Seamless Campaign Uses RIG EK to Deliver More Ramnit

Malware Analysis
1

Over the weekend I went hunting for malvertising campaigns hoping to find something other than Seamless. However, on both Saturday (run 1 on 02-24-18) and Sunday (run 2 on 02-25-18), I ended up finding myself the victim of a Ramnit infection, courtesy of the Seamless campaign and RIG EK. I don’t have any hard data but Seamless appears to be dominating the malvertising landscape ever since the decline of HookAds.

Run 1:

Fiddler Traffic Run 1 (Edited)

This traffic is similar to what I wrote about on 02-21-18. The Seamless campaign was using LiberTex.one, which had been mirrored from LiberTex.org (legitimate site) on 02-08-18. The only change from my previous post was that the gate redirector was now located in the directory /pert/.

Run 2:

Fiddler Traffic Run 2 (Edited)

The threat actors started using IqOption.ink on 02-25-18 as the Seamless pre-gate. This site was mirrored from IqOption.com. Mirroring legitimate sites and using a different TLD seems to be a trend.

Next, we see the use of these domains for redirects:

  • RessAndy-ActorsIon.com (Created on 01-27-18)
  • Redirect.LiberTex.tech (Created on 02-09-18)

The last big change was the use of a Punycode for the Seamless gate again:

  • xn--80acvhc3abphaf7h.xn--p1ai
    • Руультрабуки.рф (Created on 01-28-18)

punycode Seamless gate

Both times Seamless used RIG EK to deliver Ramnit banking Trojan.

 

Network IOCs

Run 1:

  • 31.31.196.81 – libertex.one – GET or POST /index.php – Seamless pre-gate
  • 13.57.167.218 – distan-kenques.com – GET /voluum/ – Redirect
  • 52.9.239.9 – redirect.distan-kenques.com – GET /redirect – Redirect
  • 31.31.196.248 – gavkingate.info – GET /pert/gav[1-5].php – Seamless gate
  • 188.225.25.254 – IP literal hostname used by RIG EK

Run 2:

  • 31.31.196.133 – iqoption.ink – GET or POST /index.php – Seamless pre-gate
  • 54.241.218.224 – ressandy-actorsion.com – GET /voluum/ – Redirect
  • 54.193.238.254 – redirect.libertex.tech – GET /redirect – Redirect
  • 31.31.196.186 – xn--80acvhc3abphaf7h.xn--p1ai – GET/gav2.php – Seamless gate
  • 188.225.25.237 – IP literal hostname used by RIG EK

Ramnit DNS Queries/Responses:

  • rgmayedyahatevqyuc.com – 217.20.116.146
  • jauybjisqwnoscjtwiu.com – 194.87.109.248
  • lmfdaoefn.com – 217.20.116.146
  • eobqwmqykyyk.com – 89.185.44.100
  • naposwgfbt.com – 208.100.26.251
  • grojjpof.com – 87.106.190.153
  • yyygshsshssjhsiheush.com
  • hfltolixcdquc.com
  • twdqbwjwoygiwanqqb.com
  • dmfvkcsyddmelo.com
  • dqemqcbxgofddopclb.com
  • yfguxadqq.com
  • upvuyweywb.com
  • mpiknurw.com
  • wdjteqklfjt.com
  • wloinopvxjdsocgopo.com
  • ijepobey.com

TCP Connections:

  • 217.20.116.146:443
  • 194.87.109.248:443
  • 89.185.44.100:443
  • 208.100.26.251:443
  • 87.106.190.153:443

 

Hashes

Run 1:

SHA256: eaa97a7e22df35d9fc87a3b3c9b49ba5f2460c53cc7d177dea70d51758988c36
File name: RigEK Landing Page.txt

SHA256: 31dd72ddb97c96aa0a2f179286e40b22af79486f65dbd94cf1cd08fc50ecef9f
File name: RigEK Flash Exploit.swf

SHA256: 471aa6d794fc8981f1a8814203434df437e8f942bde4a4951f39b682796e31e3
File name: b46.exe
Hybrid-Analysis Report

Run 2:

SHA256: c38de21dbb486a357276f1a7859535a275522ac152e7712acef8a921dc625df2
File name: RigEK Landing Page.txt

SHA256: 31dd72ddb97c96aa0a2f179286e40b22af79486f65dbd94cf1cd08fc50ecef9f
File name: RigEK Flash Exploit.swf

SHA256: ea06beda51b79f58b876b3dac266ec2c30ccedcfb9ea2cc16004298d125f6033
File name: b40.exe
Hybrid-Analysis Report

 

Samples

Malware Samples – Seamless RigEK Ramnit 022418 – 022518.zip

Password is “infected”

Article Link: https://malwarebreakdown.com/2018/02/26/seamless-campaign-uses-rig-ek-to-deliver-more-ramnit/