Seamless Campaign Uses RIG EK to Deliver Ramnit

Originally posted at malwarebreakdown.com


It didn’t take me long to get the redirections that I had gone hunting for. Below is an edited image of the redirection chain:

[Image: Fiddler capture of the redirection chain]

Flowchart of the redirection chain:

[Image: flowchart of the redirection chain]

One thing to note: libertex.one, which currently resolves to 31.31.196.81 (a Russian IP) and was registered on 02/07/2018, was mirrored from libertex.org with “HTTrack Website Copier” on February 8th, 2018. The IP address 31.31.196.81 has hosted other Seamless gates and is worth blocking outright.

Some other registrant information:

Registrar: Key-Systems LLC
Email: everydomaininplace@mail.ru
Name: Bjakas Raka
Organization: Maka Puka
Phone: 5553673755
Name servers: ns1.hosting.reg.ru and ns2.hosting.reg.ru

Pivoting off everydomaininplace@mail.ru shows the following domains:

Domain – Registered on
libertex.one 2/7/2018
xnhmhtksxrafnvrdh.com 11/13/2017
shmhmhfmnxvr.com 9/21/2017
dlkorrtundbuov.com 9/19/2017
udbqsimre.com 9/18/2017
bmoqgnuyxdvtnnjnf.com 9/18/2017
saqjrigpkuins.com 9/18/2017
snxplvbkwja.com 9/15/2017
gojmwuuvmp.com 9/15/2017
elptuelny.com 9/15/2017
rjwpncspruhjnpiud.com 9/13/2017
qaskdhtuinhmmfsbcsu.com 9/13/2017
bujynaslvjlmf.com 9/13/2017
ieyiujkfdlphij.com 9/13/2017
lhbkjtineroxhd.com 9/13/2017
erwijyiyasbvfey.com 9/13/2017
javtqaxboyqyxubai.com 9/13/2017
husasoekpfigun.com 9/13/2017
cswyqievc.com 9/13/2017
lamxnulcidqxk.com 9/13/2017
iwdellebhavmei.com 9/13/2017
ffdjiuvufw.com 8/31/2017

Googling these domains returns samples, from various sources, that were seen making DNS queries for them. Those queries are associated with the DGA used by Ramnit.

The next domains used by the threat actors were distan-kenques.com and redirect.distan-kenques.com, both first seen on 02/19/2018. Lastly, we see the request to Seamless gate 3, hosted at gavkingate.info. The response from the gate contains an iframe pointing to the RIG EK landing page:

[Image: gate response containing the iframe to the RIG EK landing page]

File System IOCs

The payload was downloaded to %Temp% and detonated from there:

[Image: payload delivered to %Temp%]

A copy is found in a folder under %LocalAppData%:

[Image: copy under %LocalAppData%]

.log files created in %LocalAppData%:

[Image: .log files in %LocalAppData%]

.log file created in %ProgramData%:

[Image: .log file in %ProgramData%]

It copies itself into %AppData%\Microsoft\Windows\Start Menu\Programs\Startup for persistence:

[Image: copy in the Startup folder]

Registry IOCs

[Image: HKCU client key (edited)]
[Image: HKCU Run key]
[Image: HKLM Userinit value]
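The three persistence locations listed above (the Startup folder copy, the HKCU Run entry and the HKLM Winlogon Userinit value) can be triaged from values already exported off a host, for example with reg query and a directory listing. The following is an added example and not code from the original post. The function names, the input shapes, the victim user name, the "constructed" folder and the file name dropper_copy.exe are all constructed assumptions, and the stock Userinit value is assumed to be C:\Windows\system32\userinit.exe.

```python
"""
Added example (not from the original post): triage the persistence locations
the post lists, namely the Startup folder copy, the HKCU Run entry and the
HKLM Winlogon Userinit value, from values exported off a host.  All sample
values below are constructed.
"""
import ntpath

# Stock Userinit value on a Windows install, normalised for comparison (assumption).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1")
# Directories a standard user can write to; a Run entry starting there is worth a look.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def _norm(path: str) -> str:
    """Strip quotes and whitespace, then lower-case and normalise as a Windows path."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def userinit_extra_entries(value: str) -> list:
    """Entries in the comma-separated Userinit value other than the stock userinit.exe."""
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    return [e for e in entries if _norm(e) != EXPECTED_USERINIT]


def image_path(command: str) -> str:
    """First token of a Run-key command, honouring a quoted path that contains spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def run_entries_in_user_writable_dirs(run_values: dict) -> dict:
    """Run-key entries whose image lives under AppData, Temp, ProgramData or Public."""
    return {name: cmd for name, cmd in run_values.items()
            if any(m in _norm(image_path(cmd)) for m in USER_WRITABLE_MARKERS)}


def executables_in_startup(filenames) -> list:
    """The Startup folder normally holds .lnk shortcuts; a bare executable is unusual."""
    return sorted(f for f in filenames if f.lower().endswith(EXECUTABLE_EXTS))


def triage_persistence(userinit: str, run_values: dict, startup_files) -> list:
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    for entry in userinit_extra_entries(userinit):
        findings.append(f"HKLM Winlogon Userinit has extra entry: {entry}")
    for name, cmd in run_entries_in_user_writable_dirs(run_values).items():
        findings.append(f"HKCU Run '{name}' runs from a user-writable path: {cmd}")
    for name in executables_in_startup(startup_files):
        findings.append(f"Startup folder contains executable: {name}")
    return findings


# Constructed sample values, shaped like the artifacts described in the post.
SAMPLE_USERINIT = r"C:\Windows\system32\userinit.exe,C:\Users\victim\AppData\Local\constructed\dropper_copy.exe,"
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "constructed_name": r"C:\Users\victim\AppData\Local\constructed\dropper_copy.exe",
}
SAMPLE_STARTUP = ["desktop.ini", "Send to OneNote.lnk", "dropper_copy.exe"]

if __name__ == "__main__":
    for finding in triage_persistence(SAMPLE_USERINIT, SAMPLE_RUN, SAMPLE_STARTUP):
        print(finding)
```

The user-writable-path check is a triage signal, not a verdict: the constructed OneDrive entry is flagged alongside the dropper copy because legitimate per-user installs live under AppData too. Follow a hit up with a hash or signature check (the post gives the SHA256 of b4.exe) before acting on it; the Userinit and Startup-folder findings are far less ambiguous.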

Network IOCs

HTTP Traffic:

31.31.196.81 – libertex.one – GET and POST /index.php
52.9.239.9 – distan-kenques.com – GET /voluum/
13.57.167.218 – redirect.distan-kenques.com – GET /redirect
31.31.196.248 – gavkingate.info – GET /gav3.php – Seamless gate
188.225.82.251 – IP literal hostname used by RIG EK

DNS Queries:

hshshshsussiiwuwyw.com (194.87.92.204)
ghnsonrgujyymhvvg.com (208.100.26.251)
usrfyjueaneumqx.com (217.20.116.145)
swwqmpjpvdbxsjos.com (217.20.116.145)
gjvublwgk.com (87.106.190.153)
toersratxvnjtsaqdp.com (194.87.97.26)
ejnpulri.com (89.185.44.100)
rikbrsqoyjjpb.com
chceoqemftwldiucf.com
uwyarxuxharsm.com
sxavjnfrwwrq.com
fpbagtcbmcdcyeu.com
eakrbfndtxvub.com
qdxbgtalumvj.com
cakmbyctbvnnadmly.com
ahghbjoutgpituoybn.com
bnibihajibsrqvycxv.com
xeanmjcieuxgr.com
ufylrewmo.com
tykjmixnmdpcukb.com
wqxufotucvawktbqx.com

TCP Connections:

194.87.92.204:443
208.100.26.251:443
217.20.116.145:443
87.106.190.153:443
194.87.97.26:443
89.185.44.100:443
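The network IOCs above are easiest to act on as a small matcher run over proxy and DNS logs. The following is an added example and not code from the original post: it loads the post's host/path pairs, gate and EK IPs, DGA domains and C2 IPs, scans constructed log lines, and applies a cheap heuristic to domains that are not on the list. The log formats, timestamps, client IPs and the unlisted domain qpwxvtrbnkfhs.com are constructed; the heuristic is a triage aid of my own and deliberately not a model of Ramnit's actual DGA.

```python
"""
Added example (not code from the original post): match the post's Network
IOCs against constructed proxy and DNS log lines, and apply a cheap DGA-style
heuristic to unlisted domains.  Log formats, client IPs, timestamps and the
domain qpwxvtrbnkfhs.com are constructed.
"""
import re
from urllib.parse import urlsplit

# (host, path) pairs from the post's "HTTP Traffic" list.
HTTP_IOCS = {
    ("libertex.one", "/index.php"),
    ("distan-kenques.com", "/voluum/"),
    ("redirect.distan-kenques.com", "/redirect"),
    ("gavkingate.info", "/gav3.php"),
}
# IPs from the same list; RIG EK was reached by IP literal, so it has no hostname IOC.
IOC_IPS = {
    "31.31.196.81": "seamless-gate",
    "52.9.239.9": "seamless-gate",
    "13.57.167.218": "seamless-gate",
    "31.31.196.248": "seamless-gate",
    "188.225.82.251": "rig-ek-ip-literal",
}
# DGA domains and resolved C2 IPs from the "DNS Queries" and "TCP Connections" lists.
DGA_DOMAINS = {
    "hshshshsussiiwuwyw.com", "ghnsonrgujyymhvvg.com", "usrfyjueaneumqx.com",
    "swwqmpjpvdbxsjos.com", "gjvublwgk.com", "toersratxvnjtsaqdp.com",
    "ejnpulri.com", "rikbrsqoyjjpb.com", "chceoqemftwldiucf.com",
    "uwyarxuxharsm.com", "sxavjnfrwwrq.com", "fpbagtcbmcdcyeu.com",
    "eakrbfndtxvub.com", "qdxbgtalumvj.com", "cakmbyctbvnnadmly.com",
    "ahghbjoutgpituoybn.com", "bnibihajibsrqvycxv.com", "xeanmjcieuxgr.com",
    "ufylrewmo.com", "tykjmixnmdpcukb.com", "wqxufotucvawktbqx.com",
}
C2_IPS = {"194.87.92.204", "208.100.26.251", "217.20.116.145",
          "87.106.190.153", "194.87.97.26", "89.185.44.100"}

# Triage heuristic (an assumption, not Ramnit's algorithm): a single lowercase .com
# label of 8-20 letters containing a run of four or more consonants.  It is a hint,
# not a classifier; ejnpulri.com from the post does not trigger it.
DGA_LABEL = re.compile(r"^[a-z]{8,20}$")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{4,}")


def looks_like_dga(domain: str) -> bool:
    label, _, tld = domain.lower().rstrip(".").rpartition(".")
    return tld == "com" and bool(DGA_LABEL.match(label)) and bool(CONSONANT_RUN.search(label))


def scan_proxy_line(line: str):
    """Constructed proxy format: <timestamp> <client> <method> <url> <status>."""
    _ts, client, _method, url, _status = line.split()
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path or "/"
    if (host, path) in HTTP_IOCS:
        return {"client": client, "rule": "seamless-gate", "indicator": f"{host} {path}"}
    if host in IOC_IPS:
        return {"client": client, "rule": IOC_IPS[host], "indicator": host}
    return None


def scan_dns_line(line: str):
    """Constructed DNS format: <timestamp> <client> <qtype> <qname> <answer>."""
    _ts, client, _qtype, qname, answer = line.split()
    qname = qname.lower().rstrip(".")
    if qname in DGA_DOMAINS or answer in C2_IPS:
        return {"client": client, "rule": "ramnit-dga-ioc", "indicator": qname}
    if looks_like_dga(qname):
        return {"client": client, "rule": "dga-candidate", "indicator": qname}
    return None


def scan_logs(proxy_text: str, dns_text: str) -> list:
    """Run both scanners and return every hit, proxy hits first."""
    alerts = []
    for line in proxy_text.splitlines():
        hit = scan_proxy_line(line) if line.strip() else None
        if hit:
            alerts.append(hit)
    for line in dns_text.splitlines():
        hit = scan_dns_line(line) if line.strip() else None
        if hit:
            alerts.append(hit)
    return alerts


# Constructed log lines; the RIG EK path is a placeholder, not a real URL from the post.
SAMPLE_PROXY_LOG = """\
2018-02-21T10:00:01Z 10.0.0.5 GET http://libertex.one/index.php 200
2018-02-21T10:00:02Z 10.0.0.5 POST http://libertex.one/index.php 200
2018-02-21T10:00:03Z 10.0.0.5 GET http://distan-kenques.com/voluum/ 302
2018-02-21T10:00:04Z 10.0.0.5 GET http://gavkingate.info/gav3.php 200
2018-02-21T10:00:05Z 10.0.0.5 GET http://188.225.82.251/landing-placeholder 200
2018-02-21T10:00:06Z 10.0.0.7 GET http://www.example.com/ 200
"""
SAMPLE_DNS_LOG = """\
2018-02-21T10:01:00Z 10.0.0.5 A usrfyjueaneumqx.com 217.20.116.145
2018-02-21T10:01:01Z 10.0.0.5 A ejnpulri.com 89.185.44.100
2018-02-21T10:01:02Z 10.0.0.5 A qpwxvtrbnkfhs.com NXDOMAIN
2018-02-21T10:01:03Z 10.0.0.7 A www.example.com 192.0.2.10
"""

if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_PROXY_LOG, SAMPLE_DNS_LOG):
        print(alert)
```

The exact lists are the authoritative part; the heuristic only surfaces lookalike domains (such as the constructed qpwxvtrbnkfhs.com) for a human to check, and a burst of such queries from one client, many of them NXDOMAIN, is the pattern worth alerting on rather than any single name.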

Hashes

SHA256: f21bb91150171e23b8dfc21fb52160d28d008039fdffe9ab26b48bac7a95a782
File name: RigEK Landing Page.txt

SHA256: 3e7aa5487ab1f2dc7e811e605aa60cea072d3067ca121baa9a77074b12519d67
File name: RigEK Flash Exploit.swf

SHA256: 14ca4a614156e924d077e1bf6709cd24796a1ddc92aa1ac9c0b85103fea943bd
File name: b4.exe
Hybrid-Analysis Report

Samples

Malware.zip

Password is “infected”

References

  1. https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf
  2. https://www.cert.pl/news/single/ramnit-doglebna-analiza/ (original source)
  3. https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/ (English version)
  4. http://www.malware-traffic-analysis.net/2018/02/12/index.html
