Seamless Campaign Drops Ramnit from RIG Exploit Kit at 188.225.76.204

This infection chain started from a malvertising chain that eventually led to the Seamless campaign. Background on the Seamless campaign can be found HERE.

Below is an image of the HTTP traffic from the infection chain:

[Image: HTTP traffic from the infection chain]

The malvertising chain used various redirects to reach the RIG EK landing page. Below is an image of the first “302 Found” redirect from syndication.exdynsrv.com to outedward-engrees.com:

[Image: 302 Found redirect from syndication.exdynsrv.com to outedward-engrees.com]

Outedward-engrees.com redirects to 194.58.60.51/usa via another “302 Found”:

[Image: 302 Found redirect from outedward-engrees.com to 194.58.60.51/usa]

194.58.60.51/usa redirects to 194.58.60.51/usa/ via a “301 Moved Permanently”:

[Image: 301 Moved Permanently redirect from /usa to /usa/]

The directory at 194.58.60.51/usa/ returns a landing page with some interesting JavaScript that grabs the timezone information from the host and POSTs it back to the server before the Seamless gate is disclosed:

[Image: landing page JavaScript that collects timezone information]

The timezone information is sent back via a POST request. The server's response redirects the host back to outedward-engrees.com:

[Image: POST response returning a window.location.href redirect]

Outedward-engrees.com redirects the host to len3j.redirectvoluum.com via a meta refresh:

[Image: 200 OK response with meta refresh to len3j.redirectvoluum.com]

We then see another meta refresh pointing to the Seamless gate at 194[.]58[.]60[.]52/signup4.php:

[Image: len3j.redirectvoluum.com response containing a meta refresh for 194.58.60.52]

“aHR0cDovLzE5NC41OC42MC41Mi9zaWdudXA0LnBocA” is base64 encoded. It decodes to hxxp://194[.]58[.]60[.]52/signup4.php.

The Seamless gate returns the iframe containing the URL for the RIG EK landing page:

[Image: Seamless gate response containing the iframe for the RIG EK landing page]

The Seamless campaign is using RIG EK to drop Ramnit on hosts. You can view my other posts on Ramnit to see additional details about the infection.
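As an added example, not code from the original post, the following Python replays the redirect chain walked above from captured responses: it follows 302/301 Location headers and meta-refresh targets, decodes base64 tokens embedded in redirector URLs (like the one above) to expose the gate URL, and stops on loops or uncaptured hops. The sample responses are constructed from the hops in this post; the timezone POST leg is collapsed into one meta-refresh hop and the redirector path carrying the base64 token is an assumed layout.

```python
import base64
import re
from urllib.parse import urljoin, urlparse

META_REFRESH = re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?'
                          r'\s*\d+\s*;\s*url=([^"\'>\s]+)', re.IGNORECASE)
B64_TOKEN = re.compile(r"[A-Za-z0-9_-]{16,}={0,2}")

# Constructed sample responses modelled on the chain in the post, not captured traffic: the timezone
# POST and return to outedward-engrees.com are collapsed into one meta-refresh hop, and the
# redirector path carrying the base64 token is an assumed layout.
SAMPLE_RESPONSES = {
    "http://outedward-engrees.com/": (302, {"Location": "http://194.58.60.51/usa"}, ""),
    "http://194.58.60.51/usa": (301, {"Location": "/usa/"}, ""),
    "http://194.58.60.51/usa/": (200, {}, '<meta http-equiv="refresh" content="0;URL=http://len3j.redirectvoluum.com/">'),
    "http://len3j.redirectvoluum.com/": (200, {}, '<meta http-equiv="refresh" content="0; url=/go/aHR0cDovLzE5NC41OC42MC41Mi9zaWdudXA0LnBocA">'),
}

def decode_b64_url(token):
    """Decode a possibly unpadded (URL-safe) base64 token; keep it only if it is an http(s) URL."""
    padded = token + "=" * (-len(token) % 4)
    try:
        text = base64.urlsafe_b64decode(padded).decode("ascii")
    except (ValueError, UnicodeDecodeError):   # bad padding / not base64 / not text
        return None
    return text if text.startswith(("http://", "https://")) else None

def embedded_urls(url):
    """URLs hidden as base64 tokens in the path or query of a redirector URL (the host is not scanned)."""
    parts = urlparse(url)
    return [u for u in map(decode_b64_url, B64_TOKEN.findall(parts.path + "?" + parts.query)) if u]

def next_hop(url, status, headers, body):
    """The URL the browser fetches next: Location on a 3xx, else a meta refresh target, else None."""
    if 300 <= status < 400 and headers.get("Location"):
        return urljoin(url, headers["Location"])
    m = META_REFRESH.search(body)
    return urljoin(url, m.group(1)) if m else None

def walk_chain(responses, start, max_hops=20):
    """Replay the chain as (url, status) hops; status None marks a hop that was not captured."""
    chain, seen, url = [], set(), start
    while url and url not in seen and len(chain) < max_hops:   # the seen-set stops redirect loops
        seen.add(url)
        status, headers, body = responses.get(url, (None, {}, ""))
        chain.append((url, status))
        chain.extend((hidden, "decoded-from-base64") for hidden in embedded_urls(url))
        url = next_hop(url, status, headers, body) if status else None
    return chain
```

Calling walk_chain(SAMPLE_RESPONSES, "http://outedward-engrees.com/") lists each hop with its status and ends with the gate URL recovered from the base64 token.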

Network Based IOCs
  • 54.153.21.45 – outedward-engrees.com
  • 194.58.60.51 – GET /usa and /usa/ and POST /usa/
  • 52.9.71.23 – len3j.redirectvoluum.com
  • 194.58.60.52 – GET /signup4.php
  • 188.225.76.204 – RIG EK
  • 185.118.66.106 – hye739indlir73ue.com – Ramnit C2 traffic via TCP port 443

Hashes

SHA256: a3c632e0cd7b13dd22a49c7ee5ce5ba7a06277aac624881ae293b125bca93796
File name: RigEK landing page from 188.225.76.204.txt

SHA256: 5ad1784383ade7dbf6502f3fa0e5b295fc7940306c30b155cc564049c6c65dbf
File name: RigEK Flash exploit from 188.225.76.204.swf

SHA256: 6cd6f64efc5ec6f34cc03fcf9e2973c9691c5d14ee7598d8f7644207fdf0300a
File name: 5d3i6qjf.exe

Downloads

RigEK LP, Flash Exploit, Payload
