Malware-Traffic-Analysis.net - 2018-02-12 - Seamless campaign continues using Rig EK to send Ramnit

2018-02-12 - SEAMLESS CAMPAIGN USING RIG EK TO SEND RAMNIT

ASSOCIATED FILES:

Zip archive of the pcap: 2018-02-12-Seamless-campaign-Rig-EK-pcaps.zip 486 kB (486,032 bytes)

2018-02-12-Seamless-campaign-Rig-EK-1st-run.pcap (294,386 bytes)

2018-02-12-Seamless-campaign-Rig-EK-2nd-run.pcap (259,317 bytes)

Zip archive of the artifacts and malware: 2018-02-28-Seamless-campaign-Rig-EK-artifacts-and-malware.zip 296 kB (296,202 bytes)

2018-02-12-Rig-EK-artifact-u32.tmp.txt (1,141 bytes)

2018-02-12-Rig-EK-flash-exploit.swf (13,174 bytes)

2018-02-12-Rig-EK-landing-page-1st-run.txt (95,694 bytes)

2018-02-12-Rig-EK-landing-page-2nd-run.txt (95,634 bytes)

2018-02-12-Seamless-campaign-Rig-EK-payload-Ramnit-1st-run.exe (186,368 bytes)

2018-02-12-Seamless-campaign-Rig-EK-payload-Ramnit-2nd-run.exe (186,368 bytes)

SOME DOCUMENTATION ON THE SEAMLESS CAMPAIGN:

2017-03-29 - Cisco Umbrella Blog - 'Seamless' campaign delivers Ramnit via Rig EK
2017-05-11 - ISC Diary - Seamless Campaign using Rig Exploit Kit to send Ramnit Trojan
2017-05-17 through 2018-01-16 - Malware Breakdown - various blog posts on the Seamless campaign
2017-06-02 - Malware-Traffic-Analysis.net - Seamless campaign continues using Rig EK to send Ramnit
2017-08-25 - Malware-Traffic-Analysis.net - Seamless campaign Rig EK sends Ramnit
2017-09-07 through 2017-11-10 - Broadanalysis.com - various blog posts titled: Rig Exploit Kit via Seamless malvertising delivers Ramnit banking malware
2017-12-04 - MalwareBytes blog - Seamless campaign serves RIG EK via Punycode
2017-12-25 - traffic.moe - Seamless->RigEK->Ramnit
2018-01-02 - www.nao-sec.org - Analyzing Ramnit used in Seamless campaign
2018-01-09 - traffic.moe - Seamless->RigEK->Ramnit
2018-01-25 - traffic.moe - Seamless->RigEK->Ramnit
2018-01-26 - traffic.moe - Seamless->RigEK->Ramnit
2018-01-29 - Malware-Traffic-Analysis.net - Three days of Seamless campaign Rig EK pushing Gandcrab ransomware
2018-01-30 - traffic.moe - Seamless->RigEK->Ramnit

WEB TRAFFIC BLOCK LIST

Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains:

bugi1man.info
hshshshsussiiwuwyw.com
chceoqemftwldiucf.com
ghnsonrgujyymhvvg.com
swwqmpjpvdbxsjos.com
usrfyjueaneumqx.com
gjvublwgk.com
ejnpulri.com

ahghbjoutgpituoybn.com
bnibihajibsrqvycxv.com
cakmbyctbvnnadmly.com
eakrbfndtxvub.com
ejnpulri.com
fpbagtcbmcdcyeu.com
qdxbgtalumvj.com
rikbrsqoyjjpb.com
sxavjnfrwwrq.com
toersratxvnjtsaqdp.com
tykjmixnmdpcukb.com
ufylrewmo.com
uwyarxuxharsm.com
wqxufotucvawktbqx.com
xeanmjcieuxgr.com

TRAFFIC

Shown above: Infection traffic in Wireshark (1st pcap).

INFECTION TRAFFIC:

31.31.196.81 port 80 - bugi1man.info - GET /gav3.php (Seamless gate)
188.225.56.169 port 80 - 188.225.56.169 - Rig EK (1st run)
92.53.127.115 port 80 - 92.53.127.115 - Rig EK (2nd run)
Attempted connections to google.com
194.87.92.204 port 443 - hshshshsussiiwuwyw.com - Attempted TCP connections but RST from server
194.87.146.72 port 443 - chceoqemftwldiucf.com - Ramnit post-infection traffic
208.100.26.251 port 443 - ghnsonrgujyymhvvg.com - Ramnit post-infection traffic
217.20.116.145 port 443 - swwqmpjpvdbxsjos.com - Ramnit post-infection traffic
217.20.116.145 port 443 - usrfyjueaneumqx.com - Ramnit post-infection traffic
87.106.190.153 port 443 - gjvublwgk.com - Ramnit post-infection traffic
89.185.44.100 port 443 - ejnpulri.com - Ramnit post-infection traffic
195.22.26.248 port 443 - ejnpulri.com - Ramnit post-infection traffic