Note: I took a bit of break, but I will try to get back to posting more regularly.
Today’s infection chain is a familiar one as it includes the Seamless campaign delivering Ramnit banking Trojan via RIG exploit kit. Below is an image of the infection chain, specifically the HTTP requests:
The infection chain starts off with a normal site and some ad traffic. The HTTP request for ad traffic redirects to an XML feed serving ads. The XML feed returned a 302 Found, pointing to hxxp://flinsheer-perreene[.]com/voluum/:
We then see a series of 3XX redirects:
- hxxp://flinsheer-perreene[.]com/voluum/ -> hxxp://194[.]58[.]38[.]57/usa via a 302 Found
- hxxp://194[.]58[.]38[.]57/usa -> /usa/ via a 301 Moved Permanently
Further breakdown of the code can be seen HERE.
Typically, it would be at this point that unwanted connections would be filtered out and redirected to a benign site, however I didn’t run any further test for verification.
The server returns a 200 OK and points to the next step in the redirection chain via window.location.href=hxxp://flinsheer-perreene[.]com/voluum/cebddddb-0f28-4087-99c3-690fa79f4804??track=48tmsGdksmgj383P=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The response to that request is shown below:
We see a meta refresh, redirecting to hxxp://kcsmj[.]redirectvoluum[.]com:80/redirect?target=BASE64aHR0cDovLzE5NC41OC40MC4xOTMvdGVzdDIyLnBocA&ts=xxxxxxxxxxxxx&hash=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&rm=x after 0 seconds (bolded string in URI is Base64 encoded).
This redirect leads to another response containing one more meta refresh:
This meta refresh happens immediately, redirecting to hxxp://194[.]58[.]40[.]193/test22.php
test22.php returns an iframe that contains the RIG EK landing page at 18.104.22.168:
After this long redirection chain, RIG EK finally delivers Ramnit banking Trojan.
File System IOCs
The malware payload is placed in the user’s %TEMP% folder:
It also created a copy of itself in %LOCALAPPDATA%:
There is also a copy in %APPDATA%MicrosoftWindowsStart MenuProgramsStartup for persistence:
Modifies auto-execute functionality by setting/creating values in the registry:
SETVAL; Path: "HKCUSOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN"; Key: "UfyQwfyv"; Value: "%LOCALAPPDATA%mykemfpiufyqwfyv.exe" SETVAL; Path: "HKLMSOFTWAREMICROSOFTWINDOWS NTCURRENTVERSIONWINLOGON"; Key: "USERINIT"; Value: "%WINDIR%system32userinit.exe,,%LOCALAPPDATA%mykemfpiufyqwfyv.exe"
After restarting the machine there are two more copies of the malware placed in %TEMP%:
There was also a copy in %TEMP%Low:
Entry for “Client” found in HKCUSoftwareAppDataLow:
Creates various .log files in %LOCALAPPDATA% and %PROGRAMDATA%:
If you looked at the %LOCALAPPDATA% image you might have noticed another executable file called “APITEM.EXE”. This malware payload ended up being AZORult stealer and it was download by my infected host after the initial system restart.
Some .tempcbss files created by AZORult are located in %TEMP%:
Network Based IOCs
After the system restart we could also see the DNS queries for Ramnit DGA domains:
- ngbclncfxjdsmmribt.com – 22.214.171.124
- aujastmvehxqmlbb.com – 126.96.36.199
- guaevvaxrujnobfytud.com – 188.8.131.52
- kofeydncog.com – 184.108.40.206
- sxkallpiiknswi.com – 220.127.116.11
Callback traffic for Ramnit:
Below is an image of the GET request for AZORult:
Note: Further analysis of the server delivering tutu.exe shows that it’s also hosting apis.exe and 1.exe. 1.exe was identified as Teamspy (aka TVRAT, TVSPY, and SpY-Agent) and apis.exe was identified as DarkVNC (Thanks to @Antelox for identifying the payloads).
tutu.exe was downloaded using the UA string “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”, which is Internet Explorer 6 on Windows XP SP2.
AZORult was placed in %LOCALAPPDATA% and executed. Following the execution of the payload we see two POST requests:
Confirmation it is AZORult:
Main page, passwords, and reports:
These threat actors have collected information on over 600+ victims in the last couple of days.
There are options for reporting, saved passwords (browsers, FTP, Email, and IM), Bitcoin client files, Skype db files, Steam files, Desktop files and CC.
The criminals are collecting and storing victim information in .zip files, named by the date and machine ID:
Information in the .zip file includes:
- “Browsers” folder
- “AutoComplete” subfolder contains .txt files for Chromium, Chrome, Firefox, etc.
- “Cookies” subfolder contains similar files as the AutoComplete subfolder
These files contain the IP address and location of the compromised machine, saved passwords, system information (Machine ID, file path of the malware – .exe or .dll, Operating System information, computer name, username, CPU information, total RAM, GPU information, system processes currently running, programs currently installed), and information used by browsers.
Due to security reasons, I will not be giving out certain samples to the public.
IOCs from Infection
- 18.104.22.168 – flinsheer-perreene.com – GET /voluum/
- 22.214.171.124 – GET /usa and /usa/ – POST /usa/
- 126.96.36.199 – kcsmj.redirectvoluum.com – GET /redirect?target=BASE64
- 188.8.131.52 – GET /test22.php
- 184.108.40.206 – IP literal hostname used by RIG EK
- 220.127.116.11:443 – ngbclncfxjdsmmribt.com – Ramnit
- 18.104.22.168:443 – aujastmvehxqmlbb.com – Ramnit
- 22.214.171.124:443 – guaevvaxrujnobfytud.com – Ramnit
- 126.96.36.199:443 – kofeydncog.com – Ramnit
- 188.8.131.52:443 – sxkallpiiknswi.com – Ramnit
Bonus IOCs Collected During My Research
- 184.108.40.206:80 – GET /stats/update.php?id=283233394&stat=8f995f306c06b63c100b05fdd300f962 – ET TROJAN Win32.Spy/TVRat/Shade Ransomware Checkin
- Uses UA string “Mozilla/5.0 (Windows NT 5.1)”
- 220.127.116.11:443 – Collected from apis.exe sample
Hashes From Infection
File name: RigEK 18.104.22.168 landing page.txt
File name: RigEK 22.214.171.124 Flash exploit.swf
File name: o32.tmp
Bonus Hashes – Malware Found on Server Hosting AZORult
File name: 1.exe
File name: apis.exe
Password is “infected”
Until next time!
Additional Reference for Ramnit:
https://www.cert.pl/news/single/ramnit-doglebna-analiza/ (original source)
https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/ (English version)