2017-12-28 - SEAMLESS CAMPAIGN CONTINUES USING RIG EK TO SEND RAMNIT BANKING TROJAN

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-12-28-Seamless-campaign-Rig-EK-sends-Ramnit.pcap.zip   1.0 MB (1,043,770 bytes)

• 2017-12-28-Seamless-campaign-Rig-EK-sends-Ramnit.pcap   (1,184,893 bytes)

• 2017-12-28-Seamless-campaign-Rig-EK-malware-and-artifacts.zip   166.8 kB (166,820 bytes)

• 2017-12-28-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)
• 2017-12-28-Rig-EK-flash-exploit.swf   (12,188 bytes)
• 2017-12-28-Rig-EK-landing-page.txt   (96,421 bytes)
• 2017-12-28-Rig-EK-payload-Seamless-campaign-Ramnit-bilo400.exe   (165,888 bytes)

NOTES:

• Although Rig exploit kit (EK) is still active, I haven't bothered posting anything in recent months, because it really hasn't changed much.
• For example, the Seamless campaign is still using Rig EK to push the Ramnit banking Trojan.
• Thanks to @nao_sec for the various tweets and documentation at traffic.moe on recent Rig EK activity.
• Also thanks to @DynamicAnalysis, @BroadAnalysis, and @Zerophage1337, who have posted pcaps of Rig EK traffic on their respective blogs.
• Finally, thanks to others like @jeromesegura, @cyber_attacks, @VK_Intel, and @thlnk3r who have tweeted or published information about Rig EK in recent months.

 

DOCUMENTATION ON THE SEAMLESS CAMPAIGN:

• 2017-05-11 - ISC Diary - Seamless Campaign using Rig Exploit Kit to send Ramnit Trojan
• 2017-05-17 through 2017-11-12 - Malware Breakdown - various blog posts on the Seamless campaign
• 2017-06-02 - Malware-Traffic-Analysis.net - Seamless campaign continues using Rig EK to send Ramnit
• 2017-08-25 - Malware-Traffic-Analysis.net - Seamless campaign Rig EK sends Ramnit
• 2017-12-04 - MalwareBytes blog - Seamless campaign serves RIG EK via Punycode
• 2017-12-25 - traffic.moe - Seamless->RigEK->Ramnit

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 178.21.10[.]68 port 80 - 178.21.10[.]68 - GET /444.php   (redirector used in Seamless campaign)
• 176.57.214[.]103 port 80 - 176.57.214[.]103 - Rig EK
• 198.105.244[.]228 port 443 - attempted TCP connections caused by Ramnit
• Attempted connectivity checks to google.com caused by Ramnit
• 194.97.109.[1]08 port 443 - Ramnit post-infection traffic
• Various DNS requests for DGA-style domains caused by Ramnit

 

Shown above:  One of the TCP streams for the Ramnit post-infection traffic.

 

FILE HASHES

RIG EK FLASH EXPLOIT:

• SHA256 hash:  1559f7077fd5540f4c5e882134b57f3dc02091d49597b0c8a8c963908209ab15
• File size:  12,188 bytes

MALWARE PAYLOAD SENT BY RIG EK (RAMNIT FROM THE SEAMLESS CAMPAIGN):

• SHA256 hash:  08875f1b26f8cdaa139402559d6716dba973c8f9449decb19343fbf24a58d11f
• File size:  165,888 bytes
• File location:  C:\Users\[username]\AppData\Local\Temp\bilo400.exe
  
• File location:  C:\Users\[username]\AppData\Local\Temp\evbxwuhh.exe
  
• File location:  C:\Users\[username]\AppData\Local\Temp\lciqusvc.exe
  
• File location:  C:\Users\[username]\AppData\Local\Temp\omrwevtw.exe
  
• File location:  C:\Users\[username]\AppData\Local\Temp\uajsplbe.exe
  
• File location:  C:\Users\[username]\AppData\Local\mtrgfirn\uajsplbe.exe

 

IMAGES

Shown above:  Some alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.

 

Shown above:  Some alerts on the infection traffic from the Snort subscriber ruleset when reading the pcap with Snort 2.9.11.

 

Shown above:  Ramnit banking Trojan made persistent on the infected Windows host.

 

Click here to return to the main page.