I decided to go hunting for some malvertising today and got redirected to a Seamless gate, which of course redirected me to RIG EK. For those of you who don’t know about the Seamless campaign, click HERE. Also, my archived posts on the Seamless campaign can be seen HERE.
Let’s begin by peeking at the infection chain.
A domain (hidden) in an earlier part of the infection chain called out to an XML feed serving ads. The XML feed returned a 302 Found, which pointed to hanually-curcial.com/voluum/:
hanually-curcial.com/voluum/ returns a 302 Found and redirects to 31[.]31[.]199[.]191/vnc-seller:
/vnc-seller returns a 301 Moved Permanently and then gives the new location of /vnc-seller/:
Another look at the code:
The deobfuscated code shows they could be using Google Analytics to track infections:
The information is then POSTed back to /vnc-seller/:
The server’s response to the POST contains script that redirects the user to paremated-conproxy.com/voluum/.
paremated-conproxy.com/voluum/ returns a 200 OK:
The page contains a meta refresh pointing to the next URL in the infection chain, 15cen.redirectvoluum[.]com/redirect?target=BASE64aHR0cDovLzE5NC41OC40Ni4yNDIvbG9sMS5waHA…:
Notice that the Base64 encoded string in the URL decodes to hxxp://194[.]58[.]46[.]242/lol1.php.
The server returns a 200 OK. The page contains a meta refresh pointing to a php script located at 194[.]58[.]46[.]242/lol1.php.
lol1.php returns an iframe that points to the RIG EK landing page:
Because this was the Seamless campaign, RIG EK dropped Ramnit. The malware payload was dropped in %TEMP%:
It also created a copy of itself in a newly created folder in %LOCALAPPDATA%:
There is also a copy in C:\Users\[User name]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup:
Modifies auto-execute functionality by setting/creating a value in the registry:
SETVAL; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"; Key: "UfyQwfyv"; Value: "%LOCALAPPDATA%\mykemfpi\ufyqwfyv.exe" SETVAL; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON"; Key: "USERINIT"; Value: "%WINDIR%\system32\userinit.exe,,%LOCALAPPDATA%\mykemfpi\ufyqwfyv.exe"
Looking at the DNS queries/responses reveals some domains and IPs:
- wcbjmxitybhaxdhxxob.com – 184.108.40.206
- vwfkrykqcrfupdkfphj.com – 220.127.116.11
- pqvicocbv.com – 18.104.22.168
- elptuelny.com – 22.214.171.124
It was at this point that I decided to reboot the system.
After rebooting the system, we see more copies being created in %TEMP%:
We also see some .log files created in %APPDATA% by Ramnit:
You might have also noticed the file “css.exe” (aka gg.exe) in %LOCALAPPDATA%. Looking at the HTTP request shows that after rebooting, the infected host made a GET request for gg.exe:
The GET request:
You might have noticed that the host was instructed to use the User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1).
After execution, we can see some more files (.tmp and .tempcbss) being created in %TEMP%:
There was also a key created in HKCU\Software\AppDataLow\:
And a .log file created by Ramnit in %ProgramData%:
There were also POST requests to 126.96.36.199/au/gate.php.
The login for the panel for AZORult can be seen here:
This malware payload ended up being AZORult stealer. You can learn more about AZORult stealer HERE.
Network Based IOCs
- 188.8.131.52 – hanually-curcial.com – GET /voluum/
- 184.108.40.206 – GET /vnc-seller and POST /vnc-seller/
- 220.127.116.11 – paremated-conproxy.com – GET /voluum/
- 18.104.22.168 – 15cen.redirectvoluum.com – GET /redirect
- 22.214.171.124 – GET /lol1.php
- 126.96.36.199 – RIG EK
- 188.8.131.52 (wcbjmxitybhaxdhxxob.com) – TCP port 443
- 184.108.40.206 (vwfkrykqcrfupdkfphj.com) – TCP port 443
- 220.127.116.11 (pqvicocbv.com) – TCP port 443
- 18.104.22.168 (elptuelny.com) – TCP port 443
- 22.214.171.124 – sb572f00a.fastvps-server.com – GET /gg.exe
- 126.96.36.199 – POST /au/gate.php
File name: RIG EK landing page.txt
File name: RIG EK Flash exploit.swf
File name: o32.tmp
File name: bilonebilo.exe
File name: gg.exe
Password is “infected”
Until next time!