Rig Exploit Kit via Seamless malvertising delivers Ramnit banking malware

NOTES

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-10-20-Rig-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 52.49.126.125 – paremated-conproxy.com – GET /voluum/ – Seamless associated redirect
  • 52.209.53.14 – 15cen.redirectvoluum.com – Seamless associated redirect
  • 194.58.58.121 – GET /test4.php – Seamless associated redirect
  • 188.225.9.112 – Rig EK Landing Page
  • 185.159.131.98 – tcp Port 443 – kkgwwanjfddarjjcsni.com – Ramnit C2
  • 87.106.190.153 – Syn only – wbcvrqownuvi.com – Ramnit C2


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig exploit and the delivery of Ramnit banking malware

Shown above: DNS traffic associated with Ramnit banking malware

Shown above: First redirect associated with the Seamless malvertising campaign

Shown above: Second redirect associated with the Seamless malvertising campaign

Shown above: Final redirect to the Rig Exploit Kit landing page

Shown above: Post-infection traffic associated with Ramnit banking malware

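A defender's correlation of the chain documented above, added here as an example (not the author's code or tooling): it tags constructed flow records by the stage whose indicators they match and reports hosts that traversed the full Seamless redirect -> Rig EK landing -> Ramnit C2 sequence, while still surfacing hosts that only touched a C2 (such as the SYN-only contact noted above).

```python
from collections import defaultdict

# Indicators taken from the write-up above, grouped by infection stage.
SEAMLESS = {"52.49.126.125", "52.209.53.14", "194.58.58.121",
            "paremated-conproxy.com", "15cen.redirectvoluum.com"}
RIG_EK = {"188.225.9.112"}
RAMNIT_C2 = {"185.159.131.98", "87.106.190.153",
             "kkgwwanjfddarjjcsni.com", "wbcvrqownuvi.com"}
STAGES = (("seamless_redirect", SEAMLESS), ("rig_ek_landing", RIG_EK),
          ("ramnit_c2", RAMNIT_C2))

# Constructed sample flow log ("ts src dst dport host path note"); only the
# indicator values come from the page, the hosts, times and paths are made up.
SAMPLE_LOG = """\
2017-10-20T14:01:02 10.0.0.5 52.49.126.125 80 paremated-conproxy.com /voluum/ GET
2017-10-20T14:01:03 10.0.0.5 52.209.53.14 80 15cen.redirectvoluum.com / GET
2017-10-20T14:01:04 10.0.0.5 194.58.58.121 80 - /test4.php GET
2017-10-20T14:01:06 10.0.0.5 188.225.9.112 80 - / GET
2017-10-20T14:01:20 10.0.0.5 185.159.131.98 443 kkgwwanjfddarjjcsni.com - TLS
2017-10-20T14:01:21 10.0.0.5 87.106.190.153 443 wbcvrqownuvi.com - SYN-only
2017-10-20T14:03:00 10.0.0.9 87.106.190.153 443 - - SYN-only
"""

def stage_hits(log):
    # {src: [(ts, stage, dst), ...]} for every flow whose destination IP or
    # hostname matches an indicator of one of the three stages.
    hits = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, _port, host, _path, _note = line.split()
        for name, iocs in STAGES:
            if dst in iocs or host in iocs:
                hits[src].append((ts, name, dst))
                break
    return dict(hits)

def full_chains(hits):
    # Hosts whose matches run redirect -> Rig EK -> Ramnit C2 in that order;
    # a C2-only host (e.g. a lone SYN to a C2 domain) stays visible in stage_hits().
    chains = {}
    for src, events in hits.items():
        stages = [s for _, s, _ in events]
        pos = 0
        for name, _ in STAGES:
            pos = stages.index(name, pos) + 1 if name in stages[pos:] else -1
            if pos < 0:
                break
        if pos > 0:
            chains[src] = events
    return chains
```
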
MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:

Follow on Twitter @broadanalysis