# Seamless Campaign Delivers Ramnit via RIG EK at 188.225.82.158. Follow-up Malware is AZORult Stealer. **[malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/](https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/)** November 12, 2017 _Note: I took a bit of break, but I will try to get back to posting more regularly._ Today’s infection chain is a familiar one as it includes the Seamless campaign delivering Ramnit banking Trojan via RIG exploit kit. Below is an image of the infection chain, specifically the HTTP requests: The infection chain starts off with a normal site and some ad traffic. The HTTP request for ad traffic redirects to an XML feed serving ads. The XML feed returned a 302 Found, pointing to hxxp://flinsheer-perreene[.]com/voluum/: We then see a series of 3XX redirects: hxxp://flinsheer-perreene[.]com/voluum/ -> hxxp://194[.]58[.]38[.]57/usa via a 302 Found hxxp://194[.]58[.]38[.]57/usa -> /usa/ via a 301 Moved Permanently /usa/ returns the following JavaScript, which POST information back to /usa/: ----- [Further breakdown of the code can be seen HERE.](https://malwarebreakdown.com/2017/09/19/seamless-malvertising-campaign-leads-to-rig-ek-and-drops-ramnit-follow-up-malware-is-azorult-stealer/) Typically, it would be at this point that unwanted connections would be filtered out and redirected to a benign site, however I didn’t run any further test for verification. The server returns a 200 OK and points to the next step in the redirection chain via window.location.href=hxxp://flinsheerperreene[.]com/voluum/cebddddb-0f28-4087-99c3-690fa79f4804??track=48tmsGdksmgj383P=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx The response to that request is shown below: ----- We see a meta refresh, redirecting to hxxp://kcsmj[.]redirectvoluum[.]com:80/redirect? target=BASE64aHR0cDovLzE5NC41OC40MC4xOTMvdGVzdDIyLnBocA&ts=xxxxxxxxxxxxx&hash=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx after 0 seconds (bolded string in URI is Base64 encoded). This redirect leads to another response containing one more meta refresh: This meta refresh happens immediately, redirecting to hxxp://194[.]58[.]40[.]193/test22.php test22.php returns an iframe that contains the RIG EK landing page at 188.225.82.158: ----- After this long redirection chain, RIG EK finally delivers Ramnit banking Trojan. File System IOCs The malware payload is placed in the user’s %TEMP% folder: It also created a copy of itself in %LOCALAPPDATA%: There is also a copy in %APPDATA%MicrosoftWindowsStart MenuProgramsStartup for persistence: ----- Modifies auto-execute functionality by setting/creating values in the registry: ``` SETVAL; Path: "HKCUSOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN"; Key: "UfyQwfyv"; Value: "%LOCALAPPDATA%mykemfpiufyqwfyv.exe" SETVAL; Path: "HKLMSOFTWAREMICROSOFTWINDOWS NTCURRENTVERSIONWINLOGON"; Key: "USERINIT"; Value: "%WINDIR%system32userinit.exe,,%LOCALAPPDATA%mykemfpiufyqwfyv.exe" ``` After restarting the machine there are two more copies of the malware placed in %TEMP%: ----- There was also a copy in %TEMP%Low: Entry for “Client” found in HKCUSoftwareAppDataLow: Creates various .log files in %LOCALAPPDATA% and %PROGRAMDATA%: ----- If you looked at the %LOCALAPPDATA% image you might have noticed another executable file called “APITEM.EXE”. This malware payload ended up being AZORult stealer and it was download by my infected host after the initial system restart. Some .tempcbss files created by AZORult are located in %TEMP%: Network Based IOCs After the system restart we could also see the DNS queries for Ramnit DGA domains: ----- Successful resolutions: ngbclncfxjdsmmribt.com – 217.20.116.140 aujastmvehxqmlbb.com – 217.20.116.140 guaevvaxrujnobfytud.com – 194.87.145.189 kofeydncog.com – 87.106.190.153 sxkallpiiknswi.com – 87.106.190.153 Callback traffic for Ramnit: 217.20.116.140:443 194.87.145.189:443 87.106.190.153:443 Below is an image of the GET request for AZORult: _[Note: Further analysis of the server delivering tutu.exe shows that it’s also hosting apis.exe and](https://www.virustotal.com/en/file/35408635b78a61972dd48935fbbeb1fce067615c3cebf4498472252fbf893914/analysis/)_ _[1.exe. 1.exe was identified as Teamspy (aka](https://www.virustotal.com/en/file/cc95870ebece2838ff9b2b8129386f015ea80d497a6c26127c9bd7abc588f2ea/analysis/)_ _[TVRAT, TVSPY, and SpY-Agent) and apis.exe was identified as DarkVNC (Thanks to @Antelox for identifying the payloads).](https://twitter.com/Antelox)_ tutu.exe was downloaded using the UA string “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”, which is Internet Explorer 6 on Windows XP SP2. AZORult was placed in %LOCALAPPDATA% and executed. Following the execution of the payload we see two POST requests: ----- Login panel: Confirmation it is AZORult: ----- Main page, passwords, and reports: ----- These threat actors have collected information on over 600+ victims in the last couple of days. There are options for reporting, saved passwords (browsers, FTP, Email, and IM), Bitcoin client files, Skype db files, Steam files, Desktop files and CC. The criminals are collecting and storing victim information in .zip files, named by the date and machine ID: Information in the .zip file includes: “Browsers” folder “AutoComplete” subfolder contains .txt files for Chromium, Chrome, Firefox, etc. “Cookies” subfolder contains similar files as the AutoComplete subfolder CookieList.txt IP.txt Passwords.txt SYSInfo.txt These files contain the IP address and location of the compromised machine, saved passwords, system information (Machine ID, file path of the malware – .exe or .dll, Operating System information, computer name, username, CPU information, total RAM, GPU information, system processes currently running, programs currently installed), and information used by browsers. Due to security reasons, I will not be giving out certain samples to the public. IOCs from Infection 52.8.143.12 – flinsheer-perreene.com – GET /voluum/ 194.58.38.57 – GET /usa and /usa/ – POST /usa/ 52.8.229.123 – kcsmj.redirectvoluum.com – GET /redirect?target=BASE64 194.58.40.193 – GET /test22.php 188.225.82.158 – IP literal hostname used by RIG EK 217.20.116.140:443 – ngbclncfxjdsmmribt.com – Ramnit 217 20 116 140:443 aujastmvehxqmlbb com Ramnit ----- 9 8 5 89 3 guae a uj ob ytud co a t 87.106.190.153:443 – kofeydncog.com – Ramnit 87.106.190.153:443 – sxkallpiiknswi.com – Ramnit Bonus IOCs Collected During My Research 85.17.29.101:80 – GET /stats/update.php?id=283233394&stat=8f995f306c06b63c100b05fdd300f962 – ET TROJAN Win32.Spy/TVRat/Shade Ransomware Checkin Uses UA string “Mozilla/5.0 (Windows NT 5.1)” 5.79.66.227:443 – Collected from apis.exe sample Hashes From Infection [SHA256: be28a10416523b9ed143f99a1153f3530565a885c5b7dfa271ebad5a31ff0fb2](https://www.virustotal.com/en/file/be28a10416523b9ed143f99a1153f3530565a885c5b7dfa271ebad5a31ff0fb2/analysis/1510439368/) File name: RigEK 188.225.82.158 landing page.txt [SHA256: 4f8ee603630bbcc55b33b2c95347fe51d1dbc50531ece60b9f15050aa1119339](https://www.virustotal.com/en/file/4f8ee603630bbcc55b33b2c95347fe51d1dbc50531ece60b9f15050aa1119339/analysis/1510439375/) File name: RigEK 188.225.82.158 Flash exploit.swf [SHA256: 5c0a56406bd98c4da687fe7bc95d0d0ca271ad38bc394e8f6c4f5ef1c47277d7](https://www.virustotal.com/en/file/5c0a56406bd98c4da687fe7bc95d0d0ca271ad38bc394e8f6c4f5ef1c47277d7/analysis/) File name: o32.tmp Bonus Hashes – Malware Found on Server Hosting AZORult [SHA256: cc95870ebece2838ff9b2b8129386f015ea80d497a6c26127c9bd7abc588f2ea](https://www.virustotal.com/en/file/cc95870ebece2838ff9b2b8129386f015ea80d497a6c26127c9bd7abc588f2ea/analysis/) File name: 1.exe [Hybrid-Analysis Report](https://www.hybrid-analysis.com/sample/cc95870ebece2838ff9b2b8129386f015ea80d497a6c26127c9bd7abc588f2ea?environmentId=100) [SHA256: 35408635b78a61972dd48935fbbeb1fce067615c3cebf4498472252fbf893914](https://www.virustotal.com/en/file/35408635b78a61972dd48935fbbeb1fce067615c3cebf4498472252fbf893914/analysis/) File name: apis.exe [Hybrid-Analysis Report](https://www.hybrid-analysis.com/sample/35408635b78a61972dd48935fbbeb1fce067615c3cebf4498472252fbf893914?environmentId=100) Downloads [Artifacts from the infection and bonus malware samples.zip](https://malwarebreakdown.com/wp-content/uploads/2017/11/Malware-samples.zip) Password is “infected” Until next time! Additional Reference for Ramnit: [https://www.cert.pl/news/single/ramnit-doglebna-analiza/ (original source)](https://www.cert.pl/news/single/ramnit-doglebna-analiza/) [https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/ (English version)](https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/) ## Published by malwarebreakdown [Just a normal person who spends their free time infecting systems with malware. View all posts by malwarebreakdown](https://malwarebreakdown.wordpress.com/author/malwarebreakdown/) -----