Seamless Campaign Delivers Ramnit via RIG EK at 188.225.82.158. Follow-up Malware is AZORult Stealer

Malware Analysis
1

Note: I took a bit of break, but I will try to get back to posting more regularly.

Today’s infection chain is a familiar one as it includes the Seamless campaign delivering Ramnit banking Trojan via RIG exploit kit. Below is an image of the infection chain, specifically the HTTP requests:

HTTP Requests Edited

The infection chain starts off with a normal site and some ad traffic. The HTTP request for ad traffic redirects to an XML feed serving ads. The XML feed returned a 302 Found, pointing to hxxp://flinsheer-perreene[.]com/voluum/:

We then see a series of 3XX redirects:

  • hxxp://flinsheer-perreene[.]com/voluum/ -> hxxp://194[.]58[.]38[.]57/usa via a 302 Found
  • hxxp://194[.]58[.]38[.]57/usa -> /usa/ via a 301 Moved Permanently

/usa/ returns the following JavaScript, which POST information back to /usa/:

Further breakdown of the code can be seen HERE.

Typically, it would be at this point that unwanted connections would be filtered out and redirected to a benign site, however I didn’t run any further test for verification.

The server returns a 200 OK and points to the next step in the redirection chain via window.location.href=hxxp://flinsheer-perreene[.]com/voluum/cebddddb-0f28-4087-99c3-690fa79f4804??track=48tmsGdksmgj383P=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The response to that request is shown below:

We see a meta refresh, redirecting to hxxp://kcsmj[.]redirectvoluum[.]com:80/redirect?target=BASE64aHR0cDovLzE5NC41OC40MC4xOTMvdGVzdDIyLnBocA&ts=xxxxxxxxxxxxx&hash=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&rm=x after 0 seconds (bolded string in URI is Base64 encoded).

This redirect leads to another response containing one more meta refresh:

This meta refresh happens immediately, redirecting to hxxp://194[.]58[.]40[.]193/test22.php

test22.php returns an iframe that contains the RIG EK landing page at 188.225.82.158:

After this long redirection chain, RIG EK finally delivers Ramnit banking Trojan.

File System IOCs

The malware payload is placed in the user’s %TEMP% folder:

It also created a copy of itself in %LOCALAPPDATA%:

There is also a copy in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup for persistence:


Modifies auto-execute functionality by setting/creating values in the registry:


SETVAL; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"; Key: "UfyQwfyv"; Value: "%LOCALAPPDATA%\mykemfpi\ufyqwfyv.exe"

SETVAL; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON"; Key: "USERINIT"; Value: "%WINDIR%\system32\userinit.exe,,%LOCALAPPDATA%\mykemfpi\ufyqwfyv.exe"

After restarting the machine there are two more copies of the malware placed in %TEMP%:

Temp 2

There was also a copy in %TEMP%\Low:

Temp Low

Entry for “Client” found in HKCU\Software\AppDataLow\:

Reg Client edited

Creates various .log files in %LOCALAPPDATA% and %PROGRAMDATA%:


If you looked at the %LOCALAPPDATA% image you might have noticed another executable file called “APITEM.EXE”. This malware payload ended up being AZORult stealer and it was download by my infected host after the initial system restart.

Some .tempcbss files created by AZORult are located in %TEMP%:

Temp 3

Network Based IOCs

After the system restart we could also see the DNS queries for Ramnit DGA domains:

DNS requests

Successful resolutions:

  • ngbclncfxjdsmmribt.com – 217.20.116.140
  • aujastmvehxqmlbb.com – 217.20.116.140
  • guaevvaxrujnobfytud.com – 194.87.145.189
  • kofeydncog.com – 87.106.190.153
  • sxkallpiiknswi.com – 87.106.190.153

Callback traffic for Ramnit:

  • 217.20.116.140:443
  • 194.87.145.189:443
  • 87.106.190.153:443

AZORult is a very nasty piece of malware. I’m hiding information about this sample since it could potentially cause sensitive information to be leaked.

Below is an image of the GET request for AZORult:

Follow up malware edited

Note: Further analysis of the server delivering tutu.exe shows that it also hosting apis.exe and 1.exe. 1.exe was identified as Shade ransomware with Teamspy (aka TVRAT, TVSPY, and SpY-Agent) functionality. I might do separate write-ups on these samples, time permitting.

tutu.exe was downloaded using the UA string “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”, which is Internet Explorer 6 on Windows XP SP2.

AZORult was placed in %LOCALAPPDATA% and executed. Following the execution of the payload we see two POST requests:


Login panel:

login panel edited

Confirmation it is AZORult:

AZORult edited

Main page, passwords, and reports:



These threat actors have collected information on over 600+ victims in the last couple of days.

There are options for reporting, saved passwords (browsers, FTP, Email, and IM), Bitcoin client files, Skype db files, Steam files, Desktop files and CC.

The criminals are collecting and storing victim information in .zip files, named by the date and machine ID:

AZORult files edited

Information in the .zip file includes:

  • “Browsers” folder
    • “AutoComplete” subfolder contains .txt files for Chromium, Chrome, Firefox, etc.
    • “Cookies” subfolder contains similar files as the AutoComplete subfolder
  • CookieList.txt
  • IP.txt
  • Passwords.txt
  • SYSInfo.txt

These files contain the IP address and location of the compromised machine, saved passwords, system information (Machine ID, file path of the malware – .exe or .dll, Operating System information, computer name, username, CPU information, total RAM, GPU information, system processes currently running, programs currently installed), and information used by browsers.

Due to security reasons, I will not be giving out certain samples to the public.

IOCs from Infection
  • 52.8.143.12 – flinsheer-perreene.com – GET /voluum/
  • 194.58.38.57 – GET /usa and /usa/ – POST /usa/
  • 52.8.229.123 – kcsmj.redirectvoluum.com – GET /redirect?target=BASE64
  • 194.58.40.193 – GET /test22.php
  • 188.225.82.158 – IP literal hostname used by RIG EK
  • 217.20.116.140:443 – ngbclncfxjdsmmribt.com – Ramnit
  • 217.20.116.140:443 – aujastmvehxqmlbb.com – Ramnit
  • 194.87.145.189:443 – guaevvaxrujnobfytud.com – Ramnit
  • 87.106.190.153:443 – kofeydncog.com – Ramnit
  • 87.106.190.153:443 – sxkallpiiknswi.com – Ramnit
Bonus IOCs Collected During My Research
  • 85.17.29.101:80 – GET /stats/update.php?id=283233394&stat=8f995f306c06b63c100b05fdd300f962 – ET TROJAN Win32.Spy/TVRat/Shade Ransomware Checkin
    • Uses UA string “Mozilla/5.0 (Windows NT 5.1)”
  • 5.79.66.227:443 – Collected from apis.exe sample
Hashes From Infection

SHA256: be28a10416523b9ed143f99a1153f3530565a885c5b7dfa271ebad5a31ff0fb2
File name: RigEK 188.225.82.158 landing page.txt

SHA256: 4f8ee603630bbcc55b33b2c95347fe51d1dbc50531ece60b9f15050aa1119339
File name: RigEK 188.225.82.158 Flash exploit.swf

SHA256: 5c0a56406bd98c4da687fe7bc95d0d0ca271ad38bc394e8f6c4f5ef1c47277d7
File name: o32.tmp

Bonus Hashes – Malware Found on Server Hosting AZORult

SHA256: cc95870ebece2838ff9b2b8129386f015ea80d497a6c26127c9bd7abc588f2ea
File name: 1.exe
Hybrid-Analysis Report

SHA256: 35408635b78a61972dd48935fbbeb1fce067615c3cebf4498472252fbf893914
File name: apis.exe
Hybrid-Analysis Report

Downloads

Artifacts from the infection and bonus malware samples.zip

Password is “infected”

Until next time!

Additional Reference for Ramnit:
https://www.cert.pl/news/single/ramnit-doglebna-analiza/ (original source)
https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/ (English version)

Article Link: https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/