As I was checking logs in the SIEM console over the weekend I came across another detection for the Seamless campaign.
You can see from the HTTP logs that there are two direct IPs, 18.104.22.168 and 22.214.171.124, being used by the Seamless campaign.
Examining the URLs in the HTTP logs shows an interesting base64 encoded string:
The encoded string aHR0cDovLzE5NC41OC42MC41Mi9zaWdudXAzLnBocA decodes to hxxp://194[.]58[.]60[.]52/signup3.php. Below is the response from the server:
The page contains a meta refresh redirection for the Seamless gate.
Signup3.php returns the iframe for the RIG exploit kit landing page:
As per usual, the Seamless campaign used RIG EK to drop Ramnit.
Below is an image of the HTTP and DNS traffic associated with this infection chain:
We can see some hostnames being generated by the DGA in the DNS queries as well as some active C2s:
- hd63ueor8473y.com at 126.96.36.199
- shebkucvrunporc.com at 188.8.131.52
Following this traffic there is also a POST request to 185.156.179[.]154/jaxx/about.php:
Network Based IOCs
- 184.108.40.206 – Seamless campaign
- 220.127.116.11 – Seamless campaign
- 18.104.22.168 – RIG EK
- hd63ueor8473y.com at 22.214.171.124 – C2
- shebkucvrunporc.com at 126.96.36.199 – C2
- 188.8.131.52 – POST /jaxx.about.php
File name: RigEK landing page from 184.108.40.206.txt
File name: RigEK Flash exploit from 220.127.116.11.swf
File name: o32.tmp
File name: x84p0vkb.exe