Seamless Campaign Delivers Ramnit Banking Trojan via RIG EK.

Recent threat hunting has led me to another Seamless gate that used RIG EK to deliver the Ramnit banking Trojan. The Seamless campaign, which has been around since at least February 2017, has always favored Ramnit as its payload. The Ramnit payloads often go on to download additional malware such as the AZORult stealer.

The publisher (a website that displays adverts) that I used for this infection chain is very popular in Pakistan. In fact, Alexa ranks it within the top 50 in Pakistan and in the top 4,000 globally. Traffic estimates for the publisher show that it received an estimated 4.1 million visitors in the last 30 days.

Below is an image of the infection chain as captured in Wireshark:

[Image: HTTP redirection chain]

I created a basic flowchart to make the redirection chain easier to follow:

[Image: flowchart of the redirection chain]

The publisher’s page source:

[Image: publisher page source]

go.oclasrv.com redirected, via a 302 Moved Temporarily, to onclkds.com:

[Image: go.oclasrv.com returns 302 Found]

go.oclasrv.com and onclkds.com are used by ad network Propeller Ads Media for ad serving.

I believe onclkds.com redirected to engine.spotscenered.info. Oddly enough, I couldn’t find any useful information about engine.spotscenered.info.

engine.spotscenered.info/link.engine redirects, via a 302 Found, to engine.spotscenered.info/Redirect.eng:

[Image: engine.spotscenered.info 302 Found]

engine.spotscenered.info/Redirect.eng returned a 200 OK with the following script:

[Image: engine.spotscenered.info/Redirect.eng 200 OK with script]

This redirected to xn--15-mmc.xn--p1acf/go2/index.php, which returned a 301 Moved Permanently pointing to paremated-conproxy.com/voluum/, along with JavaScript that collects the user’s time zone information.

[Image: xn--15-mmc.xn--p1acf 301 Moved Permanently]

The user’s time zone information is supposed to be POSTed back to the server; however, no POST request was observed.

paremated-conproxy.com/voluum/ redirected to 15cen.redirectvoluum.com/redirect:

[Image: paremated-conproxy.com 200 OK]

15cen.redirectvoluum.com/redirect redirected to the Seamless gate at 194[.]58[.]58[.]121/test3.php:

[Image: 15cen.redirectvoluum.com 200 OK]

test3.php returns an iframe that redirects to the RIG EK landing page at 188.225.85.82:

[Image: Seamless gate iframe]
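The hop-by-hop chain above is the kind of thing a defender wants to pull out of proxy logs automatically. The following PowerShell is an added example, not code from the original post: it parses constructed key=value proxy records built from the hosts in this post (the "/" paths for hops whose path the post does not show, the record layout and the function names are all assumptions), rebuilds the chain in session order, and flags the two traits that stand out here: HTTP-level redirects and a hand-off to a punycode or IP-literal host.

```powershell
# Added example (not from the original post): rebuild a redirect chain from proxy-style
# log records and flag hops that look like the Seamless/RIG pattern described above.
# The records below are CONSTRUCTED from the hosts in the post; the key=value layout,
# the "/" paths for hops whose path the post does not show, and the function names are
# assumptions, not the author's data.

$constructedProxyLog = @'
host=go.oclasrv.com path=/ status=302 location=http://onclkds.com/
host=onclkds.com path=/ status=302 location=http://engine.spotscenered.info/link.engine
host=engine.spotscenered.info path=/link.engine status=302 location=http://engine.spotscenered.info/Redirect.eng
host=engine.spotscenered.info path=/Redirect.eng status=200 location=-
host=xn--15-mmc.xn--p1acf path=/go2/index.php status=301 location=http://paremated-conproxy.com/voluum/
host=paremated-conproxy.com path=/voluum/ status=200 location=-
host=15cen.redirectvoluum.com path=/redirect status=200 location=-
host=194.58.58.121 path=/test3.php status=200 location=-
host=188.225.85.82 path=/ status=200 location=-
'@

function ConvertFrom-ProxyLog {
    # Parse one "key=value key=value ..." record per line into objects.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line.Trim() -eq '') { continue }
        $fields = @{}
        foreach ($pair in ($line.Trim() -split '\s+')) {
            $key, $value = $pair -split '=', 2
            $fields[$key] = $value
        }
        [pscustomobject]@{
            Host     = $fields['host']
            Path     = $fields['path']
            Status   = [int]$fields['status']
            Location = $fields['location']
        }
    }
}

function Get-RedirectChainFindings {
    # Walk the records in order (one client session) and annotate each hop.
    param([object[]]$Records)
    $hop = 0
    $hops = @(foreach ($r in $Records) {
        $hop++
        $flags = @()
        if ($r.Host -match '^\d{1,3}(\.\d{1,3}){3}$') { $flags += 'ip-literal-host' }
        if ($r.Host -match '(^|\.)xn--')             { $flags += 'punycode-host' }
        if ($r.Status -in 301, 302, 303, 307, 308)   { $flags += 'http-redirect' }
        [pscustomobject]@{
            Hop    = $hop
            Host   = $r.Host
            Path   = $r.Path
            Status = $r.Status
            Flags  = ($flags -join ',')
        }
    })
    # Heuristic verdict: several HTTP-level redirects that end on a bare IP address is the
    # shape of the gate -> landing page hand-off seen in this post.
    $redirects = @($hops | Where-Object { $_.Flags -match 'http-redirect' }).Count
    $endsOnIp  = $hops[-1].Flags -match 'ip-literal-host'
    $verdict = if ($redirects -ge 3 -and $endsOnIp) {
        'suspicious: multi-hop redirect chain ending at an IP-literal host'
    } else {
        'no chain pattern matched'
    }
    [pscustomobject]@{ Hops = $hops; Verdict = $verdict }
}

$records = ConvertFrom-ProxyLog -Lines ($constructedProxyLog -split "`r?`n")
$result  = Get-RedirectChainFindings -Records $records
$result.Hops | Format-Table -AutoSize
$result.Verdict
```

The script-driven hops (the 200 OK responses whose redirect lives in JavaScript) are only visible as ordering in a proxy log, which is why the chain is walked per session rather than by following Location headers alone. The thresholds are deliberately loose; treat a hit as a triage lead, not a verdict.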

The payload being pushed by the Seamless campaign is Ramnit banking Trojan.

File System

The payload was dropped in %Temp% and executed:

[Image: payload dropped in %Temp%]

bilonebilo619.exe sets the registry key “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\jfghdug_ooetvtgk”.

bilonebilo619.exe then creates a copy of itself at “C:\Users\[Username]\AppData\Local\mykemfpi\ufyqwfyv.exe”:

bilonebilo619.exe then creates a startup file at “C:\Users\[Username]\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ufyqwfyv.exe”:

[Image: Startup folder entry]

bilonebilo619.exe then sets the AutoStart registry key “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UfyQwfyv”:

[Image: Run key entry]

bilonebilo619.exe then sets the AutoStart registry key “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit”:

[Image: Winlogon Userinit value]

Process “ufyqwfyv.exe” then creates another copy of itself at “C:\Users\[Username]\AppData\Local\Temp\ebqvhrfc.exe”:

[Image: second copy in %Temp%]

Process “ebqvhrfc.exe” creates the file “C:\Users\[Username]\AppData\Local\Temp\lhxocmtw.exe”:

[Image: third file in %Temp%]

Process “svchost.exe” creates a .log file at “C:\ProgramData\cdprsxjy.log”:

[Image: ProgramData log file]

Process “svchost.exe” then creates .log files in %LocalAppData%:

[Image: %LocalAppData% log files]

Process “svchost.exe” creates process “tracert.exe”, and process “tracert.exe” sets the registry key “HKCU\Software\AppDataLow\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\Client”:

[Image: AppDataLow Client registry value]
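The persistence locations listed in this section are all cheap to audit on a host. The PowerShell below is an added example, not code from the original post: a read-only check of the Winlogon Userinit value, per-user Run entries launching from AppData\Local, executables in the user's Startup folder, GUID-named keys under HKCU\Software\AppDataLow, and eight-lowercase-letter executables under %LocalAppData%. The expected Userinit default and the eight-letter naming test are assumptions drawn from this post, not a general Ramnit signature.

```powershell
# Added example (not from the original post): read-only audit of the persistence
# locations described above. Run as the user under review in an elevated shell so that
# HKLM\...\Winlogon is readable. The default Userinit value and the 8-lowercase-letter
# naming test are assumptions drawn from this post, not a general Ramnit signature.

function Get-RamnitStylePersistence {
    param(
        # Stock value on most Windows builds; adjust if your image differs (assumption).
        [string]$ExpectedUserinit = 'C:\Windows\system32\userinit.exe,'
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    $add = {
        param($Location, $Value, $Reason)
        $findings.Add([pscustomobject]@{ Location = $Location; Value = $Value; Reason = $Reason })
    }

    # 1. Winlogon\Userinit: the post shows this value being modified for AutoStart.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
    if ($userinit -and $userinit.Trim() -ne $ExpectedUserinit) {
        & $add "$winlogon\Userinit" $userinit 'Userinit differs from expected default'
    }

    # 2. Per-user Run entries that launch from AppData\Local (where the copy above lives).
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($prop in $run.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a Run entry
            if ("$($prop.Value)" -match '\\AppData\\Local\\') {
                & $add "$runKey\$($prop.Name)" "$($prop.Value)" 'Run entry launches from AppData\Local'
            }
        }
    }

    # 3. Any executable dropped into the per-user Startup folder.
    $startup = [Environment]::GetFolderPath('Startup')
    foreach ($f in Get-ChildItem -Path $startup -Filter *.exe -File -ErrorAction SilentlyContinue) {
        & $add $f.FullName "$($f.Length) bytes" 'Executable in Startup folder'
    }

    # 4. GUID-named subkeys under HKCU\Software\AppDataLow (the post shows a Client value there).
    foreach ($k in Get-ChildItem -Path 'HKCU:\Software\AppDataLow' -ErrorAction SilentlyContinue) {
        if ($k.PSChildName -match '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$') {
            & $add $k.Name ($k.GetValueNames() -join ',') 'GUID-named key under AppDataLow'
        }
    }

    # 5. Eight-lowercase-letter executables in %LocalAppData% or one level below it
    #    (covers both the <8 letters>\<8 letters>.exe copy and the Temp\<8 letters>.exe drops).
    $local = $env:LOCALAPPDATA
    foreach ($f in Get-ChildItem -Path $local -Filter *.exe -File -Recurse -Depth 1 -ErrorAction SilentlyContinue) {
        if ($f.BaseName -cmatch '^[a-z]{8}$') {
            & $add $f.FullName "$($f.Length) bytes" 'Eight-letter random-looking executable name'
        }
    }

    $findings
}

Get-RamnitStylePersistence | Format-Table -AutoSize
```

Expect benign hits in check 2 on a normal workstation (several legitimate updaters live under AppData\Local), so the output is a triage list to compare against the file names and hashes in this post rather than a detection on its own. The Userinit check is the highest-signal item: on a stock build that value should never carry a second executable.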

Network Based IOCs

Pre-infection:

  • 52.52.18.181 – paremated-conproxy.com – GET /voluum/
  • 52.9.71.23 – 15cen.redirectvoluum.com – GET /redirect
  • 194.58.58.121 – GET /test3.php – Seamless gate
  • 188.225.85.82 – IP-literal hostname used by RIG EK

Post-infection via TCP port 443:

  • 46.165.254.211 – fejbmscsuruiow.com
  • 46.165.254.211 – anyaikyaeifcprlcrof.com
  • 195.38.137.100 – edbvkjmr.com
  • 194.87.94.11 – upwdodqrmjydqcys.com
  • 87.106.190.153 – bmtnnkvm.com

TCP Connections:

Remote Address: 46.165.254.211
Remote Port: 443
Process Name: svchost.exe
Process Path: C:\Windows\system32\svchost.exe
Remote IP Country: Germany

Remote Address: 195.38.137.100
Remote Port: 443
Process Name: svchost.exe
Process Path: C:\Windows\system32\svchost.exe
Remote IP Country: Germany

Remote Address: 194.87.94.11
Remote Host Name: ptr.ruvds.com
Remote Port: 443
Process Name: svchost.exe
Process Path: C:\Windows\system32\svchost.exe
Remote IP Country: Russian Federation

Remote Address: 87.106.190.153
Remote Port: 443
Process Name: svchost.exe
Process Path: C:\Windows\system32\svchost.exe
Remote IP Country: Germany
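Every post-infection connection above is owned by svchost.exe on port 443, which is exactly the kind of thing worth triaging live on a suspect host. The PowerShell below is an added example, not code from the original post: it lists established connections on the given ports, keeps those owned by svchost.exe, and attaches triage reasons. The IOC list is taken from this post; the "-k service group" and parent-process heuristics are general triage rules for svchost, not Ramnit-specific signatures, and the function name is an assumption.

```powershell
# Added example (not from the original post): triage established outbound connections
# owned by svchost.exe against the remote addresses in this post. Requires the NetTCPIP
# module (Windows 8 / Server 2012 or later) and an elevated shell so that every owning
# process is visible. The "-k" and parent-process checks are generic svchost triage rules.

function Get-SvchostOutboundTriage {
    param(
        # Post-infection addresses listed in this post.
        [string[]]$KnownBadAddresses = @('46.165.254.211', '195.38.137.100', '194.87.94.11', '87.106.190.153'),
        [int[]]$Ports = @(443)
    )
    $established = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -in $Ports }

    foreach ($conn in $established) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        if (-not $proc -or $proc.ProcessName -ne 'svchost') { continue }

        $reasons = @()
        if ($conn.RemoteAddress -in $KnownBadAddresses) {
            $reasons += 'remote address matches post-infection IOC'
        }

        # A service-hosting svchost is started by services.exe with "-k <group>";
        # an injected or copied svchost often lacks one or both.
        $cim = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($conn.OwningProcess)" -ErrorAction SilentlyContinue
        $commandLine = '-'
        if ($cim) {
            $commandLine = "$($cim.CommandLine)"
            if ($commandLine -notmatch '\s-k\s') { $reasons += 'svchost started without a -k service group' }
            $parent = Get-Process -Id $cim.ParentProcessId -ErrorAction SilentlyContinue
            if ($parent -and $parent.ProcessName -ne 'services') {
                $reasons += "parent is $($parent.ProcessName), not services.exe"
            }
        }

        # Reverse DNS for the analyst (the post shows ptr.ruvds.com for 194.87.94.11).
        $ptr = try { [System.Net.Dns]::GetHostEntry($conn.RemoteAddress).HostName } catch { '-' }

        [pscustomobject]@{
            RemoteAddress = $conn.RemoteAddress
            RemotePort    = $conn.RemotePort
            ReverseName   = $ptr
            ProcessId     = $conn.OwningProcess
            CommandLine   = $commandLine
            Reasons       = ($reasons -join '; ')
        }
    }
}

# Show only connections that collected at least one triage reason.
Get-SvchostOutboundTriage | Where-Object { $_.Reasons } | Format-Table -AutoSize
```

Run it without the final Where-Object filter to see every svchost.exe connection, which is useful for spotting addresses that are not on the IOC list but share the same pattern (raw IP on 443, no service group on the command line). Reverse lookups go out to DNS, so on an isolated host drop the ReverseName field or run it against a passive DNS source instead.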

DNS queries and responses:

[Image: DNS queries and responses]

Hashes

SHA256: 57438a61471d4da3550c8235dffd6836979057f0467e17d38887b1ad5b6c375d
File name: RigEK landing page.txt

SHA256: d0156d98de96e278938329e026c6992510e5931d13c7d36b3845e605c553661b
File name: RigEK Flash exploit.swf

SHA256: b793211fd7238fa5402a0bcdfb5a486dc31fd13b9bd58697ceb8328ab2cf6164
File name: bilonebilo619.exe
Hybrid-Analysis Report

Downloads

Malicious Artifacts 100417
Password is “infected”

References

A very detailed look at Ramnit:

  1. https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/