:


Writes to a start menu file:



[Image: reg1 edited]

HKCU\Software\AppDataLow\{guid}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Additional Network Based IOCs

Network Traffic:

  • – – GET /usa
  • – GET /signup1.php – Seamless gate
  • – RIG EK
  • – – Ramnit C2 traffic via port 443
  • – – Ramnit C2 traffic via port 443


SHA256: c18a3c9bb7dd8548b782c156a30fcb5fb642a0562c52544f4b91bbb5ea1e164e
File name: RigEK landing page.txt

SHA256: 0f0517c0a25f377b156943ee0f39630c98ce6cf23d8c163323d56131168c7f00
File name: RigEK Flash exploit.swf

SHA256: f08ddaa74bd4c5b9a4761812b713aa12697547d1da75da0ce364859239a20a1f
File name: o32.tmp

SHA256: aaf61372042ffd4c6de3d2568c293d36a24e10241773220446c40e7d2be59e56
Hybrid-Analysis Report
File name: xl4tv1do.exe

Downloads [pass is “infected”]

Landing page and Flash

