Seamless Campaign Leads to RIG EK at 188.225.35.149, Drops Digitally Signed Ramnit.

The website I used for this malvertising chain had much less traffic than the sites in my previous runs. In total it received an estimated 126,000 visitors in July 2017. According to Alexa, it is currently ranked around 200,000 globally and 44,000 in the United States.

Below is a flowchart of the infection chain:

[Image: flowchart of the infection chain]

Below are the TCP streams from the infection chain:

[Image: exoclick.com ad network]
302 Found from syndication.exoclick.com. Points to a subdomain on .voluumtrk.com.

[Image: 2nd 302]
302 Found from .voluumtrk.com. Points to 194[.]58[.]38[.]50/usa.

[Image: 301 redirect]
194[.]58[.]38[.]50/usa redirects to 194[.]58[.]38[.]50/usa/.

[Image: grabs timezone]
Grabs time zone information.

[Image: POST request - returns location.href]
POSTs the information back. Redirects back to .voluumtrk.com.

[Image: redirects from .voluumtrk.com to redirectvoluum.com]
.voluumtrk.com redirects to .redirectvoluum.com. The URL contains the Base64-encoded location of the Seamless gate.

[Image: redirect to signup4.php]
.redirectvoluum.com redirects to the Seamless gate (signup4.php).

[Image: signup4.php redirects to RigEK LP]
The gate redirects to the RIG EK landing page.
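The redirect chain above, turned into a detection pass over proxy logs. This is an added example, not code or data from the original post: the log lines are constructed from the hosts and paths described above, the exoclick `/ads` path and the RIG EK landing query string are placeholders, and the Base64 `target` value is simply the encoding of the gate URL http://194.58.47.235/signup4.php.

```python
import base64
import binascii
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log for one client; fields: method host path status location.
# Hosts and paths follow the chain in the post; the RIG EK landing query string is a placeholder.
GATE_B64 = "aHR0cDovLzE5NC41OC40Ny4yMzUvc2lnbnVwNC5waHA="  # Base64 of http://194.58.47.235/signup4.php
SAMPLE_LOG = f"""\
GET syndication.exoclick.com /ads 302 http://tqbeu.voluumtrk.com/voluum/
GET tqbeu.voluumtrk.com /voluum/ 302 http://194.58.38.50/usa
GET 194.58.38.50 /usa 301 http://194.58.38.50/usa/
GET 194.58.38.50 /usa/ 200 -
POST 194.58.38.50 /usa/ 302 http://tqbeu.voluumtrk.com/voluum/
GET tqbeu.voluumtrk.com /voluum/ 302 http://tqbeu.redirectvoluum.com/redirect?target={GATE_B64}
GET tqbeu.redirectvoluum.com /redirect?target={GATE_B64} 302 http://194.58.47.235/signup4.php
GET 194.58.47.235 /signup4.php 302 http://188.225.35.149/?PLACEHOLDER=landing
GET 188.225.35.149 /?PLACEHOLDER=landing 200 -
"""

def is_ip_literal(host):  # True when the Host header is a bare IP address, not a name
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def decode_redirect_target(path):  # Base64 'target' of /redirect?target=..., or None
    values = parse_qs(urlsplit(path).query).get("target")
    try:
        return base64.b64decode(values[0], validate=True).decode("ascii") if values else None
    except (binascii.Error, UnicodeDecodeError):
        return None

def analyze(log_text):
    """Return (rule, host, detail) findings for the Seamless / RIG EK chain."""
    findings = []
    for line in log_text.splitlines():
        _method, host, path, status, location = line.split(" ", 4)
        # Rule 1: Voluum redirector whose Base64 target decodes to the Seamless gate.
        target = decode_redirect_target(path) if host.endswith(".redirectvoluum.com") else None
        if target and urlsplit(target).path == "/signup4.php":
            findings.append(("voluum-target-is-seamless-gate", host, target))
        # Rule 2: the gate 302s the client to an IP-literal host, as RIG EK's landing page uses.
        if urlsplit(path).path == "/signup4.php" and status == "302" and is_ip_literal(urlsplit(location).hostname or ""):
            findings.append(("gate-redirects-to-ip-literal", host, location))
        # Rule 3: a 200 served straight from an IP-literal Host header.
        if is_ip_literal(host) and status == "200":
            findings.append(("content-from-ip-literal-host", host, path))
    return findings
```

Rule 3 also fires on the Seamless page at 194.58.38.50, which is expected here but will need a benign-IP allow list on real traffic.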

Seamless dropped Ramnit via RIG EK. No surprise there. However, this time I didn’t get any follow-up malware.

One thing to note is that lately I’ve been getting digitally signed Ramnit samples from this campaign:

Signers
[+] Aid Dan Limited
Status:  Valid
Issuer: thawte SHA256 Code Signing CA
Valid from: 1:00 AM 7/21/2017
Valid to: 12:59 AM 7/22/2018
Valid usage: Code Signing
Algorithm: sha256RSA
Thumbprint: 28853CF83D8B1D2F56273CD3DBE7DA1FF4007053
Serial number: 4A 61 DA 3B 53 8A 85 D1 D3 6D 8B B3 88 DF 7E 2A
[+] thawte SHA256 Code Signing CA
Status:  Valid
Issuer: thawte Primary Root CA
Valid from: 1:00 AM 12/10/2013
Valid to: 12:59 AM 12/10/2023
Valid usage: Client Auth, Code Signing
Algorithm: sha256RSA
Thumbprint: D00CFDBF46C98A838BC10DC4E097AE0152C461BC
Serial number: 71 A0 B7 36 95 DD B1 AF C2 3B 2B 9A 18 EE 54 CB
[+] thawte
Status:  Valid
Issuer: thawte Primary Root CA
Valid from: 1:00 AM 11/17/2006
Valid to: 12:59 AM 7/17/2036
Valid usage: Server Auth, Client Auth, Email Protection, Code Signing
Algorithm: sha1RSA
Thumbprint: 91C6D6EE3E8AC86384E548C299295C756C817B81
Serial number: 34 4E D5 57 20 D5 ED EC 49 F4 2F CE 37 DB 2B 6D

[Slideshow: additional images from the infection]

Network-Based IOCs
  • 52.9.196.195 – tqbeu.voluumtrk.com – GET /voluum/
  • 54.183.53.133 – tqbeu.redirectvoluum.com – GET /redirect?target=BASE64
  • 194.58.38.50 – GET /usa and GET/POST /usa/ – Seamless campaign
  • 194.58.47.235 – GET /signup4.php – Seamless campaign
  • 188.225.35.149 – IP-literal hostname used by RIG EK
  • 185.20.225.138 – hd63ueor8473y.com – Ramnit C2 traffic via TCP port 443
  • 62.173.141.43 – shebkucvrunporc.com – Ramnit C2 traffic via TCP port 443
  • 62.173.141.43 – uahvwkjphhklqigod.com – Ramnit C2 traffic via TCP port 443

Picture of network traffic filtered in Wireshark:

[Image: network traffic filtered in Wireshark]

Hashes

SHA256: 73f0fe506bf0237e58fbe7986bd2f163256e4ba90655ab4e180e440f2489df67
File name: RigEK LP from 188.225.35.149.txt

SHA256: adc668371b43cbd6711a01a49015e3f2f52de6ed6080bbe873bc7366593f235b
File name: RigEK Flash exploit from 188.225.35.149.swf

SHA256: fb13d8411a58f33433e7889a2b540e42be7dd18f53ed67a0cf52348e2c3280ef
File name: o32.tmp

SHA256: 26568f81aed43835f1662a02d168289d6e5f60ab8a6f37cc7636e79a16c85f76
File name: nx907o9r.exe
Hybrid-Analysis Report

SHA256: e074c9d677ec9101a82de178de031c7d55411b6a5a4ec2594dac72aa84ffe1b6
File name: digx0yps.exe (Ramnit sample collected from Seamless campaign on 07/29/17)
Hybrid-Analysis Report

Downloads

Malicious Artifacts from Seamless Campaign + RigEK + Ramnit on 080117.zip

Password is “infected”

Until next time my friends!

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
