# The Seamless Campaign Drops Ramnit. Follow-up Malware: AZORult Stealer, Smoke Loader, etc.

malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/

July 24, 2017

Although there continues to be an overall decrease in EK activity, I'm still seeing a decent amount of malvertising leading to EKs. One campaign that I run into a lot is [Seamless](https://umbrella.cisco.com/blog/blog/2017/03/29/seamless-campaign-delivers-ramnit-via-rig-ek/). It's like other malvertising campaigns in that much of the traffic originates from streaming video sites. These kinds of sites make good targets for threat actors, as they get a lot of traffic and, more importantly, they often have poor advertising standards. The site I used for this infection chain is in Alexa's top 900 global sites and top 800 for the United States. Further analysis reveals that the site received an estimated 13,970,000 visits over the last 30 days. That's a lot of potential victims.

Below is a very basic flowchart of the infection chain:

Below is a breakdown of each of the events leading to the Seamless campaign and then to RIG EK.

syndication.exdynsrv.com returns a 302 Found and points to a new location at tqbeu.voluumtrk.com. This subdomain uses Voluum's web analytics system to collect statistical data.

We then see a GET request for a resource located at tqbeu.voluumtrk.com. The server responds with 302 Found and points to the Seamless infrastructure at 194[.]58[.]38[.]50/usa.

194[.]58[.]38[.]50/usa redirects to 194[.]58[.]38[.]50/usa/.

JavaScript on that page reads the visitor's time zone information, which is POSTed back to the server. The server responds with a script that redirects the host back to another resource located at tqbeu.voluumtrk.com.

Traffic is being filtered at this point: visitors the campaign does not want are redirected to benign sites that break the infection chain.
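Redirectors in chains like this one frequently carry the next hop Base64-encoded somewhere in the URL, as the tqbeu.redirectvoluum.com hop does in the next step. The helper below is an added example for triaging such URLs, not code from the original post: it pulls Base64-looking tokens out of a URL's path, fragment and query, decodes them while tolerating the URL-safe alphabet and stripped padding (both common in trackers), and keeps only tokens that decode to something URL-shaped. The sample URLs are constructed for the demo; tracker.example, r.example, gate.example and the encoded values are assumptions, though the path sample encodes the gate path listed in this post's IOCs.

```python
"""Pull Base64-encoded strings out of a URL and report the ones that decode to
another URL or host, a common trick in malvertising redirectors.  Added example
for triaging chains like the one above; not code from the original post."""
from __future__ import annotations
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Candidate tokens: 16+ characters from the standard or URL-safe Base64 alphabet
# plus optional padding.  Shorter runs are skipped to avoid matching plain words.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")
# What a useful decode looks like: a URL, or a bare hostname/IP with optional path.
_LOOKS_LIKE_TARGET = re.compile(
    r"^(?:https?:)?(?://)?"
    r"(?:(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}|(?:\d{1,3}\.){3}\d{1,3})"
    r"(?::\d+)?(?:/\S*)?$"
)


def _decode_token(token: str) -> str | None:
    """Decode one token, tolerating the URL-safe alphabet and stripped padding."""
    normalised = token.replace("-", "+").replace("_", "/").rstrip("=")
    normalised += "=" * (-len(normalised) % 4)
    try:
        text = base64.b64decode(normalised, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def candidate_tokens(url: str) -> list[str]:
    """Collect Base64-looking tokens from the path, fragment and query of a URL."""
    parts = urlsplit(url)
    fields = [unquote(seg) for seg in parts.path.split("/")]
    fields.append(unquote(parts.fragment))
    # Split the query by hand: parse_qsl() would turn '+' into a space and
    # mangle standard-alphabet tokens; unquote() leaves '+' alone.
    for pair in parts.query.split("&"):
        fields += [unquote(piece) for piece in pair.split("=")]
    found: list[str] = []
    for field in fields:
        found += _B64_TOKEN.findall(field)
    return list(dict.fromkeys(found))          # dedupe, keep first-seen order


def decode_embedded_urls(url: str) -> list[tuple[str, str]]:
    """Return (token, decoded) pairs whose decoded value looks like a next hop."""
    hits = []
    for token in candidate_tokens(url):
        decoded = _decode_token(token)
        if decoded and _LOOKS_LIKE_TARGET.match(decoded.strip()):
            hits.append((token, decoded.strip()))
    return hits


# Constructed samples (assumptions, not the campaign's real parameters):
# a tracker redirect carrying the next hop as an unpadded URL-safe query value,
# and a redirector carrying it as a path segment.  The second one encodes the
# gate path listed in this post's IOCs.
SAMPLE_HOP = base64.urlsafe_b64encode(b"http://gate.example/signup4.php").decode().rstrip("=")
SAMPLE_QUERY_URL = f"https://tracker.example/redirect?u={SAMPLE_HOP}&cid=abc123"
SAMPLE_PATH_URL = "https://r.example/go/MTk0LjU4LjU4LjcwL3NpZ251cDQucGhw"

if __name__ == "__main__":
    for sample in (SAMPLE_QUERY_URL, SAMPLE_PATH_URL):
        for token, target in decode_embedded_urls(sample):
            print(f"{sample}\n  {token} -> {target}")
```

Feed it the redirect URLs from a proxy log or a pcap export one at a time; anything it prints is a hop you can pivot on without replaying the chain. The filter on URL-shaped output matters: tracker URLs are full of long random identifiers that happen to be valid Base64, and decoding those produces binary noise that the target check throws away.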
Continuing with the infection chain, we see tqbeu.voluumtrk.com redirect to tqbeu.redirectvoluum.com. This time the URL contains some Base64-encoded data, which decodes to the Seamless gate.

The Seamless gate returns an iframe containing the location of the RIG EK landing page.

Seamless continues to drop Ramnit (qzsn3aad.exe, found in %TEMP%) via RIG EK. Post-infection Ramnit traffic shows DNS queries for DGA domains.

Active C2 traffic via TCP port 443:

- 185.118.65.143 – hdyejdn638ir8.com
- 46.17.44.131 – eppixrakqeueuttiuvi.com
- 185.159.129.127 and 194.58.112.174 – tmgmgjcvt.com

After the initial malware payload dropped, I decided to restart my host and noticed additional downloads for "satbin.exe" (AKA V3.exe and javasch.exe), "AU2_EXEsd.exe" and "Loader.exe" (AKA Lw321.exe), which were all located at steelskull[.]com. Steelskull.com, created on 11/16/2015, appears to be a hacked site that sells steel biker jewelry in the shape of skulls.

Below is an image of the GET and POST requests associated with the malvertising chain, RIG EK activity, additional downloads, and the post-infection traffic.

The first GET request for additional files after I restarted my host was for satbin.exe. Running satbin.exe (AKA V3.exe and javasch.exe) generated POST requests to 103.253.27.234/teststeal/gate.php.
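The Ramnit DGA lookups above, the POSTs to gate.php-style panels, the fixed MSIE 6.0 User-Agent quoted next, the api.ipify.org lookup and the Namecoin .bit name that turns up with Smoke Loader later in this write-up are all cheap to hunt for in DNS and proxy logs. The script below is an added example, not code from the original post: it scores query names with a simple DGA heuristic and matches HTTP requests against the indicators from the IOCs section. The log formats, the sample log lines and the scoring thresholds are assumptions; the thresholds were tuned on the three Ramnit names in the post, so treat them as a starting point rather than a classifier.

```python
"""Triage constructed DNS and HTTP proxy log lines for the post-infection
patterns in this write-up.  Added example, not code from the original post;
log formats, sample lines and scoring thresholds are assumptions, the
indicator values are taken from the post's IOC section."""
from __future__ import annotations
import math
import re
from collections import Counter

C2_DOMAINS = {"hdyejdn638ir8.com", "eppixrakqeueuttiuvi.com", "tmgmgjcvt.com",
              "parking-services.us", "zabugrom.bit"}
C2_IPS = {"185.118.65.143", "46.17.44.131", "185.159.129.127", "194.58.112.174",
          "103.253.27.234", "185.100.222.41", "109.169.89.50"}
PANEL_PATHS = ("/gate.php", "/smk2/")                 # matched with endswith()
LEGACY_UA = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
             ".NET CLR 1.1.4322; .NET CLR 2.0.50727)")
IP_CHECK_HOSTS = {"api.ipify.org"}
ALT_ROOT_TLDS = {"bit"}              # Namecoin; not served by the public DNS root
IP_LITERAL = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}$")
VOWELS = set("aeiou")
DGA_THRESHOLD = 2                    # assumption: tuned on the three names in the post

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def longest_nonvowel_run(s: str) -> int:
    best = run = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best

def dga_score(domain: str) -> int:
    """Heuristic score for the label left of the TLD (naive split, no PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else ""
    if not label:
        return 0
    score = 0
    if sum(ch in VOWELS for ch in label) / len(label) < 0.2:
        score += 2                                   # unpronounceable
    if any(ch.isdigit() for ch in label) and any(ch.isalpha() for ch in label):
        score += 1                                   # letters mixed with digits
    if len(label) >= 15:
        score += 1                                   # unusually long
    if shannon_entropy(label) >= 3.2:
        score += 1                                   # little repetition
    if longest_nonvowel_run(label) >= 5:
        score += 1                                   # long consonant/digit run
    return score

def check_dns(line: str) -> list[str]:
    """Assumed format: '<timestamp> <client_ip> <qname> <qtype>'."""
    _ts, _client, qname, _qtype = line.split()
    name = qname.lower().rstrip(".")
    reasons = []
    if name in C2_DOMAINS:
        reasons.append("known C2 domain")
    if name.rsplit(".", 1)[-1] in ALT_ROOT_TLDS:
        reasons.append("alternative-root TLD")
    if name in IP_CHECK_HOSTS:
        reasons.append("external IP lookup service")
    if (score := dga_score(name)) >= DGA_THRESHOLD:
        reasons.append(f"DGA-like name (score {score})")
    return reasons

def check_http(line: str) -> list[str]:
    """Assumed format: '<timestamp> <client_ip> <method> <host> <path> <status> "<user-agent>"'."""
    _ts, _client, method, host, path, _status, ua = line.split(" ", 6)
    ua = ua.strip('"')
    reasons = []
    if host in C2_DOMAINS or host in C2_IPS:
        reasons.append("known C2 host")
    if method == "POST" and path.endswith(PANEL_PATHS):
        reasons.append("POST to a stealer/loader panel path")
    if method == "POST" and IP_LITERAL.match(host):
        reasons.append("POST to an IP-literal host")
    if ua == LEGACY_UA:
        reasons.append("hardcoded MSIE 6.0 User-Agent")
    if host in IP_CHECK_HOSTS:
        reasons.append("external IP lookup service")
    return reasons

def triage(dns_lines, http_lines) -> list[tuple[str, list[str]]]:
    checked = [(l, check_dns(l)) for l in dns_lines] + [(l, check_http(l)) for l in http_lines]
    return [(line, reasons) for line, reasons in checked if reasons]

# Constructed sample logs (assumption), one event per line, from one client.
BENIGN_UA = "Mozilla/5.0 (Windows NT 6.1; rv:54.0) Gecko/20100101 Firefox/54.0"
DNS_LOG = [
    "2017-07-24T10:00:01Z 10.0.0.5 www.google.com A",
    "2017-07-24T10:00:02Z 10.0.0.5 hdyejdn638ir8.com A",
    "2017-07-24T10:00:03Z 10.0.0.5 eppixrakqeueuttiuvi.com A",
    "2017-07-24T10:00:04Z 10.0.0.5 tmgmgjcvt.com A",
    "2017-07-24T10:00:05Z 10.0.0.5 windowsupdate.microsoft.com A",
    "2017-07-24T10:00:06Z 10.0.0.5 api.ipify.org A",
    "2017-07-24T10:00:07Z 10.0.0.5 zabugrom.bit A",
]
HTTP_LOG = [
    f'2017-07-24T10:01:00Z 10.0.0.5 GET www.google.com / 200 "{BENIGN_UA}"',
    f'2017-07-24T10:01:05Z 10.0.0.5 GET api.ipify.org / 200 "{LEGACY_UA}"',
    f'2017-07-24T10:01:06Z 10.0.0.5 POST 103.253.27.234 /teststeal/gate.php 200 "{LEGACY_UA}"',
    f'2017-07-24T10:01:09Z 10.0.0.5 POST parking-services.us /gate.php 200 "{BENIGN_UA}"',
    f'2017-07-24T10:01:12Z 10.0.0.5 POST zabugrom.bit /smk2/ 200 "{BENIGN_UA}"',
]

if __name__ == "__main__":
    for line, reasons in triage(DNS_LOG, HTTP_LOG):
        print(f"{line}\n    -> {'; '.join(reasons)}")
```

Two design notes. The DGA score is deliberately additive and weak per feature: eppixrakqeueuttiuvi.com is vowel-heavy and only trips on length and entropy, while tmgmgjcvt.com is short and only trips on having no vowels at all, so any single feature would miss one of them; expect long compound names (streaming, update, CDN labels) to score 2 as well, which is why the known-indicator matches and the behavioural HTTP checks (POST to an IP literal, POST to a gate.php path) are listed separately rather than folded into the score. The .bit check is the cheapest signal of the lot: a Namecoin name can only have resolved through a non-standard resolver, so a query for any .bit name on a corporate resolver is worth an alert on its own.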
The User-Agent used during these POST requests was "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)". We can also see it using api.ipify.org to grab the host's external IP address.

Further research shows that satbin.exe (AKA V3.exe, found in %LOCALAPPDATA%, and javasch.exe, found in %APPDATA%) dropped javasch.js in %APPDATA%.

Opening javasch.js.txt in Notepad++ shows a lot of garbage; however, switching the language to JavaScript quickly reveals the real code.

Credit to my friend "IRDivision".

Login panel:

The second GET request for additional files after I restarted my host was for AU2_EXEsd.exe, which was identified by [@Antelox](https://twitter.com/Antelox) (thanks again!) as AZORult Stealer.

Logo for AZORult Stealer

Post-infection traffic caused by AZORult shows POST requests to parkingservices.us/gate.php, which currently resolves to 185.100.222.41.

Login panel:

Below is a list of capabilities offered by AZORult Stealer, as advertised by its seller:

Steals saved passwords from the following programs (browsers, email, FTP, IM):

- Google Chrome
- Google Chrome x64
- YandexBrowser
- Opera
- Mozilla Firefox
- InternetMailRu
- ComodoDragon
- Amigo
- Bromium
- Chromium
- Outlook
- Thunderbird
- Filezilla
- Pidgin
- PSI
- PSI Plus

Steals cookies from browsers and forms (form history, autofill):

- Google Chrome
- Google Chrome x64
- YandexBrowser
- Opera
- Mozilla Firefox
- InternetMailRu
- ComodoDragon
- Amigo
- Bromium
- Chromium

Bitcoin client's files: collects wallet.dat files from popular bitcoin clients (bitcoin, litecoin, etc).

Skype message history: grabs files from chat history. Files are read with special utilities.

Desktop files grabber: collects files with specified extensions from Desktop. Filter by file size.
Recursively searches files in folders.

- List of installed programs
- List of running processes
- Username, computer name, OS, RAM

Images taken from forums:

AZORult sample reversed by Vitali Kremez: [http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html](http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html)

The third download was for Loader.exe (AKA Lw321.exe), which was identified by Hybrid Analysis and [@Antelox](https://twitter.com/Antelox) as Smoke Loader. Post-infection traffic from this sample shows POST requests to zabugrom.bit/smk2/, resolving to 109.169.89.50. Note that .bit is a Namecoin name space rather than a TLD in the public DNS root, so a host that resolves a .bit name has done so through a non-standard resolver; a query for any .bit name on an enterprise resolver is worth an alert on its own.

## Additional Pictures of the File System After Infection

## IOCs

- 52.52.15.205 – tqbeu.voluumtrk.com
- 54.183.53.133 – tqbeu.redirectvoluum.com
- 194.58.38.50 – Seamless campaign
- 194.58.58.70 – GET /signup4.php – Seamless gate
- 188.225.87.49 – RIG EK
- 185.118.65.143 – hdyejdn638ir8.com – Ramnit C2
- 46.17.44.131 – eppixrakqeueuttiuvi.com – Ramnit C2
- 185.159.129.127 and 194.58.112.174 – tmgmgjcvt.com – Ramnit C2
- 46.105.57.169 – steelskull.com – Hacked site serving up malware
- 185.100.222.41 – parking-services.us – POST /gate.php – AZORult stealer
- 103.253.27.234 – POST /teststeal/gate.php
- 109.169.89.50 – zabugrom.bit – POST /smk2/ – Smoke Loader

## Hashes

- [SHA256: 83df67f6fcec4015d345684e31773eb3488295703de09306eadf34fe3bc0b420](https://www.virustotal.com/en/file/83df67f6fcec4015d345684e31773eb3488295703de09306eadf34fe3bc0b420/analysis/1500852884/) – File name: RIG EK landing page at 188.225.87.49.txt
- [SHA256: 5aa4502dc361d3d913ea5443c15e59831bc1db3b696f0d5347442744b36e957b](https://www.virustotal.com/en/file/5aa4502dc361d3d913ea5443c15e59831bc1db3b696f0d5347442744b36e957b/analysis/1500852872/) – File name: Flash exploit from RIG EK at 188.225.87.49.swf
- [SHA256: e98a80523922ac53858990234332cb9ba4c74ee4d3e2c5764d4d7b1fb7f84e10](https://www.virustotal.com/en/file/e98a80523922ac53858990234332cb9ba4c74ee4d3e2c5764d4d7b1fb7f84e10/analysis/) – File name: o32.tmp
- [SHA256: 7c73071a01fd77c06e43f4500201cd2eb20991bbb4116ae47e07b6864ad0b58e](https://www.virustotal.com/en/file/7c73071a01fd77c06e43f4500201cd2eb20991bbb4116ae47e07b6864ad0b58e/analysis/) – File name: qzsn3aad.exe
- [SHA256: babd9eb251ebebe53fda65c3d070200c1362b6d8cc619543b3d31c433d8608bb](https://www.virustotal.com/en/file/babd9eb251ebebe53fda65c3d070200c1362b6d8cc619543b3d31c433d8608bb/analysis/) – File name: satbin.exe (AKA V3.exe and javasch.exe)
- [SHA256: cf3459cf29125101f5bea3f4206d8e43dbe097dd884ebf3155c49b276736f727](https://www.virustotal.com/en/file/cf3459cf29125101f5bea3f4206d8e43dbe097dd884ebf3155c49b276736f727/analysis/) – File name: AU2_EXEsd.exe
- [SHA256: 0b5d583fd8b03e642707678800199d265bfea5563dbde982479222365af01d24](https://www.virustotal.com/en/file/0b5d583fd8b03e642707678800199d265bfea5563dbde982479222365af01d24/analysis/) – File name: Loader.exe (AKA Lw321.exe)

## Downloads

- [Malicious Artifacts.zip](https://malwarebreakdown.com/wp-content/uploads/2017/07/malicious-artifacts.zip) – password is "infected"

Until next time!

## Published by malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.