Tag: Ramnit

Seamless Campaign Uses RIG EK to Deliver More Ramnit

Over the weekend I went hunting for malvertising campaigns hoping to find something other than Seamless. However, on both Saturday (run 1 on 02-24-18) and Sunday (run 2 on 02-25-18), I ended up finding myself the victim of a Ramnit infection, courtesy of the Seamless campaign and RIG EK. I don’t have any hard data ...

Seamless Campaign Uses RIG EK to Deliver Ramnit

Originally posted at malwarebreakdown.com Follow me on Twitter It didn’t take me long to get the redirections that I had gone hunting for. Below is an edited image taken of the redirection chain: Flowchart of the redirection chain: One thing to note, libertex.one, which is currently resolving to 31.31.196.81 (Russian) and was registered on 02/07/2018, ...

RIG Exploit Kit Delivers Ramnit Banking Trojan via Seamless Malvertising Campaign

Last week I decided to play around with some sketchy sites and, not surprisingly, I found myself getting infected with malware. Let’s go over the redirection chain and then I’ll go into brief detail about the malware infection. After browsing on the sketchy site, we see some traffic to buzzadnetwork.com: Alexa shows that buzzadnetworks.com is ...

Seamless Campaign Delivers Ramnit via RIG EK at 188.225.82.158. Follow-up Malware is AZORult Stealer.

Note: I took a bit of break, but I will try to get back to posting more regularly. Today’s infection chain is a familiar one as it includes the Seamless campaign delivering Ramnit banking Trojan via RIG exploit kit. Below is an image of the infection chain, specifically the HTTP requests: The infection chain starts ...

Seamless Campaign Delivers Ramnit Banking Trojan via RIG EK.

Recent threat hunting had led me to another Seamless gate which used RIG EK to deliver Ramnit banking Trojan. The Seamless campaign, which has been around since at least February 2017, has always Favorited Ramnit as its payload. Often the Ramnit payloads will download additional malware such as AZORult stealer. The publisher (a website that ...

Seamless Malvertising Campaign Leads to Rig EK and Drops Ramnit. Follow-up Malware is AZORult Stealer.

I decided to go hunting for some malvertising today and got redirected to a Seamless gate, which of course redirected me to RIG EK. For those of you who don’t know about the Seamless campaign, click HERE. Also, my archived posts on the Seamless campaign can be seen┬áHERE. Let’s begin by peeking at the infection ...

The Seamless Campaign Isn’t Losing Any Steam

Some security researchers on Tuesday had noted that their requests for the Seamless gates were failing. However, if there was any noticeable stoppage, it certainly didn’t last very long. Shortly after hearing about this I started checking my logs for any exploit kit activity and, as usual, I found a detection for RIG EK from ...

Seamless Campaign Uses RIG EK to Drop Ramnit Trojan

Below is a partial and edited flowchart of the malvertising chain that I got during this infection: An edited image of the infection chain is shown below: You can see that the Ramnit sample seems to check for Internet connectivity before making DNS queries for ujndhe7382uryhf.com, which resolves to 46.173.214.170. Following the DNS resolutions is ...

Seamless Campaign Uses RIG EK to Drop Ramnit. Ramnit Drops AZORult.

I’m still seeing a lot of Seamless campaign out there. Let’s look at the HTTP requests and DNS queries from my most recent infection: We start out with the request for /usa, which redirects to /usa/ via a 301. /usa/ returns a page containing script that grabs the time zone information from the host. That ...

Seamless Campaign Leads to RIG EK at 188.225.35.149, Drops Digitally Signed Ramnit.

The website that I used for this malvertising chain was much smaller in terms of traffic than my previous runs. In total the site received an estimated 126,000 visitors in July, 2017. According to Alexa it is currently ranked around 200,000 globally and 44,000 in the United States. Below is a flowchart of the infection ...