2017-06-02 - SEAMLESS CAMPAIGN CONTINUES USING RIG EK TO SEND RAMNIT

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2017-06-02-Seamless-Rig-EK-sends-Ramnit-pcaps.zip   2.0 MB (2,028,248 bytes)

• 2017-06-02-Seamless-Rig-EK-sends-Ramnit-1st-run.pcap   (1,309,272 bytes)
• 2017-06-02-Seamless-Rig-EK-sends-Ramnit-2nd-run.pcap   (1,070,828 bytes)

• ZIP archive of the malware and artifacts:  2017-06-02-Seamless-Rig-EK-sends-Ramnit-malware-and-artifacts.zip   257 kB (257,239 bytes)

• 2017-06-02-Rig-EK-landing-page-1st-run.txt   (26,904 bytes)
• 2017-06-02-Rig-EK-landing-page-2nd-run.txt   (26,901 bytes)
• 2017-06-02-Seamless-Rig-EK-payload-Ramnit-1st-run.exe   (162,816 bytes)
• 2017-06-02-Seamless-Rig-EK-payload-Ramnit-2nd-run.exe   (162,816 bytes)

NOTES:

• Thanks to @thlnk3r tweeting about a referer for Rig EK from the Seamless campaign.
• As @nao_sec reported earlier today, it appears Rig EK is no longer using Flash exploits starting sometime on 2017-06-01 (link).
• Don't know if this is temporary or permanent, but I've already set out the virtual tombstone.

 

SOME BACKGROUND ON THE SEAMLESS CAMPAIGN:

• 2017-03-29 - Cisco Umbrella Blog - 'Seamless' campaign delivers Ramnit via Rig EK
• 2017-05-11 - ISC Diary - Seamless Campaign using Rig Exploit Kit to send Ramnit Trojan
• 2017-05-17 - Malware Breakdown - Seamless Malvertising Campaign Leads to Rig EK at 185.154.53.33 and Drops Ramnit
• 2017-05-31 - Malware Breakdown - Seamless Campaign Still Redirecting to Rig EK and Dropping Ramnit

 

Shown above:  Tweet from @thlnk3r yesterday with a Seamless campaign URL.

 

TRAFFIC

Shown above:  Traffic from the 1st run filtered in Wireshark.

 

Shown above:  Traffic from the 2nd run filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 81.177.165.194 port 80 - 81.177.165.194 - Rig EK (1st run)
• 5.101.77.64 port 80 - free.crystallandis.com - Rig EK (2nd run)
• 188.93.211.166 port 443 - atw82ye63ymdp.com - HTTPS/SSL/TLS traffic caused by Ramnit
• Attempted connectivity checks to google.com
• Scans to other IP addresses internally (10.6.0.0/16) targeting TCP ports 110 (POP3) and 139 (NBNS)

 

FILE HASHES

MALWARE PAYLOAD (RAMNIT) - 1ST RUN:

• SHA256 hash:  1cec6181f1959c0f74b97ccefc9506b9447061d970dabc5c7e0688e9547b71a2
• File size:  162,816 bytes
• File location:  C:\Users\[username]\AppData\Local\Temp\[random numbers and letters].exe

MALWARE PAYLOAD (RAMNIT) - 2ND RUN:

• SHA256 hash:  c9907e55f0d5592ff335d35708baeb186e11300df90aa3aef1a142344ecc493f
• File size:  162,816 bytes
• File location:  C:\Users\[username]\AppData\Local\Temp\[random numbers and letters].exe

 

OTHER IMAGES

Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil and tcpreplay on Security Onion.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2017-06-02-Seamless-Rig-EK-sends-Ramnit-pcaps.zip   2.0 MB (2,028,248 bytes)
• ZIP archive of the malware and artifacts:  2017-06-02-Seamless-Rig-EK-sends-Ramnit-malware-and-artifacts.zip   257 kB (257,239 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.