I’m still seeing a lot of Seamless campaign out there. Let’s look at the HTTP requests and DNS queries from my most recent infection:
We start out with the request for /usa, which redirects to /usa/ via a 301. /usa/ returns a page containing script that grabs the time zone information from the host. That time zone information is POSTed back to /usa/ and the server responds with the location of the next redirect at tqbeu.voluumtrk[.]com/voluum/.
tqbeu.voluumtrk[.]com/voluum/ redirects to tqbeu.redirectvoluum[.]com/redirect:
/redirect?target=BASE64aHR0cDovLzE5NC41OC40Ny4yMzUvc2lnbnVwNC5waHA decodes to hxxp://194[.]58[.]47[.]235signup4.php.
/signup4.php returns the location of the RIG EK landing page:
The Ramnit Trojan was dropped in %Temp% and executed. The malware also created a new folder in %LocalAppData% and added itself to the startup menu.
You’ll also notice some .log files being created by Ramnit in %LocalAppData%. The .tmp and .tempcbss files located at the top of %Temp% are from AZORult. More on AZORult later.
There was also a registry value added at HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun for persistence:
Lastly, there is a .log file created in ProgramData from Ramnit, which contains 64 characters:
Back to the traffic.
The Ramnit sample seems to test connectivity via connections to google.com, as seen in the traffic. Following this initial check, the sample starts a connection with 22.214.171.124 via TCP port 443. The hostname resolves to g283yr84iri4i.com.
The server responds with a 400 via HTTP over TCP port 443. Immediately following the RST/ACK between my host and 126.96.36.199 comes numerous DNS queries for DGA domains, with one successful response from ypfptjsuthmaaebx.com at 188.8.131.52. Once the domain resolves we see connections to 184.108.40.206 via TCP port 443:
After Ramnit callback traffic I found an additional GET request for AZORult located at 194[.]58[.]39[.]177/lenta3.exe. 220.127.116.11 is under the control of the same individuals controlling the Seamless gates.
I also found POST requests to mcgau2.bit.md-100.webhostbox[.]net/wp-content/themes/au/gate.php. Login panel for AZORult:
This is the second time I’ve had a Ramnit sample download AZORult. To read more about AZORult and that infection click HERE.
Network Based IOCs
- 18.104.22.168 – Seamless campaign
- 22.214.171.124 – Seamless campaign
- 126.96.36.199 – RIG EK
- 188.8.131.52 – g283yr84iri4i.com – Ramnit traffic via TCP port 443
- 184.108.40.206 – ypfptjsuthmaaebx.com – Ramnit traffic via TCP port 443
- 220.127.116.11 – GET /lenta3.exe
- 18.104.22.168 – mcgau2.bit.md-100.webhostbox.net POST /wp-content/themes/au/gate.php
File name: RigEK LP from 22.214.171.124.txt
File name: RigEK Flash exploit from 126.96.36.199.swf
File name: o32.tmp
File name: ecba7tie.exe
File name: lenta3.exe
Seamless RigEK Ramnit AZORult 081517.zip
Password is “infected”
Until next time!