Seamless Campaign Uses RIG EK to Drop Ramnit. Ramnit Drops AZORult.

I’m still seeing a lot of Seamless campaign traffic out there. Let’s look at the HTTP requests and DNS queries from my most recent infection:

[Screenshot: HTTP requests and DNS queries from the infection (edited)]

We start out with the request for /usa, which redirects to /usa/ via a 301. /usa/ returns a page containing script that grabs the time zone information from the host. That time zone information is POSTed back to /usa/ and the server responds with the location of the next redirect at tqbeu.voluumtrk[.]com/voluum/.

tqbeu.voluumtrk[.]com/voluum/ redirects to tqbeu.redirectvoluum[.]com/redirect:

[Screenshot: redirect to redirectvoluum (edited)]

/redirect?target=BASE64aHR0cDovLzE5NC41OC40Ny4yMzUvc2lnbnVwNC5waHA: the base64 portion of the target parameter decodes to hxxp://194[.]58[.]47[.]235/signup4.php.

[Screenshot: redirect to signup4.php (edited)]

/signup4.php returns the location of the RIG EK landing page:


The Ramnit Trojan was dropped in %Temp% and executed. The malware also created a new folder in %LocalAppData% and added itself to the Startup folder.

You’ll also notice some .log files being created by Ramnit in %LocalAppData%. The .tmp and .tempcbss files located at the top of %Temp% are from AZORult. More on AZORult later.

There was also a registry value added at HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for persistence:


Lastly, there is a .log file created in ProgramData from Ramnit, which contains 64 characters:

[Screenshot: the 64-character .log file in ProgramData]

Back to the traffic.

The Ramnit sample seems to test connectivity via connections to, as seen in the traffic. Following this initial check, the sample starts a connection with via TCP port 443. The hostname resolves to

[Screenshot: Ramnit connection to the server over TCP port 443]

The server responds with an HTTP 400 over TCP port 443. Immediately following the RST/ACK between my host and come numerous DNS queries for DGA domains, with one successful response from at . Once the domain resolves, we see connections to via TCP port 443:
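That pattern, a burst of NXDOMAIN answers from one host followed by a single random-looking name that does resolve, is the part of Ramnit's behaviour that is easiest to alert on from DNS logs alone. The following is an added example, not code from the original post or from any detection product: it runs a sliding-window NXDOMAIN count per client over constructed DNS log lines and reports any DGA-looking domain that resolved around the burst, together with the answer it got. The log format, the 60-second window, the threshold of five NXDOMAINs and the vowel-ratio randomness heuristic are all assumptions chosen for the example; tune them to your own resolver logs.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed DNS log: "<timestamp> <client> <query> <rcode> <answer|->".
# One host fires a run of DGA lookups, one of which resolves; another host
# just mistypes a domain once.
SAMPLE_DNS_LOG = """\
2017-09-05T10:00:00 10.0.0.5 www.bing.com NOERROR 13.107.21.200
2017-09-05T10:00:07 10.0.0.5 fkqvxmzkpwdvyj.com NXDOMAIN -
2017-09-05T10:00:07 10.0.0.5 tqpxzvmklwrnj.com NXDOMAIN -
2017-09-05T10:00:08 10.0.0.5 hzvqwmkplrtyx.com NXDOMAIN -
2017-09-05T10:00:08 10.0.0.5 kxpwvrzmqtnlj.com NXDOMAIN -
2017-09-05T10:00:09 10.0.0.5 zmqvkwrptxlnh.com NXDOMAIN -
2017-09-05T10:00:09 10.0.0.5 wpzqvmtklrxnj.com NXDOMAIN -
2017-09-05T10:00:10 10.0.0.5 vtqzkmwplrxhj.com NOERROR 203.0.113.77
2017-09-05T10:00:10 10.0.0.5 mqwzvkptlrxnh.com NXDOMAIN -
2017-09-05T10:00:15 10.0.0.6 example.org NOERROR 93.184.216.34
2017-09-05T10:00:16 10.0.0.6 typo-domian.com NXDOMAIN -
"""

VOWELS = set("aeiou")


@dataclass
class DnsRecord:
    ts: datetime
    client: str
    query: str
    rcode: str
    answer: Optional[str]


def parse_dns_log(text: str) -> list:
    """Parse the constructed five-column format into DnsRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, query, rcode, answer = line.split()
        records.append(DnsRecord(datetime.fromisoformat(ts), client,
                                 query.lower().rstrip("."), rcode,
                                 None if answer == "-" else answer))
    return records


def looks_generated(domain: str, min_len: int = 10, max_vowel_ratio: float = 0.3) -> bool:
    """Cheap randomness heuristic: a long second-level label with few vowels.

    Good enough to separate DGA names from typos in this example; a real
    deployment would add n-gram or entropy scoring and an allow-list.
    """
    labels = domain.split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    letters = [c for c in sld if c.isalpha()]
    if len(sld) < min_len or not letters:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) <= max_vowel_ratio


def detect_dga_bursts(log_text: str, window_s: int = 60, min_nxdomain: int = 5) -> list:
    """Flag clients with >= min_nxdomain NXDOMAINs inside any window_s span.

    For each flagged client, also list DGA-looking names that resolved within
    window_s of the burst: those are the likely C2 rendezvous domains.
    """
    by_client = defaultdict(list)
    for rec in parse_dns_log(log_text):
        by_client[rec.client].append(rec)

    alerts = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r.ts)
        nx = [r for r in recs if r.rcode == "NXDOMAIN"]
        # Sliding window over NXDOMAIN timestamps; remember the earliest and
        # latest failures that belonged to any qualifying window.
        start, first, last = 0, None, None
        for end in range(len(nx)):
            while (nx[end].ts - nx[start].ts).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= min_nxdomain:
                first = first or nx[start].ts
                last = nx[end].ts
        if first is None:
            continue
        lo, hi = first - timedelta(seconds=window_s), last + timedelta(seconds=window_s)
        resolved = [(r.query, r.answer) for r in recs
                    if r.rcode == "NOERROR" and lo <= r.ts <= hi and looks_generated(r.query)]
        alerts.append({"client": client,
                       "nxdomain": sum(1 for r in nx if first <= r.ts <= last),
                       "first": first, "last": last, "resolved": resolved})
    return alerts


if __name__ == "__main__":
    for alert in detect_dga_bursts(SAMPLE_DNS_LOG):
        print(alert)
```

The resolved domain and its answer IP are what you pivot on next: the post's capture shows the very next thing after the successful lookup is a TCP 443 connection to that address, so joining this alert against connection logs on the answer IP confirms the callback.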


After the Ramnit callback traffic, I found an additional GET request for AZORult at 194[.]58[.]39[.]177/lenta3.exe. is under the control of the same individuals controlling the Seamless gates.

I also found POST requests to[.]net/wp-content/themes/au/gate.php. Login panel for AZORult:


This is the second time I’ve had a Ramnit sample download AZORult. To read more about AZORult and that infection click HERE.

Network Based IOCs
  • – Seamless campaign
  • – Seamless campaign
  • – RIG EK
  • – – Ramnit traffic via TCP port 443
  • – – Ramnit traffic via TCP port 443
  • – GET /lenta3.exe
  • – POST /wp-content/themes/au/gate.php

SHA256: 84990edc45c7695f7486f47bf0125db3ce9570d693e1ba3b209d5ff0672d3d9c
File name: RigEK LP from

SHA256: 7f5de6e0efab47133d8959d7585b76746a4ff3122233dc5f0884c5e96fa2620a
File name: RigEK Flash exploit from

SHA256: d0aa498099e0658537e1be7ebce9886ef077134c453b3294678d1c5c7d7a3bc2
File name: o32.tmp

SHA256: 7a22adb1233b9d8abf298b0b1a01f420661aedcbf366f438b345aa16328d977c
File name: ecba7tie.exe
HA Report

SHA256: 37bd7bd5bb73963f82f27c8d6c8e7bb127f81a2536f158bd0bcf78bd287359b3
File name: lenta3.exe
HA Report


Seamless RigEK Ramnit AZORult
Password is “infected”

Until next time!
