Recent threat hunting has led me to another Seamless gate, which used RIG EK to deliver the Ramnit banking Trojan. The Seamless campaign, which has been around since at least February 2017, has always favored Ramnit as its payload. Often the Ramnit payloads download additional malware such as the AZORult stealer.
The publisher (a website that displays adverts) that I used for this infection chain is very popular in Pakistan. In fact, Alexa ranks it within the top 50 in Pakistan and in the top 4,000 globally. Traffic estimates for the publisher show that it received an estimated 4.1 million visitors in the last 30 days.
Below is an image of the infection chain being captured via Wireshark:
I created a basic flowchart to make the redirection chain easier to follow:
The publisher’s page source:
go.oclasrv.com redirected, via a 302 Found, to onclkds.com:
go.oclasrv.com and onclkds.com are used by ad network Propeller Ads Media for ad serving.
I believe onclkds.com redirected to engine.spotscenered.info. Oddly enough, I couldn’t find any useful information about engine.spotscenered.info.
engine.spotscenered.info/link.engine redirects, via a 302 Found, to engine.spotscenered.info/Redirect.eng:
engine.spotscenered.info/Redirect.eng returned a 200 OK with the following script:
This redirected to xn--15-mmc.xn--p1acf/go2/index.php, which returned a 301 Moved Permanently pointing to paremated-conproxy.com/voluum/, along with JavaScript that grabs the user's time zone information.
The user’s time zone information is supposed to be POSTed back to the server; however, there was no POST request.
paremated-conproxy.com/voluum/ redirected to 15cen.redirectvoluum.com/redirect:
15cen.redirectvoluum.com/redirect redirected to the Seamless gate at 194[.]58[.]58[.]121/test3.php:
test3.php returns an iframe that redirects to the RIG EK landing page at 188.225.85.82:
The payload being pushed by the Seamless campaign is Ramnit banking Trojan.
File System
The payload was dropped in %Temp% and executed:
bilonebilo619.exe sets the registry key “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\jfghdug_ooetvtgk”.
bilonebilo619.exe then creates a copy of itself in “C:\Users\[Username]\AppData\Local\mykemfpi\ufyqwfyv.exe”:
bilonebilo619.exe then creates a startup file at “C:\Users\[Username]\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ufyqwfyv.exe”:
bilonebilo619.exe then sets the AutoStart registry key “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UfyQwfyv”:
bilonebilo619.exe then sets the AutoStart registry key “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit”:
Process “ufyqwfyv.exe” then creates another copy of itself at “C:\Users\Win7 32bit\AppData\Local\Temp\ebqvhrfc.exe”:
Process “ebqvhrfc.exe” creates file “C:\Users\Win7 32bit\AppData\Local\Temp\lhxocmtw.exe”:
Process “svchost.exe” creates a .log file in “C:\ProgramData\cdprsxjy.log”:
Process “svchost.exe” then creates the .log file in %LocalAppData%:
Process “svchost.exe” creates process “tracert.exe”, which sets the registry key “HKCU\Software\AppDataLow\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\Client”:
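As an added example (not code from the original post), a small Python detector that applies the persistence indicators listed above to constructed Sysmon-style records: it flags Run-key values that point into user-writable paths, a Winlogon Userinit value that is no longer the stock one, a dropper written to the Startup folder and the AppDataLow\...\Client key, while leaving a stock Userinit write alone. The user name, GUID, event field names and sample records are all constructed.

```python
import re

# Sysmon-style "registry value set" / "file create" records, constructed to mirror the behaviour above.
DROPPER = r"C:\Users\victim\AppData\Local\Temp\bilonebilo619.exe"
COPY = r"C:\Users\victim\AppData\Local\mykemfpi\ufyqwfyv.exe"
SAMPLE_EVENTS = [
    {"event": "RegistryValueSet", "image": DROPPER,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UfyQwfyv", "details": COPY},
    {"event": "RegistryValueSet", "image": DROPPER,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "details": r"C:\Windows\system32\userinit.exe," + COPY},
    {"event": "FileCreate", "image": DROPPER,
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ufyqwfyv.exe"},
    {"event": "RegistryValueSet", "image": r"C:\Windows\System32\tracert.exe",
     "target": r"HKCU\Software\AppDataLow\01234567-89AB-CDEF-0123-456789ABCDEF\Client", "details": "Binary Data"},
    # Benign control: Userinit rewritten to its default value must not be flagged.
    {"event": "RegistryValueSet", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "details": r"C:\Windows\system32\userinit.exe,"},
]

DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"  # stock value; anything appended also runs at logon
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData)\\", re.I)
APPDATALOW_CLIENT = re.compile(r"\\AppDataLow\\[^\\]+\\Client$", re.I)


def classify(ev):
    """Return a finding label for one event, or None when it looks benign."""
    target = ev["target"]
    if ev["event"] == "RegistryValueSet":
        if target.lower().endswith(r"\winlogon\userinit"):
            return None if ev["details"].lower().strip() == DEFAULT_USERINIT else "userinit_tampered"
        if RUN_KEY.search(target) and USER_WRITABLE.search(ev["details"]):
            return "run_key_to_user_writable_path"
        if APPDATALOW_CLIENT.search(target):
            return "appdatalow_client_key"
    elif ev["event"] == "FileCreate" and STARTUP_DIR.search(target):
        return "startup_folder_dropper"
    return None


def flag_persistence(events):
    """Group the triggering (image, target) pairs under each finding label."""
    findings = {}
    for ev in events:
        label = classify(ev)
        if label:
            findings.setdefault(label, []).append((ev["image"], ev["target"]))
    return findings
```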
Network Based IOCs
Pre-infection:
- 52.52.18.181 – paremated-conproxy.com – GET /voluum/
- 52.9.71.23 – 15cen.redirectvoluum.com – GET /redirect
- 194.58.58.121 – GET /test3.php – Seamless gate
- 188.225.85.82 – IP literal hostname used by RIG EK
Post-infection via TCP port 443:
- 46.165.254.211 – fejbmscsuruiow.com
- 46.165.254.211 – anyaikyaeifcprlcrof.com
- 195.38.137.100 – edbvkjmr.com
- 194.87.94.11 – upwdodqrmjydqcys.com
- 87.106.190.153 – bmtnnkvm.com
DNS queries and responses:
Hashes
SHA256: 57438a61471d4da3550c8235dffd6836979057f0467e17d38887b1ad5b6c375d
File name: RigEK landing page.txt
SHA256: d0156d98de96e278938329e026c6992510e5931d13c7d36b3845e605c553661b
File name: RigEK Flash exploit.swf
SHA256: b793211fd7238fa5402a0bcdfb5a486dc31fd13b9bd58697ceb8328ab2cf6164
File name: bilonebilo619.exe
Hybrid-Analysis Report
Downloads
Malicious Artifacts 100417
Password is “infected”
References
A very detailed look at Ramnit:
Article Link: https://malwarebreakdown.com/2017/10/04/seamless-campaign-delivers-ramnit-banking-trojan-via-rig-ek/