Seamless Malvertising Campaign Drops Ramnit from RIG EK at 80.93.187.194

Shout-out to  for giving me the referer!


Using the referer qstoo.voluumtrk[.]com redirected my host to the Seamless gate at 193.124.89.196:


The Seamless gate returns a “302 Found” that points to the RIG exploit kit landing page at 80.93.187.194:

The Ramnit malware payload was dropped in %Temp% and then copied to %AppData% in the folder mykemfpi:

I have received multiple payloads because I did multiple runs. All the payloads were Ramnit.

Numerous log files are written, including one that is hidden (44a0e233f.log).

There is also a log file containing a 64 character alphanumeric string written to ProgramData:

It also writes a file to the Start Menu folder:

Registry entries:

  • HKCU\Software\AppDataLow\
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Below is an image of the network traffic filtered in Wireshark:

You can see the DNS request for hdyejdn638ir8.com, which resolves to 134.0.117.8. Post-infection traffic to 134.0.117.8 goes over TCP port 443:

Another obvious sign of a Ramnit infection is that the host makes an enormous number of ARP requests and POP3 connections. The POP3 connections caused the following ET rule to trigger on my IDS:

  • ET SCAN Rapid POP3 Connections – Possible Brute Force Attack

There was also another ET rule that triggered:

  • ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection
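As an added illustration that is not part of the original post, the Python below mirrors the logic behind the two ET SCAN alerts above: it flags a source that reaches a threshold of connections to TCP port 110 or 139 inside a sliding time window. The thresholds, the conn-record format and the sample records are assumptions constructed for this example, not the actual ET rule values or the traffic from this infection.

```python
"""Flag hosts making bursts of POP3 (110) or NetBIOS (139) connections.

Sample records and thresholds are constructed for illustration; they do not
reproduce the Emerging Threats rule parameters or the capture from the post.
"""
from collections import defaultdict, deque

# Constructed Zeek-style connection records: (epoch_ts, src_ip, dst_ip, dst_port).
# 10.0.0.5 plays the infected host: 25 POP3 connections half a second apart to
# many mail servers, plus a few port-139 probes. 10.0.0.7 is a normal mail
# client polling one server every 30 seconds.
SAMPLE_CONNS = (
    [(1000.0 + 0.5 * i, "10.0.0.5", f"198.51.100.{i + 1}", 110) for i in range(25)]
    + [(1020.0 + i, "10.0.0.5", f"10.0.0.{50 + i}", 139) for i in range(3)]
    + [(1000.0 + 30.0 * i, "10.0.0.7", "203.0.113.25", 110) for i in range(5)]
)

# Assumed detection thresholds: dst_port -> (connection_count, window_seconds).
THRESHOLDS = {110: (20, 60.0), 139: (15, 60.0)}


def rapid_connection_alerts(conns, thresholds=THRESHOLDS):
    """Return [(src_ip, dst_port, ts)] for each (src, port) pair whose
    connection count first reaches the threshold within the sliding window.

    Records may arrive unordered; they are sorted by timestamp first. One alert
    is emitted per (src, port) pair so a long-running infection does not flood
    the analyst with duplicates.
    """
    windows = defaultdict(deque)  # (src, port) -> timestamps inside the window
    alerted = set()
    alerts = []
    for ts, src, _dst, port in sorted(conns):
        if port not in thresholds:
            continue
        count, window = thresholds[port]
        key = (src, port)
        q = windows[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop timestamps that aged out
            q.popleft()
        if len(q) >= count and key not in alerted:
            alerted.add(key)
            alerts.append((src, port, ts))
    return alerts


if __name__ == "__main__":
    for src, port, ts in rapid_connection_alerts(SAMPLE_CONNS):
        print(f"{ts:.1f} rapid connections from {src} to tcp/{port}")
```

Only the infected host trips the POP3 threshold; its three port-139 probes and the normal client's slow polling stay below the assumed limits.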

Hashes:

SHA256: 238e6aa527f414d630198ae8534555eb5994446d60a0982e0371e4bef4813f1b
File name: RIG EK landing page.txt

SHA256: 4a768366efed47b2fcda2afdfa47d4959a06de7ec30a8b2077940a4be3269ab9
File name: RIG EK Flash exploit.swf

SHA256: 721796597134733a1efcada14152d960ce52404af1f93f4ac1162f59e443e6a7
File name: opn23cus.exe
Hybrid-Analysis Report

SHA256: 6c114c8669a18aec0282d7fdf19d06ee0eb196fc9643b1072edbfe2b30a653f2
File name: opn23cus.exe
Hybrid-Analysis Report

Files (password is “infected”):

Landing Page and Flash Exploit.zip

The malware payloads can be downloaded from either VirusTotal or the Hybrid-Analysis reports located in the Hashes section above.

Until next time!

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
