Seamless Campaign Leads to RIG EK at 188.225.79.43 and Drops Ramnit

As I was checking logs in the SIEM console over the weekend I came across another detection for the Seamless campaign.

Capture

You can see from the HTTP logs that there are two direct IPs, 194.58.60.51 and 194.58.60.52, being used by the Seamless campaign.

Examining the URLs in the HTTP logs shows an interesting base64 encoded string:

GET for Seamless gate edited

The encoded string aHR0cDovLzE5NC41OC42MC41Mi9zaWdudXAzLnBocA decodes to hxxp://194[.]58[.]60[.]52/signup3.php. Below is the response from the server:

response meta refresh

The page contains a meta refresh redirection for the Seamless gate.

Signup3.php returns the iframe for the RIG exploit kit landing page:

iframe for RIG LP

As per usual, the Seamless campaign used RIG EK to drop Ramnit.

Below is an image of the HTTP and DNS traffic associated with this infection chain:

Traffic 1

We can see some hostnames being generated by the DGA in the DNS queries as well as some active C2s:

  • hd63ueor8473y.com at 185.20.225.138
  • shebkucvrunporc.com at 62.173.141.43

Traffic 2

Following this traffic there is also a POST request to 185.156.179[.]154/jaxx/about.php:

callback
Callback traffic used the User Agent string Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)

%Temp%:

Temp
Malware payloads

%AppData%:

%ProgramData%:

ProgramData
Additional .log file created

Startup menu:

Registry:

Network Based IOCs
  • 194.58.60.51 – Seamless campaign
  • 194.58.60.52 – Seamless campaign
  • 188.225.79.43 – RIG EK
  • hd63ueor8473y.com at 185.20.225.138 – C2
  • shebkucvrunporc.com at 62.173.141.43 – C2
  • 185.156.179.154 – POST /jaxx.about.php
Hashes

SHA256: ce8680cdab7b38f3d0ee2d082021932cc292999544aef91a17ca147ff75cfc70
File name: RigEK landing page from 188.225.79.43.txt

SHA256: 696e2aa7afcb48f86675581a3b587b22d89a6ab37b74d2353882a2d8025c22ab
File name: RigEK Flash exploit from 188.225.79.43.swf

SHA256: 37c43726f1d97fc8f5ac9f8530e3e0826d544bd3560e3bd00863ce51bc82c8df
File name: o32.tmp

SHA256: 5e2bd3c75f3b04f496ea85e19060ab28afd1394ea9ea0d946fcebbecd463358c
File name: x84p0vkb.exe
Hybrid-Analysis Report

Downloads

Seamless campaign RigEK Ramnit 070217

References
  1. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32-ramnit-analysis.pdf
  2. https://www.virusbulletin.com/virusbulletin/2012/11/ramnit-bot

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

Leave a Comment

%d bloggers like this: