Rig Exploit Kit via Seamless malvertising delivers Ramnit banking malware

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-10-25-Rig-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 54.183.53.133 – jj3et.redirectvoluum.com – Seamless associated redirect
  • 194.58.40.193 – GET /test5.php – Seamless associated redirect
  • 188.225.84.183 – Rig EK Landing Page
  • 195.133.146.196 – tcp Port 443 – kulwtnsuebllt.com – Ramnit C2
  • 46.165.254.212 – tcp Port 443 – vomfvkcwhcfvksq.com – Ramnit C2
  • 87.106.190.153 – Syn only – erilxcktxqkuwg.com – Ramnit C2
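A small way to put the list above to work on the defensive side is to match it against network logs. The following is an added example and not the blog's own tooling: it scans constructed Zeek-style dns.log and conn.log records (a reduced set of fields, tab-separated) for the domains and IP addresses listed above and reports each hit with its role in the chain. The sample records, host 10.0.0.5 and the timestamps are constructed, not taken from the pcap; the indicator values are the page's own. The "S0" connection state is Zeek's marker for a connection attempt with no reply, which is how the "Syn only" C2 contact above would appear in conn.log.

```python
"""IoC matcher for the Rig EK / Ramnit indicators listed above (added example)."""

from dataclasses import dataclass

# Indicators taken from the list above (values are the page's own).
IOC_IPS = {
    "54.183.53.133": "Seamless redirect",
    "194.58.40.193": "Seamless redirect",
    "188.225.84.183": "Rig EK landing page",
    "195.133.146.196": "Ramnit C2",
    "46.165.254.212": "Ramnit C2",
    "87.106.190.153": "Ramnit C2",
}
IOC_DOMAINS = {
    "jj3et.redirectvoluum.com": "Seamless redirect",
    "kulwtnsuebllt.com": "Ramnit C2",
    "vomfvkcwhcfvksq.com": "Ramnit C2",
    "erilxcktxqkuwg.com": "Ramnit C2",
}

# Constructed sample conn.log records (NOT from the pcap): ts, src, dst, dport, conn_state
SAMPLE_CONN = """\
1508940001.1\t10.0.0.5\t188.225.84.183\t80\tSF
1508940010.2\t10.0.0.5\t195.133.146.196\t443\tSF
1508940012.0\t10.0.0.5\t87.106.190.153\t443\tS0
1508940013.0\t10.0.0.5\t93.184.216.34\t443\tSF
"""
# Constructed sample dns.log records: ts, src, query
SAMPLE_DNS = """\
1508940009.9\t10.0.0.5\tkulwtnsuebllt.com
1508940011.5\t10.0.0.5\twww.example.com
1508940011.6\t10.0.0.5\tsub.vomfvkcwhcfvksq.com
"""


@dataclass(frozen=True)
class Hit:
    ts: float
    src: str        # internal host that made the query or connection
    indicator: str  # matched domain or IP
    label: str      # role of the indicator in the infection chain
    note: str       # what kind of activity was observed


def domain_matches(query, iocs):
    """Return the IoC domain that query equals or is a subdomain of, else None."""
    q = query.lower().rstrip(".")
    for d in iocs:
        if q == d or q.endswith("." + d):
            return d
    return None


def scan_dns(lines):
    """Flag DNS queries for any listed domain (or a subdomain of one)."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, src, query = line.split("\t")
        d = domain_matches(query, IOC_DOMAINS)
        if d:
            hits.append(Hit(float(ts), src, d, IOC_DOMAINS[d], "dns query"))
    return hits


def scan_conn(lines):
    """Flag connections to any listed IP; distinguish SYN-only attempts."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, state = line.split("\t")
        if dst in IOC_IPS:
            # S0 = SYN seen, no reply: the host tried to reach C2 even if it
            # never got through, which is still worth alerting on.
            note = "attempted (SYN only)" if state == "S0" else f"established tcp/{dport}"
            hits.append(Hit(float(ts), src, dst, IOC_IPS[dst], note))
    return hits


def infected_hosts(conn_lines, dns_lines):
    """Sorted list of internal hosts with at least one Ramnit C2 indicator hit."""
    hits = scan_conn(conn_lines) + scan_dns(dns_lines)
    return sorted({h.src for h in hits if h.label == "Ramnit C2"})


if __name__ == "__main__":
    for h in sorted(scan_conn(SAMPLE_CONN) + scan_dns(SAMPLE_DNS), key=lambda h: h.ts):
        print(f"{h.ts:.1f} {h.src} -> {h.indicator} [{h.label}] {h.note}")
    print("hosts with C2 activity:", infected_hosts(SAMPLE_CONN, SAMPLE_DNS))
```

Matching domains by suffix rather than exact string catches subdomains of a C2 domain as well; matching the landing page and redirect IPs alongside the C2 list lets the same scan reconstruct the order of the chain (redirect, landing page, C2) from timestamps.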


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Rig exploit and the delivery of Ramnit banking malware

Shown above: DNS traffic associated with Ramnit banking malware

Shown above: Post-infection traffic associated with Ramnit banking malware


MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT:

Follow on Twitter @broadanalysis