Another malvertising campaign delivering ransomware has been detected. Specifically, the ad servers used by onlinevideoconverter[.]com, a popular YouTube-to-MP3 conversion website, were compromised to redirect visitors to the GreenFlash Sundown exploit kit, which drops Seon ransomware.
Malvertising attacks typically involve the injection of malicious code into legitimate online advertising networks; the injected code redirects users to attacker-controlled websites hosting exploit kits and malicious payloads.
Attackers use this type of attack when they aim to compromise a large audience at once. There have been quite a few large-scale malvertising campaigns, such as RoughTed and eGobbler, which targeted iOS users.
More about the GreenFlash Sundown Exploit Kit
The exploit kit is associated with the earlier ShadowGate campaigns, which TrendMicro researchers observed delivering cryptocurrency miners with a newly upgraded version of the GreenFlash Sundown exploit kit.
The ShadowGate campaign was first identified in 2015, when it spread malware via exploit kits using compromised Revive/OpenX ad servers, a widely deployed ad-serving platform. After the campaign was taken down in September 2016, ShadowGate attempted to hide its activities.
However, in 2016 ShadowGate succeeded in developing its own exploit kit, which TrendMicro named GreenFlash Sundown. The motive was likely to avoid relying on exploit kit services sold on the underground market, the researchers said, adding that:
At the end of 2016, the campaign stopped its injection attacks on compromised ad servers and restricted its activity to spreading ransomware via compromised South Korean websites. In April 2018, ShadowGate was spotted spreading cryptocurrency miners with GreenFlash Sundown.
In the current campaign delivering Seon ransomware, visitors are sent to the exploit kit only if their system passes a check designed to filter out virtual machines, a common sandbox-evasion step. The malicious code is hidden in a fake .GIF image that actually contains obfuscated JavaScript, which leads to a fastimage website.
That site delivers the malware payload via a redirect to an adfast website, and the payload is executed through PowerShell. If the exploit succeeds, Seon ransomware is dropped on the compromised system.
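The "fake .GIF carrying JavaScript" trick is easy to catch on the wire if you look past the file extension and Content-Type. The following added example (not code from the article, from Malwarebytes, or from TrendMicro) shows one heuristic: a genuine GIF starts with the GIF87a/GIF89a magic bytes and its body is mostly binary, whereas a script disguised as a GIF is almost entirely printable text and contains obvious script markers. The marker list and the three sample bodies are constructed for illustration and are not indicators from this campaign.

```python
"""Heuristic check for image responses that are really JavaScript.

Added example; the marker list and sample bodies below are constructed,
not taken from the campaign described in the article.
"""
from dataclasses import dataclass, field

GIF_MAGIC = (b"GIF87a", b"GIF89a")

# Substrings that have no business inside an image body. This is a
# starting point for a hunt, not a vendor signature (assumption).
SCRIPT_MARKERS = (
    b"<script", b"eval(", b"document.write", b"String.fromCharCode",
    b"unescape(", b"window.location", b"function(", b"atob(",
)


@dataclass
class Verdict:
    label: str                      # "gif", "fake-gif", "not-gif" or "empty"
    reasons: list = field(default_factory=list)


def has_gif_header(body: bytes) -> bool:
    """True if the body begins with a valid GIF signature."""
    return body[:6] in GIF_MAGIC


def script_markers_in(body: bytes) -> list:
    """Return the script markers present in body (case-insensitive)."""
    low = body.lower()
    return [m.decode() for m in SCRIPT_MARKERS if m.lower() in low]


def printable_ratio(body: bytes, window: int = 512) -> float:
    """Fraction of printable ASCII in the first `window` bytes after the
    header (if any). Real GIF data is mostly binary; script is text."""
    sample = body[6:6 + window] if has_gif_header(body) else body[:window]
    if not sample:
        return 0.0
    printable = sum(1 for b in sample if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(sample)


def classify_image_body(body: bytes) -> Verdict:
    """Classify a body that was served as image/gif."""
    if not body:
        return Verdict("empty", ["empty body"])
    reasons = []
    header_ok = has_gif_header(body)
    markers = script_markers_in(body)
    ratio = printable_ratio(body)
    if not header_ok:
        reasons.append("missing GIF87a/GIF89a magic")
    if markers:
        reasons.append("script markers: " + ", ".join(markers))
    if ratio > 0.9:
        reasons.append(f"body is {ratio:.0%} printable text")
    # A valid header does not clear the file: attackers prepend the magic
    # bytes so naive type sniffers accept it, then append the script.
    if markers or (header_ok and ratio > 0.9):
        return Verdict("fake-gif", reasons)
    if not header_ok:
        return Verdict("not-gif", reasons)
    return Verdict("gif", reasons)


# Constructed samples: a real 1x1 transparent GIF, a GIF header followed
# by JavaScript, and bare JavaScript served with an image extension.
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
            b"\x00\x02\x02D\x01\x00;")
FAKE_GIF = b"GIF89a<script>eval(String.fromCharCode(118,97,114,32,120));</script>"
BARE_JS = b"var a=1;document.write(unescape('%3c'));"

if __name__ == "__main__":
    for name, body in (("real", REAL_GIF), ("fake", FAKE_GIF), ("bare", BARE_JS)):
        v = classify_image_body(body)
        print(f"{name:5} -> {v.label:9} {'; '.join(v.reasons)}")
```

Run this against the bodies of image responses in a proxy log or PCAP export; any "fake-gif" verdict on an ad-network URL is worth pulling the full redirect chain for. The ratio threshold and marker list are deliberately simple, so tune them on your own traffic before alerting on them.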
More about Seon Ransomware
Seon ransomware was first detected towards the end of 2018. Encrypted files get the .FIXT extension appended. The accompanying ransom note is named YOUR_FILES_ARE_ENCRYPTED.txt and reads as follows:
SEON RANSOMWARE
all your files has been encrypted
There is only way to get your files back: contact with us, pay and get decryptor software
We accept Bitcoin and other cryptocurrencies
You can decrypt 1 file for free
write email to kleomicro@gmail.com or kleomicro@dicksinhisan.us