Rig Exploit Kit via Seamless malvertising delivers Ramnit banking malware

NOTES

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-09-07-Rig-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 34.197.246.200 – 15cen.redirectvoluum.com – Seamless-associated redirect
  • 194.58.40.7 – GET /lol1.php – Redirect to Rig EK
  • 188.225.82.139 – Rig EK landing page
  • 194.87.94.52 – ghegwkspdappp.com – Ramnit C2
  • 194.87.99.160 – TCP port 443 – SYN only
  • 46.173.218.123 – TCP port 443 – SYN only
  • 87.106.190.153 – TCP port 443 – SYN only
  • 194.58.112.174 – TCP port 443 – SYN only

DNS Queries Associated with Ramnit:

  • pqvicocbv.com – ns2.torpig-sinkhole.org
  • vwfkrykqcrfupdkfphj.com
  • wcbjmxitybhaxdhxxob.com
  • ghegwkspdappp.com
  • lhdlsscgbnkj.com
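The indicator lists above are the kind of thing an analyst sweeps DNS and connection logs for, so here is an added Python example (not tooling from the original post) that does exactly that. It copies the domains and IPs from the lists above into lookup tables and runs them over a few constructed, simplified log lines; the space-separated log format, the Zeek-style "S0" state for a SYN with no reply, and the sample timestamps and internal host 10.0.0.5 are all assumptions made here, not anything taken from the pcap.

```python
"""Sweep constructed DNS and connection log lines against the Rig EK /
Seamless / Ramnit indicators listed in the post.  Added example; the log
shape ("ts src dst dport state" and "ts src qname answer") is assumed."""
from collections import Counter

# Domains and IPs copied from the indicator lists above.
IOC_DOMAINS = {
    "15cen.redirectvoluum.com": "Seamless redirect",
    "ghegwkspdappp.com": "Ramnit C2",
    "pqvicocbv.com": "Ramnit DNS (sinkholed)",
    "vwfkrykqcrfupdkfphj.com": "Ramnit DNS",
    "wcbjmxitybhaxdhxxob.com": "Ramnit DNS",
    "lhdlsscgbnkj.com": "Ramnit DNS",
}
IOC_IPS = {
    "34.197.246.200": "Seamless redirect",
    "194.58.40.7": "Redirect to Rig EK",
    "188.225.82.139": "Rig EK landing page",
    "194.87.94.52": "Ramnit C2",
    "194.87.99.160": "Ramnit SYN-only 443",
    "46.173.218.123": "Ramnit SYN-only 443",
    "87.106.190.153": "Ramnit SYN-only 443",
    "194.58.112.174": "Ramnit SYN-only 443",
}

# Constructed sample records.  Connection state follows the Zeek convention
# (SF = normal establish/teardown, S0 = SYN seen, no reply); 93.184.216.34 is
# a benign control destination.
SAMPLE_CONN = """\
1504800001 10.0.0.5 34.197.246.200 80 SF
1504800003 10.0.0.5 194.58.40.7 80 SF
1504800004 10.0.0.5 188.225.82.139 80 SF
1504800010 10.0.0.5 194.87.94.52 80 SF
1504800011 10.0.0.5 194.87.99.160 443 S0
1504800012 10.0.0.5 46.173.218.123 443 S0
1504800013 10.0.0.5 93.184.216.34 443 SF
"""
SAMPLE_DNS = """\
1504800009 10.0.0.5 pqvicocbv.com ns2.torpig-sinkhole.org
1504800009 10.0.0.5 vwfkrykqcrfupdkfphj.com NXDOMAIN
1504800010 10.0.0.5 ghegwkspdappp.com 194.87.94.52
1504800013 10.0.0.5 example.com 93.184.216.34
"""


def triage_conn(text):
    """Return (src, dst, dport, state, label) for every connection whose
    destination is in the IP indicator list."""
    hits = []
    for line in text.splitlines():
        _ts, src, dst, dport, state = line.split()
        if dst in IOC_IPS:
            hits.append((src, dst, int(dport), state, IOC_IPS[dst]))
    return hits


def syn_only_443(text):
    """Destinations on port 443 that only ever produced S0 (SYN, no reply).
    Ramnit's dead C2 probes in the post look exactly like this, and the
    pattern is worth hunting even when the IPs are not yet on a list."""
    states = {}
    for line in text.splitlines():
        _ts, _src, dst, dport, state = line.split()
        if dport == "443":
            states.setdefault(dst, set()).add(state)
    return sorted(dst for dst, seen in states.items() if seen == {"S0"})


def triage_dns(text):
    """Flag queries for listed domains or answers that resolve to a sinkhole,
    and count NXDOMAIN replies per source (a DGA host racks these up)."""
    hits = []
    nxdomain_per_src = Counter()
    for line in text.splitlines():
        _ts, src, qname, answer = line.split()
        reasons = []
        if qname in IOC_DOMAINS:
            reasons.append(IOC_DOMAINS[qname])
        if "sinkhole" in answer:
            reasons.append("answer points at a sinkhole")
        if answer == "NXDOMAIN":
            nxdomain_per_src[src] += 1
        if reasons:
            hits.append((src, qname, answer, "; ".join(reasons)))
    return hits, dict(nxdomain_per_src)


if __name__ == "__main__":
    for hit in triage_conn(SAMPLE_CONN):
        print("CONN ", hit)
    print("SYN-only 443:", syn_only_443(SAMPLE_CONN))
    dns_hits, nx = triage_dns(SAMPLE_DNS)
    for hit in dns_hits:
        print("DNS  ", hit)
    print("NXDOMAIN counts:", nx)
```

Matching on the exact indicator lists catches this specific infection; the two behavioural checks (SYN-only attempts to 443 and a sinkhole or NXDOMAIN answer to a long random-looking name) are what carry over to the next Ramnit sample, whose DGA domains and C2 IPs will differ.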


IMAGES AND DETAILS OF INFECTION CHAIN:

  • Network traffic associated with the Rig exploit kit and the delivery of Ramnit banking malware
  • DNS traffic associated with Ramnit banking malware
  • Redirect associated with the Seamless malvertising campaign
  • Redirect to the Rig Exploit Kit landing page
  • Post-infection traffic associated with Ramnit banking malware


MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: