Concerned About Your Business Cyber Security?

(877) 321--7374

Seamless Campaign using Rig Exploit Kit to send Ramnit Trojan, (Thu, May 11th)

Introduction

On Wednesday 2017-05-10, @thlnk3r tweeted about Rig exploit kit (EK) activity. @DynamicAnalysis has already posted an analysis of this traffic on malwarebreakdown.com (always a good read), but Ive also looked into it. Today border-width:2px” />
Shown above: Tweet about this Rig EK activity from @thlnk3r (link).

Details

This is not one of the campaigns that use Rig EK like pseudoDarkleech or EITest (both of which I havent seen since April 2017). This traffic has different characteristics. Cisco is calling it the Seamless Campaign due to an associated iframe attribute back when it was first discovered.

By the time I investigated this traffic, the compromised site that kicked off the chain of events was already off-line. border-width:2px” />
Shown above: border-width:2px” />
Shown above: border-width:2px” />
Shown above: border-width:2px” />
Shown above: Some Ramnit alerts after reading the pcap with Snort using the Snort Subscription ruleset.

Indicators of Compromise (IOCs)

The following IP addresses and domains are associated with this traffic:

  • 185.31.160.55 port 80 – 185.31.160.55 – GET /flow335.php [Seamless gate]
  • 185.154.52.233 port 80 – sell.northwestfloridacannabis.online – Rig EK (1st run)
  • 185.154.52.233 port 80 – top.northwestfloridacannabis.org – Rig EK (2nd run)
  • 95.215.108.213 port 443 – mudsaoojbjijj999.com – Post-infection encoded/encrypted traffic
  • Note: The infected Windows host also tried several attempts at contacting google.com.

The following files are associated with this traffic:

Final words

Rig EK is still an ongoing factor in our current threat landscape. Thanks to everyone on Twitter who tweets about EK activity. Without help from the community, this traffic is difficult to obtain.

As always, if you follow best security practices (keep your Windows computer up-to-date and patched, etc.), your risk of infection is minimal. Unfortunately, many people dont follow best practices. Until this situation changes, EKs will likely remain a profitable method for criminals distributing malware.

Emails, malware samples, and pcaps associated with the 2017-05-10 Rig EK traffic can be found here.


Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Ready For ASuperheroI.T. Solution?

Permission to communicate electronically * Shield adheres to the Canada Anti Spam Law or CASL. By submitting our website forms, you are granting us express consent to contact your company by email. Click here for more Information and FAQS on the CASL.

Shield Networks Inc.

Shield Networks Provides Cyber Security, Network Security, Computer Security and IT Security Solutions For Companies Across Canada. Book Your Complimentary Cyber Security Consultation Using Our Contact Information Below.

(877) 321--7374

Info@ShieldNetworks.ca

  • Winnipeg, Manitoba

    330 St. Mary Avenue, Suite 300
    Winnipeg, MB R3C 3Z5

  • Selkirk Manitoba

    217 Clandeboye Ave Selkirk, MB, R1Z 0X2

Real Time Web Analytics