Seamless Malvertising Campaign Leads to Rig EK and Drops Ramnit. Follow-up Malware is AZORult Stealer.

I decided to go hunting for some malvertising today and got redirected to a Seamless gate, which of course redirected me to RIG EK. For those of you who don’t know about the Seamless campaign, click HERE. Also, my archived posts on the Seamless campaign can be seen HERE.

Let’s begin by peeking at the infection chain.

HTTP and DNS traffic EDITED

A domain (hidden) in an earlier part of the infection chain called out to an XML feed serving ads. The XML feed returned a 302 Found, which pointed to hanually-curcial.com/voluum/:

3 Edited

hanually-curcial.com/voluum/ returns a 302 Found and redirects to 31[.]31[.]199[.]191/vnc-seller:

4 Edited

/vnc-seller returns a 301 Moved Permanently and then gives the new location of /vnc-seller/:

5

/vnc-seller/ returns a page containing JavaScript that grabs the user’s time zone information:

6

Another look at the code:

script

The deobfuscated code shows they could be using Google Analytics to track infections:

script 2

The information is then POSTed back to /vnc-seller/:

7 Edited

The server’s response to the POST contains script that redirects the user to paremated-conproxy.com/voluum/.

paremated-conproxy.com/voluum/ returns a 200 OK:

8 Edited

The page contains a meta refresh pointing to the next URL in the infection chain, 15cen.redirectvoluum[.]com/redirect?target=BASE64aHR0cDovLzE5NC41OC40Ni4yNDIvbG9sMS5waHA…:

9 Edited

Notice that the Base64 encoded string in the URL decodes to hxxp://194[.]58[.]46[.]242/lol1.php.

The server returns a 200 OK. The page contains a meta refresh pointing to a php script located at 194[.]58[.]46[.]242/lol1.php.

lol1.php returns an iframe that points to the RIG EK landing page:

10 Edited

Because this was the Seamless campaign, RIG EK dropped Ramnit. The malware payload was dropped in %TEMP%:

TEMP

It also created a copy of itself in a newly created folder in %LOCALAPPDATA%:

LOCALAPPDATA

There is also a copy in C:\Users\[User name]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup:

Modifies auto-execute functionality by setting/creating a value in the registry:

Run key set for persistenceuserinit

SETVAL; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"; Key: "UfyQwfyv"; Value: "%LOCALAPPDATA%\mykemfpi\ufyqwfyv.exe"

SETVAL; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON"; Key: "USERINIT"; Value: "%WINDIR%\system32\userinit.exe,,%LOCALAPPDATA%\mykemfpi\ufyqwfyv.exe"

Looking at the DNS queries/responses reveals some domains and IPs:

DNS

Successful resolutions:

  • wcbjmxitybhaxdhxxob.com – 194.87.99.160
  • vwfkrykqcrfupdkfphj.com – 46.173.218.123
  • pqvicocbv.com – 87.106.190.153
  • elptuelny.com – 37.60.177.251

It was at this point that I decided to reboot the system.

After rebooting the system, we see more copies being created in %TEMP%:

rebooted TEMP

We also see some .log files created in %APPDATA% by Ramnit:

LOCALAPDATA after reboot

You might have also noticed the file “css.exe” (aka gg.exe) in %LOCALAPPDATA%. Looking at the HTTP request shows that after rebooting, the infected host made a GET request for gg.exe:

post infection HTTP requests

The GET request:

GET for AZORult

You might have noticed that the host was instructed to use the User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1).

After execution, we can see some more files (.tmp and .tempcbss) being created in %TEMP%:

TEMP 3

There was also a key created in HKCU\Software\AppDataLow\:

Client reg edited

And a .log file created by Ramnit in %ProgramData%:

.log file ProgramData after reboot

There were also POST requests to 5.101.122.193/au/gate.php.

The login for the panel for AZORult can be seen here:

login

This malware payload ended up being AZORult stealer. You can learn more about AZORult stealer HERE.

Network Based IOCs
  • 52.53.65.99 – hanually-curcial.com – GET /voluum/
  • 31.31.199.191 – GET /vnc-seller and POST /vnc-seller/
  • 52.52.18.181 – paremated-conproxy.com – GET /voluum/
  • 52.9.71.23 – 15cen.redirectvoluum.com – GET /redirect
  • 194.58.46.242 – GET /lol1.php
  • 188.225.85.142 – RIG EK
  • 194.87.99.160 (wcbjmxitybhaxdhxxob.com) – TCP port 443
  • 46.173.218.123 (vwfkrykqcrfupdkfphj.com) – TCP port 443
  • 87.106.190.153 (pqvicocbv.com) – TCP port 443
  • 37.60.177.251 (elptuelny.com) – TCP port 443
  • 181.114.240.10 – sb572f00a.fastvps-server.com – GET /gg.exe
  • 5.101.122.193 – POST /au/gate.php
Hashes

SHA256: 8129e51cb9b7f47da14bd86d4b3afa049f7d5a4ac716cdecfaaf81a48837b7a2
File name: RIG EK landing page.txt

SHA256: dc65c7783f02d45b61cceff22e4f5e50ab313f8ea0e94e0cfffc7d1213ba2149
File name: RIG EK Flash exploit.swf

SHA256: dbdb563a0590c2674e23d8e1d88174bc1fb3dfed6fcda0e6a07edafb050fdab2
File name: o32.tmp

SHA256: 43ae3b68b5201d3ffddc37918f24a380a1cdf0fd5a2c06c947367b56069b0ed3
File name: bilonebilo.exe
Hybrid-Analysis Report

SHA256: db89f34921e507b8fc5ba24d2e252a33eea5a10717768817b80fb98637c55a6e
File name: gg.exe
Hybrid-Analysis Report

Downloads

Ramnit, AZORult, etc

Password is “infected”

Until next time!

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

2 thoughts on “Seamless Malvertising Campaign Leads to Rig EK and Drops Ramnit. Follow-up Malware is AZORult Stealer.

  • September 20, 2017 at 6:30 AM
    Permalink

    Thanks for the write-up very interesting.

    Reply
    • September 20, 2017 at 3:34 PM
      Permalink

      You’re welcome, glad you liked it!

      Reply

Leave a Comment

%d bloggers like this: