Tag: Seamless Campaign

Seamless Campaign Uses RIG EK to Drop Ramnit. Ramnit Drops AZORult.

I’m still seeing a lot of Seamless campaign out there. Let’s look at the HTTP requests and DNS queries from my most recent infection: We start out with the request for /usa, which redirects to /usa/ via a 301. /usa/ returns a page containing script that grabs the time zone information from the host. That ...

Seamless Campaign Leads to RIG EK at 188.225.35.149, Drops Digitally Signed Ramnit.

The website that I used for this malvertising chain was much smaller in terms of traffic than my previous runs. In total the site received an estimated 126,000 visitors in July, 2017. According to Alexa it is currently ranked around 200,000 globally and 44,000 in the United States. Below is a flowchart of the infection ...

The Seamless Campaign Drops Ramnit. Follow-up Malware: AZORult Stealer, Smoke Loader, etc.

Although there continues to be an overall decrease in EK activity I’m still seeing a decent amount of malvertising leading to EKs. One campaign that I run into a lot is Seamless. It’s like other malvertising campaigns in that much of the traffic originates from streaming video sites. These kinds of sites make good targets ...

Seamless Campaign Drops Ramnit from RIG Exploit Kit at 188.225.76.204

This infection chain started from a malvertising chain that eventually led to the Seamless campaign. Background on the Seamless campaign can be found HERE. Below is an image of the HTTP traffic from the infection chain: The malvertising chain used various redirects to reach the RIG EK landing page. Below is an image of the ...

Seamless Campaign Leads to RIG EK at 188.225.79.43 and Drops Ramnit

As I was checking logs in the SIEM console over the weekend I came across another detection for the Seamless campaign. You can see from the HTTP logs that there are two direct IPs, 194.58.60.51 and 194.58.60.52, being used by the Seamless campaign. Examining the URLs in the HTTP logs shows an interesting base64 encoded string: ...

Seamless Campaign Leads to RIG EK at 92.222.48.83 and Drops Ramnit

The infection vector for this Ramnit compromise was RIG exploit kit. The user was redirected to the exploit kit via a malvertising chain using the Seamless campaign. The Seamless campaign has been dropping Ramnit for awhile now. You can read more about the Seamless campaign HERE. The referer used for this infection was the Seamless ...

Seamless Malvertising Campaign Drops Ramnit from RIG EK at 80.93.187.194

Shout-out to thlnk3r‏ for giving me the referer! Using the referer qstoo.voluumtrk[.]com redirected my host to the Seamless gate at 193.124.89.196: The Seamless gate returns a “302 Found” that points to the RIG exploit kit landing page at 80.93.187.194: The Ramnit malware payload was dropped in %Temp% and then copied to %AppData% in the folder mykemfpi: There ...

Seamless Campaign Still Redirecting to RIG EK and Dropping Ramnit. Follow-up Malware Dropped on the System is Smoke Loader (aka Dofoil & Sharik).

IOCs HTTP Traffic: 193.124.201.22 – GET /lol3.php 81.177.141.140 – need.aqadim.com – RIG EK (1st Run) VirusTotal report on 81.177.141.140 81.177.141.202 – RIG EK (direct IP used instead of subdomain) VirusTotal report on 81.177.141.202 118.127.42.199 – www[.]elitelockservice[.]com[.]au – GET /wp-content/themes/twentythirteen/RIG1.exe – Smoke Loader (2nd run) DNS Queries: atw82ye63ymdp.com – 188.93.211.166 (1st Run) hdyejdn638ir8.com – 134.0.117.8 (2nd ...

Seamless Malvertising Campaign Leads to RIG EK at 185.154.53.33 and Drops Ramnit

IOCs HTTP Traffic: 185.31.160.55 – GET /flow339.php – Seamless campaign redirector 185.154.53.33 – new.cloudarchieve.com – RIG EK VirusTotal report showing the full RIG EK URLs resolving to that IP address. DNS Queries: doisafjsnbjesfbejfbkjsej88.com notalyyj.com – 185.118.66.84 bheabfdfug.com – 185.156.179.126 sinjydtrv.com fbtsotbs.com fkqrjsghoradylfslg.com aofmfaoc.com – 34.194.213.50 ctiprlgcxftdsaiqvk.com mrthpcokvjc.com wgwuhauaqcrx.com – 87.106.190.153 npcvnorvyhelagx.com – 87.106.190.153 Post-infection traffic ...

Seamless Malvertising Campaign Still Leading to RIG EK and Dropping Ramnit

On May 10th, 2017, the Twitter user thlnk3r sent a Tweet with a referer for the seamless campaign: I decided to investigate the traffic from his tweet and proceeded to use the php file hosted at 185.31.160.55 as my referer. Here is the traffic from my run: This tactic proved to be successful as I was redirected from 185.31.160[.]55/flow335.php to ...