Although there continues to be an overall decrease in EK activity I’m still seeing a decent amount of malvertising leading to EKs. One campaign that I run into a lot is Seamless. It’s like other malvertising campaigns in that much of the traffic originates from streaming video sites. These kinds of sites make good targets for threat actors as they get a lot of traffic and, more importantly, they often have poor advertising standards. The site I used for this infection chain is in Alexa’s top 900 global sites and top 800 for the United States. Further analysis reveals that the site received an estimated 13,970,000 visits over the last 30 days. That’s a lot of potential victims.
Below is a very basic flowchart of the infection chain:
Below is a breakdown of each of the events leading to the Seamless campaign and then to RIG EK.
Syndication.exdynsrv.com returns a 302 Found and points to a new location at tqbeu.voluumtrk.com. This subdomain uses Voluum’s
web analytics system to collect statistical data.
We then see a GET request for a resource located at tqbeu.voluumtrk.com. The server responds with 302 Found and points to the Seamless infrastructure at 194[.]58[.]38[.]50/usa:
194[.]58[.]38[.]50/usa redirects to 194[.]58[.]38[.]50/usa/:
Time zone information is POSTed back to the server. The server responds with script that redirects the host back to another resource located at tqbeu.voluumtrk.com:
Traffic is being filtered at this point, with unwanted traffic being redirected to benign sites that break the infection chain.
Continuing with the infection chain we see tqbeu.voluumtrk.com redirect to tqbeu.redirectvoluum.com:
This time the URL contains some Base64 encoded data, which decodes to the Seamless gate:
The Seamless gate returns an iframe containing the location of the RIG EK landing page:
Seamless continues to drop Ramnit (qzsn3aad.exe found in %TEMP%) via RIG EK. Post-infection Ramnit traffic shows DNS queries for DGA domains:
Active C2 traffic via TCP port 443:
- 184.108.40.206 – hdyejdn638ir8.com
- 220.127.116.11 – eppixrakqeueuttiuvi.com
- 18.104.22.168 and 22.214.171.124 – tmgmgjcvt.com
After the initial malware payload dropped I decided to restart my host and noticed additional downloads for “satbin.exe” (AKA V3.exe and javasch.exe), “AU2_EXEsd.exe” and “Loader.exe” (AKA Lw321.exe), which were all located at steelskull[.]com.
Below is an image of the GET and POST requests associated with the malvertising chain, RIG EK activity, additional downloads, and the post-infection traffic:
The first GET request for additional files after I restarted my host was for satbin.exe. Running satbin.exe (AKA V3.exe and javasch.exe) generated POST requests to 126.96.36.199/teststeal/gate.php. The User-Agent used during these POST requests was “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727).” We can also see it using api.ipify.org to grab the host external IP address.
Further research shows that satbin.exe (AKA V3.exe – found in %LOCALAPPDATA% and javasch.exe – found in %APPDATA%) dropped javasch.js in %APPDATA%:
The second GET request for additional files after I restarted my host was for AU2_EXEsd.exe, which was identified by @Antelox (thanks again!) as AZORult Stealer.
Post-infection traffic caused by AZORult shows POST requests to parking-services.us/gate.php, which currently resolves to 188.8.131.52.
Below is a list of capabilities offered by AZORult Stealer.
Steals saved passwords from following programs (Browsers, Email, FTP, IM):
- Google Chrome
- Google Chrome x64
- Mozilla Firefox
- PSI Plus
Steals cookies from browsers and forms (form history, autofill):
- Google Chrome
- Google Chrome x64
- Mozilla Firefox
Bitcoin client’s files
- Collects wallet.dat files from popular bitcoin clients (bitcoin, litecoin, etc)
Skype message history
- Grabs files from chat history. Files are read with special utilities.
Desktop files grabber
- Collects files with specified extensions from Desktop. Filter by file size. Recursively searches files in folders.
List of installed programs
List of running processes
Username, computer name, OS, RAM
Images taken from forums:
AZORult sample reversed by Vitali Kremez:
The third download was for Loader.exe (AKA Lw321.exe), which was identified by Hybrid-Analysis and @Antelox as Smoke Loader. Post-infection traffic from this sample shows POST requests to zabugrom.bit/smk2/ – resolving to 184.108.40.206.
Additional Pictures of the File System After Infection
- 220.127.116.11 – tqbeu.voluumtrk.com
- 18.104.22.168 – tqbeu.redirectvoluum.com
- 22.214.171.124 – Seamless campaign
- 126.96.36.199 – GET /signup4.php – Seamless gate
- 188.8.131.52 – RIG EK
- 184.108.40.206 – hdyejdn638ir8.com – Ramnit C2
- 220.127.116.11 – eppixrakqeueuttiuvi.com – Ramnit C2
- 18.104.22.168 and 22.214.171.124 – tmgmgjcvt.com – Ramnit C2
- 126.96.36.199 – steelskull.com – Hacked site serving up malware
- 188.8.131.52 – parking-services.us – POST /gate.php – AZORult stealer
- 184.108.40.206 – POST /teststeal/gate.php
- 220.127.116.11 – zabugrom.bit – POST /smk2/ – Smoke Loader
File name: RIG EK landing page at 18.104.22.168.txt
File name: Flash exploit from RIG EK at 22.214.171.124.swf
File name: o32.tmp
File name: qzsn3aad.exe
File name: satbin.exe (AKA V3.exe and javasch.exe)
File name: AU2_EXEsd.exe
File name: Loader.exe (AKA Lw321.exe)
Password is “infected” – Malicious Artifacts.zip
Until next time!