The Seamless Campaign Drops Ramnit. Follow-up Malware: AZORult Stealer, Smoke Loader, etc.

Although there continues to be an overall decrease in EK activity I’m still seeing a decent amount of malvertising leading to EKs. One campaign that I run into a lot is Seamless. It’s like other malvertising campaigns in that much of the traffic originates from streaming video sites. These kinds of sites make good targets for threat actors as they get a lot of traffic and, more importantly, they often have poor advertising standards. The site I used for this infection chain is in Alexa’s top 900 global sites and top 800 for the United States. Further analysis reveals that the site received an estimated 13,970,000 visits over the last 30 days. That’s a lot of potential victims.

Below is a very basic flowchart of the infection chain:

Below is a breakdown of each of the events leading to the Seamless campaign and then to RIG EK.

Syndication.exdynsrv.com returns a 302 Found and points to a new location at tqbeu.voluumtrk.com. This subdomain uses Voluum’s
web analytics system to collect statistical data.

We then see a GET request for a resource located at tqbeu.voluumtrk.com. The server responds with 302 Found and points to the Seamless infrastructure at 194[.]58[.]38[.]50/usa:

194[.]58[.]38[.]50/usa redirects to 194[.]58[.]38[.]50/usa/:

JavaScript gets the time zone information from the user:

Time zone information is POSTed back to the server. The server responds with script that redirects the host back to another resource located at tqbeu.voluumtrk.com:

Traffic is being filtered at this point, with unwanted traffic being redirected to benign sites that break the infection chain.

Continuing with the infection chain we see tqbeu.voluumtrk.com redirect to tqbeu.redirectvoluum.com:

This time the URL contains some Base64 encoded data, which decodes to the Seamless gate:

The Seamless gate returns an iframe containing the location of the RIG EK landing page:

Seamless continues to drop Ramnit (qzsn3aad.exe found in %TEMP%) via RIG EK. Post-infection Ramnit traffic shows DNS queries for DGA domains:

Active C2 traffic via TCP port 443:

• 185.118.65.143 – hdyejdn638ir8.com
• 46.17.44.131 – eppixrakqeueuttiuvi.com
• 185.159.129.127 and 194.58.112.174 – tmgmgjcvt.com

After the initial malware payload dropped I decided to restart my host and noticed additional downloads for “satbin.exe” (AKA V3.exe and javasch.exe), “AU2_EXEsd.exe” and “Loader.exe” (AKA Lw321.exe), which were all located at steelskull[.]com.

Below is an image of the GET and POST requests associated with the malvertising chain, RIG EK activity, additional downloads, and the post-infection traffic:

The first GET request for additional files after I restarted my host was for satbin.exe. Running satbin.exe (AKA V3.exe and javasch.exe) generated POST requests to 103.253.27.234/teststeal/gate.php. The User-Agent used during these POST requests was “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727).” We can also see it using api.ipify.org to grab the host external IP address.

Further research shows that satbin.exe (AKA V3.exe – found in %LOCALAPPDATA% and javasch.exe – found in %APPDATA%) dropped javasch.js in %APPDATA%:

Opening javasch.js.txt in Notepad++ shows a lot of garbage, however, switching the language to JavaScript quickly reveals the real code:

Login panel:

The second GET request for additional files after I restarted my host was for AU2_EXEsd.exe, which was identified by @Antelox (thanks again!) as AZORult Stealer.

Post-infection traffic caused by AZORult shows POST requests to parking-services.us/gate.php, which currently resolves to 185.100.222.41.

Login panel:

Below is a list of capabilities offered by AZORult Stealer.

Steals saved passwords from following programs (Browsers, Email, FTP, IM):

• Google Chrome
• Google Chrome x64
• YandexBrowser
• Opera
• Mozilla Firefox
• InternetMailRu
• ComodoDragon
• Amigo
• Bromium
• Chromium
• Outlook
• Thunderbird
• Filezilla
• Pidgin
• PSI
• PSI Plus

Steals cookies from browsers and forms (form history, autofill):

• Google Chrome
• Google Chrome x64
• YandexBrowser
• Opera
• Mozilla Firefox
• InternetMailRu
• ComodoDragon
• Amigo
• Bromium
• Chromium

Bitcoin client’s files

• Collects wallet.dat files from popular bitcoin clients (bitcoin, litecoin, etc)

Skype message history

• Grabs files from chat history. Files are read with special utilities.

Desktop files grabber

• Collects files with specified extensions from Desktop. Filter by file size. Recursively searches files in folders.

List of installed programs
List of running processes
Username, computer name, OS, RAM

Images taken from forums:

AZORult sample reversed by Vitali Kremez:

http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html

The third download was for Loader.exe (AKA Lw321.exe), which was identified by Hybrid-Analysis and @Antelox as Smoke Loader. Post-infection traffic from this sample shows POST requests to zabugrom.bit/smk2/ – resolving to 109.169.89.50.

Additional Pictures of the File System After Infection

IOCs

• 52.52.15.205 – tqbeu.voluumtrk.com
• 54.183.53.133 – tqbeu.redirectvoluum.com
• 194.58.38.50 – Seamless campaign
• 194.58.58.70 – GET /signup4.php – Seamless gate
• 188.225.87.49 – RIG EK
• 185.118.65.143 – hdyejdn638ir8.com – Ramnit C2
• 46.17.44.131 – eppixrakqeueuttiuvi.com – Ramnit C2
• 185.159.129.127 and 194.58.112.174 – tmgmgjcvt.com – Ramnit C2
• 46.105.57.169 – steelskull.com – Hacked site serving up malware
• 185.100.222.41 – parking-services.us – POST /gate.php – AZORult stealer
• 103.253.27.234 – POST /teststeal/gate.php
• 109.169.89.50 – zabugrom.bit – POST /smk2/ – Smoke Loader

Hashes

SHA256: 83df67f6fcec4015d345684e31773eb3488295703de09306eadf34fe3bc0b420
File name: RIG EK landing page at 188.225.87.49.txt

SHA256: 5aa4502dc361d3d913ea5443c15e59831bc1db3b696f0d5347442744b36e957b
File name: Flash exploit from RIG EK at 188.225.87.49.swf

SHA256: e98a80523922ac53858990234332cb9ba4c74ee4d3e2c5764d4d7b1fb7f84e10
File name: o32.tmp

SHA256: 7c73071a01fd77c06e43f4500201cd2eb20991bbb4116ae47e07b6864ad0b58e
File name: qzsn3aad.exe

SHA256: babd9eb251ebebe53fda65c3d070200c1362b6d8cc619543b3d31c433d8608bb
File name: satbin.exe (AKA V3.exe and javasch.exe)

SHA256: cf3459cf29125101f5bea3f4206d8e43dbe097dd884ebf3155c49b276736f727
File name: AU2_EXEsd.exe

SHA256: 0b5d583fd8b03e642707678800199d265bfea5563dbde982479222365af01d24
File name: Loader.exe (AKA Lw321.exe)

Downloads

Password is “infected” – Malicious Artifacts.zip

Until next time!