Online Video Converter Compromised to Deliver Ransomware

Another malvertising campaign delivering ransomware has been detected. More specifically, ad servers used by a popular YouTube-to-MP3 conversion website (onlinevideoconverter[.]com) were compromised to spread the GreenFlash Sundown exploit kit and the Seon ransomware.

Malvertising attacks typically involve injecting malicious code into legitimate online advertising networks. The injected code redirects users to dangerous websites hosting exploit kits and malicious payloads.

This type of attack is used when attackers aim to compromise a large audience of targets. There have been quite a few large-scale malvertising campaigns, such as RoughTed and eGobbler, the latter of which targeted iOS users.

More about the GreenFlash Sundown Exploit Kit

The exploit kit is associated with earlier ShadowGate campaigns, which delivered cryptocurrency miners with a newly upgraded version of the GreenFlash Sundown exploit kit, according to TrendMicro researchers.

The ShadowGate campaign was first identified in 2015 when it was spreading malware with exploit kits using the compromised ad servers of Revive/OpenX, a popular advertising technology company. After it was taken down in September 2016, ShadowGate attempted to hide their activities.

However, in 2016 ShadowGate succeeded in developing its own exploit kit, which TrendMicro named GreenFlash Sundown. The reason for this might have been to avoid using exploit kit services from the underground market, the researchers said, adding that:

At the end of 2016, the campaign stopped their injection attacks on the compromised ad servers and restricted their activity to spreading ransomware via compromised South Korean websites. In April 2018, ShadowGate was spotted spreading cryptocurrency miners with Greenflash Sundown.

As for the current campaign delivering the Seon ransomware, users are sent to the exploit kit only if their systems pass a check designed to avoid virtual machines. The malicious code is hidden in a fake .GIF image containing obfuscated JavaScript, which leads to a fastimage website.

That website delivers the malware payload via a redirect to an adfast website. The malware itself is executed through PowerShell. If the exploit succeeds, the Seon ransomware is dropped on the compromised system.
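A defender-side check for the fake-.GIF trick described above, added here as an example and not code from the article or from the researchers it cites: it tells a genuine GIF apart from a script served under a .gif name, including the polyglot case where a valid GIF header has script appended. The marker list and the sample byte strings are constructed for illustration.

```python
"""Flag files served as .GIF that actually carry script content."""
import re

GIF_MAGICS = (b"GIF87a", b"GIF89a")
GIF_TRAILER = b"\x3b"  # a well-formed GIF ends with the trailer byte 0x3B

# Markers typical of obfuscated redirector scripts (constructed list, not from the article).
SCRIPT_MARKERS = [
    ("script-tag", re.compile(rb"<script", re.I)),
    ("eval", re.compile(rb"\beval\s*\(")),
    ("document.write", re.compile(rb"document\.write\s*\(")),
    ("fromCharCode", re.compile(rb"String\.fromCharCode")),
    ("unescape", re.compile(rb"\bunescape\s*\(")),
    ("location-redirect", re.compile(rb"\blocation\.(?:href|replace)")),
]


def inspect_gif(data: bytes) -> dict:
    """Classify `data` as a plain GIF, a script disguised as one, or neither."""
    has_magic = data[:6] in GIF_MAGICS
    has_trailer = data.endswith(GIF_TRAILER)
    hits = [name for name, rx in SCRIPT_MARKERS if rx.search(data)]
    if hits and not has_magic:
        verdict = "script-not-image"          # JavaScript served under a .gif name
    elif hits and has_magic:
        verdict = "polyglot-gif-with-script"  # GIF header present, script appended
    elif not has_magic:
        verdict = "not-a-gif"
    else:
        verdict = "gif" if has_trailer else "gif-truncated"
    return {"verdict": verdict, "gif_magic": has_magic,
            "gif_trailer": has_trailer, "markers": hits}


def suspicious(data: bytes) -> bool:
    """True when the bytes should be treated as a script rather than an image."""
    return inspect_gif(data)["verdict"] in ("script-not-image", "polyglot-gif-with-script")


# Constructed samples: a minimal 1x1 GIF, a script renamed to .gif, and a polyglot.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
FAKE_GIF = b"var p=['aHR0cDovL2V4YW1wbGUuaW52YWxpZC8='];document.write(unescape('%3Cdiv%3E'));"
POLYGLOT = CLEAN_GIF + b"\n<script>eval(String.fromCharCode(108,111,99))</script>"

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_GIF), ("fake", FAKE_GIF), ("polyglot", POLYGLOT)):
        print(label, inspect_gif(sample))
```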

More about Seon Ransomware

Seon ransomware was first detected towards the end of 2018. Encrypted files receive the .FIXT extension. The accompanying ransom note is called YOUR_FILES_ARE_ENCRYPTED.txt and reads as follows:

SEON RANSOMWARE
all your files has been encrypted
There is only way to get your files back: contact with us, pay and get decryptor software
We accept Bitcoin and other cryptocurrencies
You can decrypt 1 file for free
write email to [email protected] or [email protected]

Learn how to remove Seon ransomware.

Milena Dimitrova