RIG Exploit Kit Delivers Ramnit Banking Trojan via Seamless Malvertising Campaign

Last week I decided to play around with some sketchy sites and, not surprisingly, I found myself getting infected with malware. Let’s go over the redirection chain and then I’ll go into brief detail about the malware infection.

After browsing on the sketchy site, we see some traffic to buzzadnetworks.com:

[Image: 302 Moved Temporarily response]

Alexa shows that buzzadnetworks.com is ranked 326 globally.

The request returns a 302 Moved Temporarily, pointing to a new location at xn--b1aanbnczd5ie1bf.xn--p1ai. Punycode is being used to encode the internationalized domain name (IDN). This decodes to языковязыков.рф (using a Cyrillic country code top-level domain).

The HTTP GET request for /redirect.php?acsc=93042904 returned the following:

[Image: script returned by the Seamless campaign]

The time zone information, referer, etc., is POSTed back to the server:

[Image: POST from the Seamless campaign]

The server responds with the following:


This causes an HTTP GET request for a resource located at turself-josented.com. The server responds with the following:

[Image: redirect in the Seamless campaign]

The meta refresh redirects to a resource at redirect.turself-josented[.]com. The server responds to this GET request with the location of the Seamless gate:

[Image: redirect to the Seamless gate]

The threat actors behind the Seamless campaign have been using Punycode for the location of the gates for over a month now; in our example it was xn--b1aanbboc3ad8jee4bff.xn--p1ai. This decodes to языковязыковязы.рф. The meta refresh redirects to the gate and the server responds with an iframe to RIG EK:

[Image: server returns iframe from the Seamless gate]

[Image: Seamless gate returns iframe to RIG EK]

I’m not sure why they switched from using IP-literal hostnames to Punycode. Here is some additional information on Punycode being used by bad guys.
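To make the Punycode hops in the chain above concrete (the redirector at xn--b1aanbnczd5ie1bf.xn--p1ai and the gate at xn--b1aanbboc3ad8jee4bff.xn--p1ai), here is an added example, not code from the original post, that decodes IDN hostnames the way a proxy-log review would and flags which entries are IDNs, which scripts they use, and whether any label mixes scripts. The hostnames are the ones quoted in the write-up; the list shape and the flagging logic are assumptions.

```python
"""Decode the Punycode hostnames from the Seamless redirect chain and flag
IDN hops in a list of observed hostnames.

Added example, not code from the original post. The hostnames are the ones
quoted in the write-up; the log shape and the flagging logic are assumptions.
"""
import unicodedata

# Constructed list standing in for hostnames pulled from a proxy log: the
# redirect hops named in the write-up, with the two Punycode gates among them.
OBSERVED_HOSTS = [
    "www.buzzadnetworks.com",
    "xn--b1aanbnczd5ie1bf.xn--p1ai",       # redirector behind the 302
    "turself-josented.com",
    "redirect.turself-josented.com",
    "xn--b1aanbboc3ad8jee4bff.xn--p1ai",   # Seamless gate
]


def decode_idn(hostname):
    """Return the Unicode form of a hostname (RFC 3492 Punycode per label).
    Names without xn-- labels come back unchanged."""
    return hostname.encode("ascii").decode("idna")


def scripts_of(label):
    """Set of Unicode script names ('LATIN', 'CYRILLIC', ...) for the letters
    in one label, taken from the first word of each character's Unicode name."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def analyse_host(hostname):
    """Decode one hostname and summarise what an analyst wants to know:
    whether it is an IDN, which scripts it uses, and whether any single
    label mixes scripts (the classic homograph warning sign)."""
    decoded = decode_idn(hostname)
    labels = decoded.split(".")
    return {
        "host": hostname,
        "decoded": decoded,
        "is_idn": any(l.lower().startswith("xn--") for l in hostname.split(".")),
        "scripts": set().union(*(scripts_of(l) for l in labels)),
        "mixed_script_label": any(len(scripts_of(l)) > 1 for l in labels),
        # Re-encoding must give the wire form back; a mismatch means the
        # label was not canonical Punycode and deserves a closer look.
        "round_trips": decoded.encode("idna").decode("ascii") == hostname.lower(),
    }


def idn_hosts(hostnames):
    """Return the analyses of only the IDN entries, for the report."""
    return [analyse_host(h) for h in hostnames if analyse_host(h)["is_idn"]]


if __name__ == "__main__":
    for r in idn_hosts(OBSERVED_HOSTS):
        print(f"{r['host']} -> {r['decoded']} scripts={sorted(r['scripts'])}")
```

Both gates decode to all-Cyrillic names under .рф, so the mixed-script check stays quiet here; it earns its place on lookalike domains where a Latin label hides a single Cyrillic letter. The round-trip check catches labels whose Punycode is not canonical, which IDNA-aware resolvers reject but some log tooling silently accepts.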

Not surprisingly, the Seamless campaign is still using RIG EK to deliver the Ramnit banking Trojan. Oftentimes I find that it also downloads AZORult.

File System/Registry

The Ramnit payload was downloaded to %Temp% and then detonated:


Process bilo22.exe modified the registry by setting the following:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\jfghdug_ooetvtgk = TRUE
  • Persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UfyQwfyv = %LocalAppData%\mykemfpi\ufyqwfyv.exe
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0
  • HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = 1
  • HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify = 1
  • HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify = 1
  • HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride = 1
  • HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = 1
  • HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify = 1
  • HKLM\System\CurrentControlSet\services\wscsvc\Start = 4
  • HKLM\System\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = 0
  • HKLM\System\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = 0
  • HKLM\System\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = 1
  • HKLM\System\CurrentControlSet\services\MpsSvc\Start = 4
  • HKLM\System\CurrentControlSet\services\WinDefend\Start = 4
  • HKLM\System\CurrentControlSet\services\wuauserv\Start = 4
  • Persistence: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = C:\Windows\system32\userinit.exe,,C:\Users\[removed]\AppData\Local\mykemfpi\ufyqwfyv.exe

Process bilo22.exe creates the following files:

  • Copies itself to %LocalAppData%\mykemfpi\ufyqwfyv.exe
  • Persistence: %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\ufyqwfyv.exe

After rebooting:

  • svchost.exe creates a .log file in %ProgramData%
  • svchost.exe creates numerous .log files in %LocalAppData%
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = 0
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = 1
  • tracert.exe sets registry key “HKCU\Software\AppDataLow\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\Client”
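The registry writes listed above are the detection opportunity: UAC and Security Center switched off, the firewall and security services set to Start=4, and persistence through a Run key, Userinit and the Startup folder. As an added example that is not part of the original post, the following rules flag those classes of change in a stream of registry value-set events. The event tuples are constructed to mirror the write-up (process, value path, data); a real feed would be something like Sysmon Event ID 13, which this shape only loosely resembles.

```python
"""Flag the kinds of registry changes the Ramnit sample made (UAC and
Security Center disabled, security services set to Start=4, firewall off,
Run-key/Userinit persistence) in a stream of registry value-set events.

Added example, not code from the original post. Event tuples are constructed
to mirror the write-up (process, value path, data); a real feed would be
e.g. Sysmon Event ID 13, which this shape only loosely resembles.
"""
import re

# Stock Userinit value on a clean Windows host (trailing comma stripped for comparison).
USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"
# Locations a user can write to; a Run entry pointing here is the Ramnit pattern.
USER_WRITABLE = ("%localappdata%", "%appdata%", "%temp%", "\\appdata\\", "\\programdata\\")

# (regex over the lower-cased value path, predicate over the lower-cased data, description)
RULES = [
    (r"^hklm\\software\\microsoft\\windows\\currentversion\\policies\\system\\enablelua$",
     lambda d: d == "0", "UAC disabled (EnableLUA=0)"),
    (r"^hklm\\software\\microsoft\\security center\\"
     r"((antivirus|firewall)(override|disablenotify)|(updates|uac)disablenotify)$",
     lambda d: d == "1", "Security Center override or notification suppressed"),
    (r"^hklm\\system\\currentcontrolset\\services\\(wscsvc|mpssvc|windefend|wuauserv)\\start$",
     lambda d: d == "4", "security service disabled (Start=4)"),
    (r"^hklm\\system\\currentcontrolset\\services\\sharedaccess\\parameters\\"
     r"firewallpolicy\\standardprofile\\enablefirewall$",
     lambda d: d == "0", "Windows Firewall disabled"),
    (r"^hkcu\\software\\microsoft\\windows\\currentversion\\run\\",
     lambda d: any(m in d for m in USER_WRITABLE), "Run-key persistence into a user-writable path"),
    (r"^hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon\\userinit$",
     lambda d: d.rstrip(",") != USERINIT_DEFAULT, "Winlogon Userinit chained to an extra binary"),
]


def check_event(process, value_path, data):
    """Return (process, value_path, description) for every rule the event trips."""
    path = value_path.lower()
    text = str(data).strip().lower()
    return [(process, value_path, desc)
            for pattern, is_bad, desc in RULES
            if re.search(pattern, path) and is_bad(text)]


def scan(events):
    """Run every event through the rules; findings keep the feed's order."""
    return [f for ev in events for f in check_event(*ev)]


# Constructed events: Ramnit writes taken from the write-up plus two benign ones.
SAMPLE_EVENTS = [
    ("bilo22.exe", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "0"),
    ("bilo22.exe", r"HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride", "1"),
    ("bilo22.exe", r"HKLM\System\CurrentControlSet\services\WinDefend\Start", "4"),
    ("bilo22.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UfyQwfyv",
     r"%LocalAppData%\mykemfpi\ufyqwfyv.exe"),
    ("bilo22.exe", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     r"C:\Windows\system32\userinit.exe,,C:\Users\victim\AppData\Local\mykemfpi\ufyqwfyv.exe"),
    # benign: an installer sets Windows Update to Automatic (2), not Disabled (4)
    ("msiexec.exe", r"HKLM\System\CurrentControlSet\services\wuauserv\Start", "2"),
    # benign: Internet Explorer zone housekeeping, no rule covers it
    ("explorer.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect", "1"),
]

if __name__ == "__main__":
    for proc, path, desc in scan(SAMPLE_EVENTS):
        print(f"{proc:12} {desc:55} {path}")
```

The predicates matter as much as the paths: a Start value of 2 on wuauserv or a Userinit that still equals the stock value must stay quiet, otherwise routine installers and patching flood the queue. The Userinit rule compares after stripping the trailing comma so that the one-binary default passes while Ramnit's ",,<extra exe>" form is caught.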

Network Traffic

  • – www[.]buzzadnetworks[.]com – GET /jump/next.php
  • – xn--b1aanbnczd5ie1bf.xn--p1ai – GET and POST /redirect.php
  • – turself-josented.com – GET /voluum/
  • – redirect.turself-josented.com – GET /redirect
  • – xn--b1aanbboc3ad8jee4bff.xn--p1ai – GET /gav4.php – Seamless gate
  • – RIG EK IP-literal hostname
  • DNS queries for google.com followed by HTTP requests (non-malicious)
  • TCP traffic to port 443 – awogqfbalyisqceqla.com
  • TCP traffic to port 443 – bmgjcjssu.com

Additional details on C2 traffic:

Remote Address :
Remote Host Name : unspecified.mtw.ru
Remote Port : 443
Process ID : 3716
Process Name : svchost.exe
Process Path : C:\Windows\system32\svchost.exe

Remote Address :
Remote Port : 443
Process ID : 3716
Process Name : svchost.exe
Process Path : C:\Windows\system32\svchost.exe

Image of HTTP requests and DNS queries:

[Image: HTTP requests and DNS queries]


SHA256: cc80f45b6c770ea59d8584526cc2a2b2574f78ab87b739a360750d5e470207d2
File name: RigEK landing page.txt

SHA256: 8e13de0f5fc422d6098ef03bc040e650c1cde89f8541f8acf3617ff122b64185
File name: RigEK Flash exploit.swf

SHA256: 1aa23536dc6ed14b0a49a2438ba9e9e3332bf467789c55dd2adc3b97bea236d4
File name: o32.tmp

SHA256: b77167bf6101fc2fc07ac50fa977ffff567b44daeb216a52c1a8c66d79a421d2
File name: bilo22.exe
HA Report


Malicious Artifacts.zip

Password is “infected”


  1. https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf
  2. https://www.cert.pl/news/single/ramnit-doglebna-analiza/ (original source)
  3. https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/ (English version)
