nao_secSeamless localized to Japan
https://malwarebreakdown.com/2017/07/03/seamless-campaign-leads-to-rig-ek-at-188-225-79-43-and-drops-ramnit/
I supplement that article. This is an article for that.
---
In that wonderful article some redirect flows and the latter half were introduced. I introduce the flow of the first half.
First redirected to "194.58.60.51/usa" by some malicious Ad. "usa" looks like a general web site, showing part of the actual code.
It looks like a general code, but there is an obfuscated code. It's decoded as follows.
This looks like code for Google Analytics, but it's actually different. It's sending a POST request to "usa".
It uses JavaScript to acquire time zone information and send it. When sending Japanese information at this time, it will be redirected to a general website. In the case of the USA it will lead to the next flow.
This is redirecting to "outedward-engrees.com". When you access "outedward-engrees.com", it looks like this.
Please see the malwarebreakdown article after this :)
---
Well, I had a chance interesting discovery. I investigated "194.58.60.51" in VirusTotal. Then I got this information.
Surprisingly, "japan.php" exists on the same server!
"japan.php" code is exactly the same as "usa", but you have to set the time zone to be sent to Japan so that you will be connected to RigEK.
"usa" was redirected to "signup3.php", but "japan.php" redirects to "signup1.php".
The dropped malware is Ramnit as usual.
https://www.hybrid-analysis.com/sample/3f949006c99d03b15ea4a1a11b40f1cf420573d2c86f1025a3b82badf18dc361?environmentId=100
https://virustotal.com/en/file/3f949006c99d03b15ea4a1a11b40f1cf420573d2c86f1025a3b82badf18dc361/analysis/1499245648/
---
P.S. added pcap link
https://gist.github.com/koike/8f3fcbb2e6906e29155a57d6f87df396
Localization other than Japan may also exist.
If you knew, please let me know ;)