Seamless Campaign Uses RIG EK to Deliver Ramnit


It didn’t take me long to get the redirections I had gone hunting for. Below is an edited image of the redirection chain:

Flowchart of the redirection chain:

One thing to note: the domain, which is currently resolving to (Russian) and was registered on 02/07/2018, was mirrored from by “HTTrack Website Copier” on February 8th, 2018. The IP address has been used to host other Seamless gates and is worth blocking outright.

Some other registrant information:

Attribute Value
Registrar Key-Systems LLC
Email [email protected]
Name Bjakas Raka
Organization Maka Puka
Phone 5553673755
NameServers and

Pivoting off [email protected] shows the following domains:

Domain registration dates: 2/7/2018, 11/13/2017, 9/21/2017, 9/19/2017, 9/18/2017, 9/18/2017, 9/18/2017, 9/15/2017, 9/15/2017, 9/15/2017, 9/13/2017, 9/13/2017, 9/13/2017, 9/13/2017, 9/13/2017, 9/13/2017, 9/13/2017, 9/13/2017, 9/13/2017, 9/13/2017, 9/13/2017, 8/31/2017

Googling these domains returns samples, from various sources, that were seen making DNS queries; those queries are associated with the domain generation algorithm (DGA) used by Ramnit.

The next domains used by the threat actors were and ; these were first seen on 02/19/2018. Lastly, we see the request for Seamless gate 3, hosted at . The response from the gate contains an iframe pointing to the RIG EK landing page:

File System IOCs

The payload was downloaded and detonated in %Temp%:

A copy is found in a folder under %LocalAppData%:

.log files created in %LocalAppData%:


.log file created in %ProgramData%:

It copies itself into %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\ for persistence:

Registry IOCs

Network IOCs

HTTP Traffic:
GET and POST /index.php
GET /voluum/
GET /redirect
GET /gav3.php – Seamless gate
IP literal hostname used by RIG EK
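As an added defender-side example (not code from the original post), the following Python scans constructed proxy log lines for the chain pattern above: a request to one of the listed gate paths followed, from the same client within a short window, by a request to an IP-literal hostname of the kind RIG EK used. The log format, hostnames and addresses are assumptions.

```python
import ipaddress
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log lines for illustration (not from the original post).
# Assumed format: "<ISO timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2018-02-19T10:01:02Z 10.0.0.5 GET http://legit.example/page.html 200
2018-02-19T10:01:03Z 10.0.0.5 GET http://gate.example/redirect 302
2018-02-19T10:01:04Z 10.0.0.5 GET http://gate.example/gav3.php 200
2018-02-19T10:01:05Z 10.0.0.5 GET http://203.0.113.10/?abc 200
2018-02-19T10:02:00Z 10.0.0.7 GET http://news.example/voluum/ 200
2018-02-19T10:30:00Z 10.0.0.7 GET http://198.51.100.9/update 200
"""

# Request paths that appear in the Seamless redirection chain above.
GATE_PATHS = {"/index.php", "/voluum/", "/redirect", "/gav3.php"}

def is_ip_literal(host):
    """True when the Host is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def parse(line):
    ts, client, method, url, status = line.split()
    parts = urlsplit(url)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "method": method,
            "host": parts.hostname or "", "path": parts.path or "/"}

def find_chains(log_text, window_seconds=60):
    """Clients that hit a gate path, then an IP-literal host within the window.
    An IP-literal host alone is weak evidence, so it is reported only when
    the same client touched one of the gate paths shortly before."""
    last_gate, hits = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        if r["path"] in GATE_PATHS:
            last_gate[r["client"]] = r
        elif is_ip_literal(r["host"]):
            g = last_gate.get(r["client"])
            if g and (r["ts"] - g["ts"]).total_seconds() <= window_seconds:
                hits.append((r["client"], g["path"], r["host"]))
    return hits
```

Running `find_chains(SAMPLE_LOG)` flags only 10.0.0.5; the second client's IP-literal request comes far outside the window and is ignored.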

DNS Queries:

TCP Connections:


SHA256: f21bb91150171e23b8dfc21fb52160d28d008039fdffe9ab26b48bac7a95a782
File name: RigEK Landing Page.txt

SHA256: 3e7aa5487ab1f2dc7e811e605aa60cea072d3067ca121baa9a77074b12519d67
File name: RigEK Flash Exploit.swf

SHA256: 14ca4a614156e924d077e1bf6709cd24796a1ddc92aa1ac9c0b85103fea943bd
File name: b4.exe
Hybrid-Analysis Report


Password is “infected”

