Seamless Campaign Drops Ramnit from RIG Exploit Kit at

This infection chain started from a malvertising chain that eventually led to the Seamless campaign. Background on the Seamless campaign can be found HERE.

Below is an image of the HTTP traffic from the infection chain:

HTTP Traffic edited

The malvertising chain used various redirects to reach the RIG EK landing page. Below is an image of the first “302 Found” redirect from to

302 Found edited

That host in turn redirects to via another “302 Found”:

302 Found 2 edited

That host then redirects to via a “301 Moved Permanently”:

301 redirect

The directory at returns a landing page with some interesting JavaScript that grabs the timezone information from the host and POSTs it back to the server before the Seamless gate is revealed:


Timezone information sent back via a POST request. The server redirects the host back to

POST returns window.location.href edited

That page then redirects the host to via a meta refresh:

200 OK meta refresh edited

We then see another meta refresh pointing to the Seamless gate at 194[.]58[.]60[.]52/signup4.php:

Meta refresh to the Seamless gate edited

“aHR0cDovLzE5NC41OC42MC41Mi9zaWdudXA0LnBocA” is base64-encoded (standard alphabet, with the trailing “==” padding stripped). It decodes to hxxp://194[.]58[.]60[.]52/signup4.php

The Seamless gate returns the iframe containing the URL for the RIG EK landing page:

Seamless gate contains iframe for RigEK LP

The Seamless campaign is using RIG EK to drop Ramnit on hosts. You can view my other posts on Ramnit to see additional details about the infection.

Network Based IOCs
  • –
  • – GET /usa and /usa/ and POST /usa/
  • –
  • – GET /signup4.php
  • – RIG EK
  • – – Ramnit C2 traffic via TCP port 443

SHA256: a3c632e0cd7b13dd22a49c7ee5ce5ba7a06277aac624881ae293b125bca93796
File name: RigEK landing page from

SHA256: 5ad1784383ade7dbf6502f3fa0e5b295fc7940306c30b155cc564049c6c65dbf
File name: RigEK Flash exploit from

SHA256: 6cd6f64efc5ec6f34cc03fcf9e2973c9691c5d14ee7598d8f7644207fdf0300a
File name: 5d3i6qjf.exe


RigEK LP, Flash Exploit, Payload