I decided to go hunting for some malvertising today and got redirected to a Seamless gate, which of course redirected me to RIG EK. For those of you who don’t know about the Seamless campaign, click HERE. Also, my archived posts on the Seamless campaign can be seen HERE.
Let’s begin by peeking at the infection chain.
A domain (hidden) in an earlier part of the infection chain called out to an XML feed serving ads. The XML feed returned a 302 Found, which pointed to hanually-curcial.com/voluum/:
hanually-curcial.com/voluum/ returns a 302 Found and redirects to 31[.]31[.]199[.]191/vnc-seller:
/vnc-seller returns a 301 Moved Permanently and then gives the new location of /vnc-seller/:
/vnc-seller/ returns a page containing JavaScript that grabs the user’s time zone information:
Another look at the code:
The deobfuscated code shows they could be using Google Analytics to track infections:
The information is then POSTed back to /vnc-seller/:
The server’s response to the POST contains script that redirects the user to paremated-conproxy.com/voluum/.
paremated-conproxy.com/voluum/ returns a 200 OK:
The page contains a meta refresh pointing to the next URL in the infection chain, 15cen.redirectvoluum[.]com/redirect?target=BASE64aHR0cDovLzE5NC41OC40Ni4yNDIvbG9sMS5waHA…:
Notice that the Base64-encoded string in the URL decodes to hxxp://194[.]58[.]46[.]242/lol1.php.
The server returns a 200 OK. The page contains a meta refresh pointing to a php script located at 194[.]58[.]46[.]242/lol1.php.
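As an added example (not part of the original post), the following Python reconstructs a redirect chain like the one above from a few constructed proxy-log lines and decodes the Base64 carried in the redirector's target= parameter, handling the literal BASE64 tag and the padding lost when the URL was truncated. The log format and the helper names are assumptions made for this example.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlparse

# Constructed proxy log excerpt (not from the original capture): response status, requested URL,
# and where the response sent the client next (Location header or meta refresh).
SAMPLE_LOG = """\
302 http://hanually-curcial.com/voluum/ http://31.31.199.191/vnc-seller
301 http://31.31.199.191/vnc-seller http://31.31.199.191/vnc-seller/
200 http://paremated-conproxy.com/voluum/ http://15cen.redirectvoluum.com/redirect?target=BASE64aHR0cDovLzE5NC41OC40Ni4yNDIvbG9sMS5waHA
200 http://15cen.redirectvoluum.com/redirect?target=BASE64aHR0cDovLzE5NC41OC40Ni4yNDIvbG9sMS5waHA http://194.58.46.242/lol1.php
"""

def defang(url: str) -> str:
    """Render a URL non-clickable the way the write-up does: hxxp and [.] in the host."""
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + sep + host.replace(".", "[.]") + slash + path

def decode_embedded_target(url: str):
    """Return the URL carried in a redirector's target= parameter, or None."""
    values = parse_qs(urlparse(url).query).get("target")
    if not values:
        return None
    blob = values[0].replace(" ", "+")          # parse_qs turns a raw '+' into a space
    if blob.upper().startswith("BASE64"):       # literal tag seen on this campaign's redirector
        blob = blob[len("BASE64"):]
    blob = blob.translate(str.maketrans("-_", "+/"))  # accept the URL-safe alphabet too
    blob += "=" * (-len(blob) % 4)              # restore padding lost when the URL was cut
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if decoded.startswith(("http://", "https://")) else None

def reconstruct_chain(log_text: str) -> list:
    """One dict per hop; flags redirectors whose encoded target matches the next hop."""
    hops = []
    for line in log_text.strip().splitlines():
        status, url, next_hop = line.split()
        embedded = decode_embedded_target(url)
        hops.append({
            "status": int(status),
            "url": defang(url),
            "next": defang(next_hop),
            "embedded_target": defang(embedded) if embedded else None,
            "target_confirmed": embedded is not None and embedded == next_hop,
        })
    return hops
```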
lol1.php returns an iframe that points to the RIG EK landing page:
Because this was the Seamless campaign, RIG EK dropped Ramnit. The malware payload was dropped in %TEMP%:
It also created a copy of itself in a newly created folder in %LOCALAPPDATA%:
There is also a copy in C:\Users\[User name]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup:
Ramnit also modifies auto-execute functionality by setting/creating values in the registry:
SETVAL; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"; Key: "UfyQwfyv"; Value: "%LOCALAPPDATA%\mykemfpi\ufyqwfyv.exe"
SETVAL; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON"; Key: "USERINIT"; Value: "%WINDIR%\system32\userinit.exe,,%LOCALAPPDATA%\mykemfpi\ufyqwfyv.exe"
Looking at the DNS queries/responses reveals some domains and IPs:
Successful resolutions:
- wcbjmxitybhaxdhxxob.com – 194.87.99.160
- vwfkrykqcrfupdkfphj.com – 46.173.218.123
- pqvicocbv.com – 87.106.190.153
- elptuelny.com – 37.60.177.251
It was at this point that I decided to reboot the system.
After rebooting the system, we see more copies being created in %TEMP%:
We also see some .log files created in %APPDATA% by Ramnit:
You might have also noticed the file “css.exe” (aka gg.exe) in %LOCALAPPDATA%. Looking at the HTTP request shows that after rebooting, the infected host made a GET request for gg.exe:
The GET request:
You might have noticed that the host was instructed to use the User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1).
After execution, we can see some more files (.tmp and .tempcbss) being created in %TEMP%:
There was also a key created in HKCU\Software\AppDataLow:
And a .log file created by Ramnit in %ProgramData%:
There were also POST requests to 5.101.122.193/au/gate.php.
The login page for the AZORult panel can be seen here:
This malware payload ended up being AZORult stealer. You can learn more about AZORult stealer HERE.
Network Based IOCs
- 52.53.65.99 – hanually-curcial.com – GET /voluum/
- 31.31.199.191 – GET /vnc-seller and POST /vnc-seller/
- 52.52.18.181 – paremated-conproxy.com – GET /voluum/
- 52.9.71.23 – 15cen.redirectvoluum.com – GET /redirect
- 194.58.46.242 – GET /lol1.php
- 188.225.85.142 – RIG EK
- 194.87.99.160 (wcbjmxitybhaxdhxxob.com) – TCP port 443
- 46.173.218.123 (vwfkrykqcrfupdkfphj.com) – TCP port 443
- 87.106.190.153 (pqvicocbv.com) – TCP port 443
- 37.60.177.251 (elptuelny.com) – TCP port 443
- 181.114.240.10 – sb572f00a.fastvps-server.com – GET /gg.exe
- 5.101.122.193 – POST /au/gate.php
Hashes
SHA256: 8129e51cb9b7f47da14bd86d4b3afa049f7d5a4ac716cdecfaaf81a48837b7a2
File name: RIG EK landing page.txt
SHA256: dc65c7783f02d45b61cceff22e4f5e50ab313f8ea0e94e0cfffc7d1213ba2149
File name: RIG EK Flash exploit.swf
SHA256: dbdb563a0590c2674e23d8e1d88174bc1fb3dfed6fcda0e6a07edafb050fdab2
File name: o32.tmp
SHA256: 43ae3b68b5201d3ffddc37918f24a380a1cdf0fd5a2c06c947367b56069b0ed3
File name: bilonebilo.exe
Hybrid-Analysis Report
SHA256: db89f34921e507b8fc5ba24d2e252a33eea5a10717768817b80fb98637c55a6e
File name: gg.exe
Hybrid-Analysis Report
Downloads
Password is “infected”
Until next time!
Thanks for the write-up, very interesting.
You’re welcome, glad you liked it!