Seamless Campaign Still Redirecting to RIG EK and Dropping Ramnit. Follow-up Malware Dropped on the System is Smoke Loader (aka Dofoil & Sharik).

IOCs

HTTP Traffic:

  • 193.124.201.22 – GET /lol3.php
  • 81.177.141.140 – need.aqadim.com – RIG EK (1st Run)
  • 81.177.141.202 – RIG EK (direct IP used instead of subdomain)
  • 118.127.42.199 – www[.]elitelockservice[.]com[.]au – GET /wp-content/themes/twentythirteen/RIG1.exe – Smoke Loader (2nd run)

DNS Queries:

  • atw82ye63ymdp.com – 188.93.211.166 (1st Run)
  • hdyejdn638ir8.com – 134.0.117.8 (2nd Run)

Smoke Loader Post-Infection DNS Queries:

  • zabugor.bit
  • zabugrom.bit

Ramnit Post-Infection Traffic via TCP port 443:

  • 188.93.211.166
  • 134.0.117.8
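To make the indicators above directly usable, here is an added example (not code from the original post) that matches the page's IPs, domains and URIs against a handful of constructed, Zeek-style DNS/HTTP/connection log lines. The log format is an assumption chosen for the example; the indicator values are the ones listed above with the defanging brackets removed. It also flags any query for a `.bit` name, since Namecoin's `.bit` pseudo-TLD cannot be resolved through ordinary DNS and a host asking for one is suspicious regardless of whether the exact name is on the list.

```python
"""IOC matcher for the Seamless -> RIG EK -> Ramnit / Smoke Loader chain.

Added example, not from the original post. The log lines below are
constructed to look like Zeek-style records; the format is an assumption.
"""
import re
from typing import List, Tuple

# Indicators taken from the post's IOC section (defanging removed).
IOC_IPS = {
    "193.124.201.22",   # redirector, GET /lol3.php
    "81.177.141.140",   # need.aqadim.com, RIG EK (1st run)
    "81.177.141.202",   # RIG EK reached by direct IP (2nd run)
    "118.127.42.199",   # www.elitelockservice.com.au, Smoke Loader download
    "188.93.211.166",   # Ramnit post-infection traffic, TCP/443
    "134.0.117.8",      # Ramnit post-infection traffic, TCP/443
}
IOC_DOMAINS = {
    "need.aqadim.com", "www.elitelockservice.com.au",
    "atw82ye63ymdp.com", "hdyejdn638ir8.com",
    "zabugor.bit", "zabugrom.bit",
}
IOC_URIS = {"/lol3.php", "/wp-content/themes/twentythirteen/RIG1.exe"}

# "<date> <time> <dns|http|conn> <src> -> <dst>[:port] [rest]"  (assumed format)
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<kind>dns|http|conn) (?P<src>\S+) -> "
    r"(?P<dst>[^: ]+)(?::(?P<port>\d+))?(?: (?P<rest>.*))?$"
)


def domain_hits(name: str) -> List[Tuple[str, str]]:
    """IOC hits for a queried or contacted hostname (exact or subdomain match)."""
    name = name.lower().rstrip(".")
    hits = []
    for d in IOC_DOMAINS:
        if name == d or name.endswith("." + d):
            hits.append(("domain", d))
            break
    # .bit is a Namecoin pseudo-TLD that public DNS cannot resolve; any query
    # for it is worth an alert even if the exact name is not on the list.
    if name.endswith(".bit"):
        hits.append(("namecoin-tld", name))
    return hits


def match_line(line: str) -> List[Tuple[str, str]]:
    """Return (category, indicator) pairs found in one log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    kind, dst, rest = m.group("kind"), m.group("dst"), m.group("rest") or ""
    hits = [("ip", dst)] if dst in IOC_IPS else []
    if kind == "dns":
        hits.extend(domain_hits(rest.partition("query=")[2]))
    elif kind == "http":
        parts = rest.split()
        uri = parts[1] if len(parts) >= 2 else ""
        if uri in IOC_URIS:
            hits.append(("uri", uri))
        host = next((p[5:] for p in parts if p.startswith("host=")), "")
        if host:
            hits.extend(h for h in domain_hits(host) if h[0] == "domain")
    return hits


def scan(lines):
    """All lines that hit at least one indicator, with their hits."""
    return [(ln, hits) for ln in lines if (hits := match_line(ln))]


def indicators_seen(lines):
    """Distinct indicator values observed across the whole log."""
    return {ind for _, hits in scan(lines) for _, ind in hits}


# Constructed sample log reproducing the chain described in the post.
SAMPLE_LOG = """\
2017-05-31 13:01:02 http 10.0.0.5 -> 193.124.201.22 GET /lol3.php host=193.124.201.22
2017-05-31 13:01:03 dns 10.0.0.5 -> 10.0.0.1 query=need.aqadim.com
2017-05-31 13:01:04 http 10.0.0.5 -> 81.177.141.140 GET / host=need.aqadim.com
2017-05-31 13:01:10 conn 10.0.0.5 -> 188.93.211.166:443
2017-05-31 13:05:00 dns 10.0.0.5 -> 10.0.0.1 query=zabugor.bit
2017-05-31 13:05:01 dns 10.0.0.5 -> 10.0.0.1 query=cdn.example.net
2017-05-31 13:05:02 http 10.0.0.5 -> 198.51.100.7 GET /index.html host=cdn.example.net
2017-05-31 13:06:00 http 10.0.0.5 -> 118.127.42.199 GET /wp-content/themes/twentythirteen/RIG1.exe host=www.elitelockservice.com.au
""".splitlines()

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(line)
        for cat, ind in hits:
            print(f"    [{cat}] {ind}")
```

The subdomain match matters for the RIG EK host: the campaign rotated subdomains of the same parent, so matching on `endswith("." + d)` catches a later `something.aqadim.com` as well as the exact name seen here.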

Filtered Traffic in Wireshark (1st run):

[Screenshot: filtered Wireshark capture from the 1st run]

Filtered Traffic in Wireshark (2nd run):

[Screenshot: filtered Wireshark capture from the 2nd run]

The 2nd run shows a follow-up GET request for Smoke Loader (RIG1.exe), and RIG EK is using direct IPs instead of subdomains. Additionally, we see more post-infection DNS requests.

Hashes:

SHA256: 9878ed700235b135c9b010aa48f682994c38bfb9db47c3f869ef6b1d74dacff2
File name: lol3.php.txt (1st run)

SHA256: 898ec464564da3252e49d17ed0ff12d48d7716b76cbd0d2025190cc6dcba5475
File name: RIG EK landing page.txt (1st run)

SHA256: 8f43aec2986d0705134b6b4af7e745ade1dd48897b95dc7e3844520fa8f9cd18
File name: RIG EK Flash exploit.swf (1st run)

SHA256: 5f877a85bdf65c2571de02fcbb1439a43624da11274ac2059008a62b8c874843
File name: o32.tmp (1st run)

SHA256: 209bfbca599b38df0eb2380ddc8faeecf400e812973f4080e047a667f31d3fcc
File name: 4ee8b428.exe (1st run)
Hybrid-Analysis Report

SHA256: d1469d212c8fd37cbaa8e492653e0719abbfdc43c1b75606785cce3b7cb45b2a
File name: r7p3r8.exe (aka RIG1.exe from my 2nd run)
Hybrid-Analysis Report

Infection Chain

As always, a shout-out and thanks go to thlnk3r for giving me the referer for this infection!

Here is what was displayed to me once I visited that URL:

[Screenshot of the displayed page]
“Ford company Hello kitty Destroyer”

I was redirected from 193.124.201[.]22/lol3.php to a RIG exploit kit landing page being hosted at need.aqadim.com (resolved to 81.177.141.140):

[Screenshot: TCP stream of the GET request and the returned RIG EK iframe]

As you can see from the TCP stream the GET request for flow335.php returned an iframe containing a URL for a RIG exploit kit landing page. However, unlike my previous Seamless campaign infections, this page didn’t contain the following string:

If you would like to make a link or bookmark to this page, the URL is: hxxp://sheldonbrown.com/web_sample1.html

The malware payloads (duplicates) were dropped in %Temp% and then copied to %AppData%:

After the malware payload is executed the computer reboots. During my second run, after the computer rebooted, my host made a GET request for www[.]elitelockservice[.]com[.]au/wp-content/themes/twentythirteen/RIG1.exe:

[Screenshot: follow-up GET request for RIG1.exe]

This executable was identified as Smoke Loader by Hybrid-Analysis and confirmed by @Antelox.

Log files are also created in %AppData%:

[Screenshot: log files created in %AppData%]

A log file containing a 64-character alphanumeric string is created in ProgramData:

[Screenshot: log file in ProgramData]

Registry:

[Screenshots: registry keys modified by the payload]

HKCU\Software\AppDataLow\[GUID]
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Writes to a start menu file:

[Screenshot: start menu file written by the payload]

I found my infected host making A LOT of ARP requests to IP addresses in its subnet. This was followed by even more connection requests to hosts in the private address space via TCP port 110 (POP3). The POP3 requests caused the following ET rule to trigger:

  • ET SCAN Rapid POP3 Connections – Possible Brute Force Attack

There was also another ET rule that triggered:

  • ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection
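Both ET rules above are behavioral: they fire on the rate and breadth of connections rather than on any single indicator. The following added example (not code from the original post, and not the ET rules' own logic) implements that idea as a sliding-window detector over constructed connection records: a source that opens at least `count` connections to one destination port within `window` seconds is flagged, and the distinct destinations it touched are collected. The threshold of 10 connections in 60 seconds is an assumption for the example, not the ET rules' actual values; the sample data contains the POP3 and port-139 sweeps the post describes plus a benign mail client polling one server, which must not be flagged.

```python
"""Sliding-window 'rapid connections to one port' detector.

Added example, not from the original post. Connection records are
constructed; the 10-in-60s threshold is an assumed default, not the
threshold used by the ET SCAN rules named in the post.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Conn:
    ts: float    # seconds (constructed values in this example)
    src: str
    dst: str
    dport: int


def detect_rapid_connections(conns, dport, count=10, window=60.0):
    """Return {src: alert} for sources making >= count connections to dport
    within any window-second span. Once a source is flagged, every later
    connection to that port is added to its destination set."""
    recent = defaultdict(deque)   # per-source connections inside the window
    alerts = {}
    for c in sorted(conns, key=lambda c: c.ts):
        if c.dport != dport:
            continue
        q = recent[c.src]
        q.append(c)
        # drop connections older than the window; q is never empty here
        while c.ts - q[0].ts > window:
            q.popleft()
        if c.src in alerts:
            alerts[c.src]["last_ts"] = c.ts
            alerts[c.src]["dsts"].add(c.dst)
        elif len(q) >= count:
            alerts[c.src] = {
                "first_ts": q[0].ts,
                "last_ts": c.ts,
                "dsts": {x.dst for x in q},
            }
    return alerts


def internal_targets(alert):
    """How many of the flagged destinations are RFC 1918 / private addresses."""
    return sum(1 for d in alert["dsts"] if ipaddress.ip_address(d).is_private)


def build_sample():
    """Constructed records: one sweeping host and one benign mail client."""
    conns = []
    # infected host probing 30 neighbours on TCP/110 within 3 seconds
    for i in range(30):
        conns.append(Conn(1000.0 + 0.1 * i, "10.0.0.5", f"10.0.0.{i + 1}", 110))
    # the same host probing the same neighbours on TCP/139
    for i in range(30):
        conns.append(Conn(2000.0 + 0.1 * i, "10.0.0.5", f"10.0.0.{i + 1}", 139))
    # benign client polling one POP3 server every 60 s for 20 minutes
    for j in range(21):
        conns.append(Conn(60.0 * j, "10.0.0.7", "10.0.0.9", 110))
    return conns


if __name__ == "__main__":
    sample = build_sample()
    for port in (110, 139):
        for src, a in detect_rapid_connections(sample, port).items():
            span = a["last_ts"] - a["first_ts"]
            print(f"{src} -> tcp/{port}: {len(a['dsts'])} destinations "
                  f"({internal_targets(a)} private) in {span:.1f}s")
```

The benign poller never accumulates more than two connections inside the 60 s window, so it stays below the threshold however long it runs; the sweep crosses it at its tenth connection and the alert then keeps growing, which is the shape of a worm-style POP3 brute-force or SMB discovery sweep rather than a client checking mail.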

Malicious Artifacts (password is “infected”):

Malicious Artifacts 053117.zip

You can download the malware payload from VirusTotal or Hybrid-Analysis.

Until next time!

malwarebreakdown
