Rig Exploit Kit via Seamless malvertising delivers Ramnit banking malware
- Today I captured traffic from the Rig Exploit Kit (EK) which delivered Ramnit banking malware via a malvertising campaign.
- Thanks to @thlnk3r for sharing a link to start the infection chain.
- Malvertising is the name the security industry gives to criminally controlled adverts which intentionally infect people and businesses. These can be any ad on any site, often ones which you use as part of your everyday Internet usage. [Defined by Malwarebytes]
- Information on Seamless campaign from Cisco
- Detailed information on Seamless campaign from malwarebreakdown.com
I have added a zipped pcap file of the infection traffic for your analysis. The password for the zipped pcap is infected (all lowercase).
ASSOCIATED DOMAINS AND IP ADDRESSES:
- 126.96.36.199 – paremated-conproxy.com – GET /voluum/ – Seamless associated redirect
- 188.8.131.52 – 15cen.redirectvoluum.com – Seamless associated redirect
- 184.108.40.206 – GET /test4.php – Seamless associated redirect
- 220.127.116.11 – Rig EK Landing Page
- 18.104.22.168 – TCP port 443 – kkgwwanjfddarjjcsni.com – Ramnit C2
- 22.214.171.124 – SYN only – wbcvrqownuvi.com – Ramnit C2
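As an added example (not part of the original post), the script below turns the IOC list above into a small matcher and runs it over constructed DNS and connection log lines. The log formats ("timestamp client query" and "timestamp client server port state") and the hosts 10.0.0.5 / 10.0.0.7 are assumptions made for the example; the only real indicators are the domains and IPs from this post. Matching is case-insensitive, tolerates a trailing dot, catches subdomains of a listed domain, and keeps the SYN-only attempt to the second Ramnit C2 as a hit, since a failed connection to a C2 still identifies an infected host.

```python
"""Match the post's Seamless/Rig/Ramnit indicators against DNS and connection logs."""

# Indicators copied from the post's "ASSOCIATED DOMAINS AND IP ADDRESSES" list.
IOC_DOMAINS = {
    "paremated-conproxy.com": "Seamless redirect",
    "15cen.redirectvoluum.com": "Seamless redirect",
    "kkgwwanjfddarjjcsni.com": "Ramnit C2",
    "wbcvrqownuvi.com": "Ramnit C2",
}
IOC_IPS = {
    "126.96.36.199": "Seamless redirect",
    "188.8.131.52": "Seamless redirect",
    "184.108.40.206": "Seamless redirect",
    "220.127.116.11": "Rig EK landing page",
    "18.104.22.168": "Ramnit C2",
    "22.214.171.124": "Ramnit C2",
}

# Constructed sample logs in a hypothetical format; they are not taken from the pcap.
# DNS: "ts client query"; connections: "ts client server port state".
SAMPLE_DNS_LOG = """\
2017-10-20T14:01:02 10.0.0.5 www.example.com
2017-10-20T14:01:09 10.0.0.5 paremated-conproxy.com
2017-10-20T14:01:10 10.0.0.5 15cen.redirectvoluum.com
2017-10-20T14:01:31 10.0.0.5 kkgwwanjfddarjjcsni.com
2017-10-20T14:01:32 10.0.0.5 WBCVRQOWNUVI.COM.
2017-10-20T14:02:00 10.0.0.7 mail.example.org
"""
SAMPLE_CONN_LOG = """\
2017-10-20T14:01:11 10.0.0.5 184.108.40.206 80 established
2017-10-20T14:01:15 10.0.0.5 220.127.116.11 80 established
2017-10-20T14:01:33 10.0.0.5 18.104.22.168 443 established
2017-10-20T14:01:34 10.0.0.5 22.214.171.124 443 syn_only
2017-10-20T14:02:01 10.0.0.7 203.0.113.10 443 established
"""


def normalise_domain(name):
    """Lower-case and strip the trailing dot so 'FOO.COM.' matches 'foo.com'."""
    return name.strip().lower().rstrip(".")


def match_domain(query):
    """Return the indicator's role if the query is a listed domain or a subdomain of one."""
    q = normalise_domain(query)
    for dom, role in IOC_DOMAINS.items():
        if q == dom or q.endswith("." + dom):
            return role
    return None


def scan_dns(log_text):
    """Return one hit dict per DNS query that resolves to a listed indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        ts, client, query = parts
        role = match_domain(query)
        if role:
            hits.append({"ts": ts, "client": client,
                         "indicator": normalise_domain(query), "role": role})
    return hits


def scan_conn(log_text):
    """Return one hit dict per connection (completed or SYN-only) to a listed IP."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, server, port, state = parts
        role = IOC_IPS.get(server)
        if role:
            hits.append({"ts": ts, "client": client, "indicator": server,
                         "port": int(port), "role": role, "state": state})
    return hits


def infected_hosts(dns_hits, conn_hits):
    """Clients that touched a Ramnit C2 by name or by IP; a SYN-only attempt still counts."""
    return sorted({h["client"] for h in dns_hits + conn_hits if h["role"] == "Ramnit C2"})


if __name__ == "__main__":
    dns_hits = scan_dns(SAMPLE_DNS_LOG)
    conn_hits = scan_conn(SAMPLE_CONN_LOG)
    for h in dns_hits + conn_hits:
        print(h)
    print("hosts to isolate:", infected_hosts(dns_hits, conn_hits))
```

The redirect and landing-page hits are useful context for reconstructing the chain, but only the C2 indicators are used to decide which host needs isolating; the Seamless and Rig hosts change far more often than the decision logic should.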
IMAGES AND DETAILS OF INFECTION CHAIN:
[Image: DNS traffic associated with Ramnit banking malware]
MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:
- 2017-10-20-Rig-EK.swf – Rig Exploit Kit
- niorayvp.exe – Ramnit Banking Trojan
Follow on Twitter @broadanalysis