Seamless Malvertising Campaign Leads to Rig EK and Drops Ramnit. Follow-up Malware is AZORult Stealer.

I decided to go hunting for some malvertising today and got redirected to a Seamless gate, which of course redirected me to RIG EK. For those of you who don’t know about the Seamless campaign, click HERE. Also, my archived posts on the Seamless campaign can be seen HERE.

Let’s begin by peeking at the infection chain.

HTTP and DNS traffic EDITED

A domain (hidden) in an earlier part of the infection chain called out to an XML feed serving ads. The XML feed returned a 302 Found, which pointed to

3 Edited returns a 302 Found and redirects to 31[.]31[.]199[.]191/vnc-seller:

4 Edited

/vnc-seller returns a 301 Moved Permanently and then gives the new location of /vnc-seller/:


/vnc-seller/ returns a page containing JavaScript that grabs the user’s time zone information:


Another look at the code:


The deobfuscated code shows they could be using Google Analytics to track infections:

script 2

The information is then POSTed back to /vnc-seller/:

7 Edited

The server’s response to the POST contains script that redirects the user to returns a 200 OK:

8 Edited

The page contains a meta refresh pointing to the next URL in the infection chain, 15cen.redirectvoluum[.]com/redirect?target=BASE64aHR0cDovLzE5NC41OC40Ni4yNDIvbG9sMS5waHA…:

9 Edited

Notice that the Base64 encoded string in the URL decodes to hxxp://194[.]58[.]46[.]242/lol1.php.

The server returns a 200 OK. The page contains a meta refresh pointing to a php script located at 194[.]58[.]46[.]242/lol1.php.

lol1.php returns an iframe that points to the RIG EK landing page:

10 Edited

Because this was the Seamless campaign, RIG EK dropped Ramnit. The malware payload was dropped in %TEMP%:


It also created a copy of itself in a newly created folder in %LOCALAPPDATA%:


There is also a copy in C:Users[User name]AppDataRoamingMicrosoftWindowsStart MenuProgramsStartup:

Modifies auto-execute functionality by setting/creating a value in the registry:

Run key set for persistenceuserinit



Looking at the DNS queries/responses reveals some domains and IPs:


Successful resolutions:

  • –
  • –
  • –
  • –

It was at this point that I decided to reboot the system.

After rebooting the system, we see more copies being created in %TEMP%:

rebooted TEMP

We also see some .log files created in %APPDATA% by Ramnit:

LOCALAPDATA after reboot

You might have also noticed the file “css.exe” (aka gg.exe) in %LOCALAPPDATA%. Looking at the HTTP request shows that after rebooting, the infected host made a GET request for gg.exe:

post infection HTTP requests

The GET request:

GET for AZORult

You might have noticed that the host was instructed to use the User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1).

After execution, we can see some more files (.tmp and .tempcbss) being created in %TEMP%:


There was also a key created in HKCUSoftwareAppDataLow:

Client reg edited

And a .log file created by Ramnit in %ProgramData%:

.log file ProgramData after reboot

There were also POST requests to

The login for the panel for AZORult can be seen here:


This malware payload ended up being AZORult stealer. You can learn more about AZORult stealer HERE.

Network Based IOCs
  • – – GET /voluum/
  • – GET /vnc-seller and POST /vnc-seller/
  • – – GET /voluum/
  • – – GET /redirect
  • – GET /lol1.php
  • – RIG EK
  • ( – TCP port 443
  • ( – TCP port 443
  • ( – TCP port 443
  • ( – TCP port 443
  • – – GET /gg.exe
  • – POST /au/gate.php

SHA256: 8129e51cb9b7f47da14bd86d4b3afa049f7d5a4ac716cdecfaaf81a48837b7a2
File name: RIG EK landing page.txt

SHA256: dc65c7783f02d45b61cceff22e4f5e50ab313f8ea0e94e0cfffc7d1213ba2149
File name: RIG EK Flash exploit.swf

SHA256: dbdb563a0590c2674e23d8e1d88174bc1fb3dfed6fcda0e6a07edafb050fdab2
File name: o32.tmp

SHA256: 43ae3b68b5201d3ffddc37918f24a380a1cdf0fd5a2c06c947367b56069b0ed3
File name: bilonebilo.exe
Hybrid-Analysis Report

SHA256: db89f34921e507b8fc5ba24d2e252a33eea5a10717768817b80fb98637c55a6e
File name: gg.exe
Hybrid-Analysis Report


Ramnit, AZORult, etc

Password is “infected”

Until next time!

  1. Thanks for the write-up very interesting.



    1. You’re welcome, glad you liked it!



Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: