RIG Exploit Kit Delivers Ramnit Banking Trojan via Seamless Malvertising Campaign

Last week I decided to play around with some sketchy sites and, not surprisingly, I found myself getting infected with malware. Let’s go over the redirection chain and then I’ll go into brief detail about the malware infection.

After browsing on the sketchy site, we see some traffic to buzzadnetwork.com:

MalwareBreakdown.com - 302 Moved Temporarily edited

Alexa shows that buzzadnetworks.com is ranked 326 globally.

The request returns a 302 Moved Temporarily, pointing to a new location at xn--b1aanbnczd5ie1bf.xn--p1ai. Punycode is being used to encode the internationalized domain name (IDN). This decodes to языковязыков.рф (using a Cyrillic country code top-level domain).

The HTTP GET request for /redirect.php?acsc=93042904 returned the following:

MalwareBreakdown.com - Script from Seamless Campaign

The time zone information, referer, etc., is POSTed back to the server:

MalwareBreakdown.com - POST from Seamless Campaign edited

The server responds with the following:

malwarebreakdown.com

This causes an HTTP GET request for the resource located toturself-josented.com. The server responds with the following:

MalwareBreakdown.com - Redirect in Seamless Campaign edited

The meta refresh redirects to a resource at redirect.turself-josented[.]com. The server responds to this GET request with the location of the Seamless gate:

MalwareBreakdown.com - Redirect to Seamless gate edited

The threat actors behind the Seamless campaign have been using Punycode for the location of the gates for over a month now; in our example it was xn--b1aanbboc3ad8jee4bff.xn--p1ai. This decodes to языковязыковязы.рф. The meta refresh redirects to the gate and the server responds with an iframe to RIG EK:

MalwareBreakdown.com - Server returns iframe from Seamless gate

MalwareBreakdown.com - Seamless gate returns iframe to RigEK

I’m not sure on why they switched from using IP-literal hostnames to Punycode. Here is some additional information on Punycode being used by bad guys.

Not surprisingly, the Seamless Campaign is still using RIG EK to deliver Ramnit banking Trojan. Often times I find that it also downloads AZORult.

File System/Registry

The Ramnit payload was downloaded to %Temp% and then detonated:

Temp

Process bilo22.exe modified the registry by setting the following:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\jfghdug_ooetvtgk = TRUE
  • Persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UfyQwfyv = %LocalAppData%\mykemfpi\ufyqwfyv.exe
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0
  • HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = 1
  • HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify = 1
  • HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify = 1
  • HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride = 1
  • HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = 1
  • HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify = 1
  • HKLM\System\CurrentControlSet\services\wscsvc\Start = 4
  • HKLM\System\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = 0
  • HKLM\System\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = 0
  • HKLM\System\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = 1
  • HKLM\System\CurrentControlSet\services\MpsSvc\Start = 4
  • HKLM\System\CurrentControlSet\services\WinDefend\Start = 4
  • HKLM\System\CurrentControlSet\services\wuauserv\Start = 4
  • Persistence: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = C:\Windows\system32\userinit.exe,,C:\Users\[removed]\AppData\Local\mykemfpi\ufyqwfyv.exe

Process bilo22.exe creates the following files:

  • Copies itself to %LocalAppData%\mykemfpi\ufyqwfyv.exe
  • Persistence: %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\ufyqwfyv.exe

After rebooting:

  • svchost.exe creates .log file %ProgramData%
  • svchost.exe creates numerous .log files in %LocalAppData%
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = 0
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = 1
  • tracert.exe sets registry key “HKCU\Software\AppDataLow\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\Client”

Network Traffic

  • 104.197.122.221 – www[.]buzzadnetworks[.]com – GET /jump/next.php
  • 31.31.196.183 – xn--b1aanbnczd5ie1bf.xn--p1ai – GET and POST /redirect.php
  • 52.8.118.144 – turself-josented.com – GET /voluum/
  • 52.8.118.144 – redirect.turself-josented.com – GET /redirect
  • 31.31.196.182 – xn--b1aanbboc3ad8jee4bff.xn--p1ai – GET /gav4.php – Seamless gate
  • 5.188.60.18 – RIG EK IP-literal hostname
  • DNS queries for google.com followed by HTTP requests (non-malicious)
  • TCP traffic to 194.87.236.35 port 443 – awogqfbalyisqceqla.com
  • TCP traffic to 87.106.190.153 port 443 – bmgjcjssu.com

Additional details on C2 traffic:

==================================================
Remote Address : 194.87.236.35
Remote Host Name : unspecified.mtw.ru
Remote Port : 443
Process ID : 3716
Process Name : svchost.exe
Process Path : C:\Windows\system32\svchost.exe
==================================================

==================================================
Remote Address : 87.106.190.153
Remote Port : 443
Process ID : 3716
Process Name : svchost.exe
Process Path : C:\Windows\system32\svchost.exe
==================================================

Image of HTTP requests and DNS queries:

MalwareBreakdown.com Seamless Campaign RIG Exploit Kit Ramnit banking Trojan - HTTP and DNS traffic

Hashes

SHA256: cc80f45b6c770ea59d8584526cc2a2b2574f78ab87b739a360750d5e470207d2
File name: RigEK landing page.txt

SHA256: 8e13de0f5fc422d6098ef03bc040e650c1cde89f8541f8acf3617ff122b64185
File name: RigEK Flash exploit.swf

SHA256: 1aa23536dc6ed14b0a49a2438ba9e9e3332bf467789c55dd2adc3b97bea236d4
File name: o32.tmp

SHA256: b77167bf6101fc2fc07ac50fa977ffff567b44daeb216a52c1a8c66d79a421d2
File name: bilo22.exe
HA Report

Downloads

Malicious Artifacts.zip

Password is “infected”

References

  1. https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf
  2. https://www.cert.pl/news/single/ramnit-doglebna-analiza/ (original source)
  3. https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/ (English version)

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

Leave a Comment

%d bloggers like this: