I’m still seeing a lot of Seamless campaign out there. Let’s look at the HTTP requests and DNS queries from my most recent infection:
We start out with the request for /usa, which redirects to /usa/ via a 301. /usa/ returns a page containing a script that grabs the time zone information from the host. That time zone information is POSTed back to /usa/ and the server responds with the location of the next redirect at tqbeu.voluumtrk[.]com/voluum/.
tqbeu.voluumtrk[.]com/voluum/ redirects to tqbeu.redirectvoluum[.]com/redirect:
/redirect?target=BASE64aHR0cDovLzE5NC41OC40Ny4yMzUvc2lnbnVwNC5waHA decodes to hxxp://194[.]58[.]47[.]235/signup4.php.
/signup4.php returns the location of the RIG EK landing page:
The Ramnit Trojan was dropped in %Temp% and executed. The malware also created a new folder in %LocalAppData% and added itself to the startup menu.
You’ll also notice some .log files being created by Ramnit in %LocalAppData%. The .tmp and .tempcbss files located at the top of %Temp% are from AZORult. More on AZORult later.
There was also a registry value added at HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for persistence:
Lastly, there is a .log file created in ProgramData from Ramnit, which contains 64 characters:
Back to the traffic.
The Ramnit sample seems to test connectivity via connections to google.com, as seen in the traffic. Following this initial check, the sample starts a connection with 185.20.225.124 via TCP port 443; that address is what the hostname g283yr84iri4i.com resolves to.
The server responds with a 400 via HTTP over TCP port 443. Immediately following the RST/ACK between my host and 185.20.225.124 come numerous DNS queries for DGA domains, with one successful response for ypfptjsuthmaaebx.com at 62.173.141.42. Once the domain resolves we see connections to 62.173.141.42 via TCP port 443:
After the Ramnit callback traffic I found an additional GET request for AZORult located at 194[.]58[.]39[.]177/lenta3.exe. 194[.]58[.]39[.]177 is under the control of the same individuals controlling the Seamless gates.
I also found POST requests to mcgau2.bit.md-100.webhostbox[.]net/wp-content/themes/au/gate.php. Login panel for AZORult:
This is the second time I’ve had a Ramnit sample download AZORult. To read more about AZORult and that infection click HERE.
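Two pieces of the chain above are easy to automate when triaging a capture like this: decoding the Voluum `/redirect?target=BASE64...` parameter into a defanged URL, and picking the DGA-style lookups out of the DNS query burst that follows the RST/ACK. The script below is an added example written for this post, not code from the original; the `SAMPLE_DNS_LOG` lines are constructed, and the entropy/length thresholds in `looks_like_dga` are assumptions to tune against local traffic.

```python
import base64
import math
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

def decode_voluum_target(url: str) -> str:
    """Decode the 'target' parameter of a Voluum-style /redirect URL.
    The value is the literal prefix 'BASE64' plus base64 with '=' padding
    stripped, so padding is restored before decoding."""
    raw = parse_qs(urlparse(url).query)["target"][0]
    if raw.startswith("BASE64"):
        raw = raw[len("BASE64"):]
    raw += "=" * (-len(raw) % 4)
    return base64.b64decode(raw).decode("utf-8", errors="replace")

def defang(url: str) -> str:
    """Make a URL unclickable for reports: hxxp scheme, [.] in the host."""
    url = re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)
    return re.sub(r"^(hxxps?://)([^/]+)",
                  lambda m: m.group(1) + m.group(2).replace(".", "[.]"), url)

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_like_dga(domain: str, min_len: int = 12, min_entropy: float = 2.8) -> bool:
    """Cheap DGA heuristic: long, high-entropy leftmost label (thresholds are assumed)."""
    label = domain.lower().rstrip(".").split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

# Constructed DNS log lines (not from the original capture), mimicking the
# burst of lookups seen after the RST/ACK: "<time> <client> query A <name>".
SAMPLE_DNS_LOG = """\
12:01:03 10.0.0.5 query A google.com
12:01:05 10.0.0.5 query A g283yr84iri4i.com
12:01:09 10.0.0.5 query A qwlkjhnbvfdsaert.com
12:01:09 10.0.0.5 query A ypfptjsuthmaaebx.com
12:01:10 10.0.0.5 query A mcgau2.bit.md-100.webhostbox.net
"""
QUERY_RE = re.compile(r"query\s+A\s+(\S+)")

def flag_dga_queries(log_text: str) -> list:
    """Return the queried names that trip the DGA heuristic, in log order."""
    return [m.group(1) for m in QUERY_RE.finditer(log_text) if looks_like_dga(m.group(1))]

if __name__ == "__main__":
    redirect = ("http://tqbeu.redirectvoluum.com/redirect"
                "?target=BASE64aHR0cDovLzE5NC41OC40Ny4yMzUvc2lnbnVwNC5waHA")
    print(defang(decode_voluum_target(redirect)))
    print(flag_dga_queries(SAMPLE_DNS_LOG))
```

The entropy check alone will flag some legitimate long labels (CDN hostnames, for instance), so pair it with the follow-on TCP/443 connection and the odd HTTP 400 on that port before treating a hit as Ramnit C2.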
Network Based IOCs
- 194.58.38.50 – Seamless campaign
- 194.58.47.235 – Seamless campaign
- 185.158.155.60 – RIG EK
- 185.20.225.124 – g283yr84iri4i.com – Ramnit traffic via TCP port 443
- 62.173.141.42 – ypfptjsuthmaaebx.com – Ramnit traffic via TCP port 443
- 194.58.39.177 – GET /lenta3.exe
- 207.174.212.128 – mcgau2.bit.md-100.webhostbox.net POST /wp-content/themes/au/gate.php
Hashes
- SHA256: 84990edc45c7695f7486f47bf0125db3ce9570d693e1ba3b209d5ff0672d3d9c – File name: RigEK LP from 185.158.155.60.txt
- SHA256: 7f5de6e0efab47133d8959d7585b76746a4ff3122233dc5f0884c5e96fa2620a – File name: RigEK Flash exploit from 185.158.155.60.swf
- SHA256: d0aa498099e0658537e1be7ebce9886ef077134c453b3294678d1c5c7d7a3bc2 – File name: o32.tmp
- SHA256: 7a22adb1233b9d8abf298b0b1a01f420661aedcbf366f438b345aa16328d977c – File name: ecba7tie.exe – HA Report
- SHA256: 37bd7bd5bb73963f82f27c8d6c8e7bb127f81a2536f158bd0bcf78bd287359b3 – File name: lenta3.exe – HA Report
Downloads
Seamless RigEK Ramnit AZORult 081517.zip
Password is “infected”
Until next time!