Ad server of a video converter site used to spread SEON ransomware

Hacked advertising server for a video converter site made to spread SEON ransomware via the GreenFlash Sundown exploit kit

Hacked advertising server delivers Seon ransomwareSeon virus, Pony trojan, and Coinminer get delivered via a malvertising campaign.

Popular video converter website and its ad server got hacked and, as a result, was used to launch GreenFlash Sundown exploit kit. According to researchers, the exploit kit is then used to drop SEON ransomware[1], Pony information-stealing trojan and other cryptocurrency miners.[2]

The report states that compromised advertising services were discovered when the spike in malicious activity appeared. It was analyzed that GreenFlash Sundown exploit kit keeps expanding further than Asia which was known as the main country of this EK.

Jérôme Segura is stating in his blog post:

We review their latest campaign responsible for pushing ransomware, Pony and a coin miner. A number of publishers have been compromised and this marks the first time we see GreenFlash Sundown EK expand widely out of Asia.

The malvertising campaign was started after hacking ad server

Developers of the GreenFlash Sundown exploit kit compromised the ad server so that they could load the malicious content onto the visitor's system. Various websites partner with advertisers to handle commercial content, so there is no surprise that hackers decided to take advantage of this fact. The particular campaign was tracked to a popular video converter site that has more than 200 millions of visitors per month and is on the 159th place in the list of the largest sites in the world.[3]

Once the visitor came to the website to use the converter, advertising content was set to load the exploit kit via the fake GIF containing JavaScript, that automatically redirected the victim to the exploit kit gate. Then, Flash exploit got used and, once successfully launched, PowerShell commands got executed from this point.

When the system was checked, Seon ransomware was loaded on the computer alongside Pony info-stealing trojan horse and cryptocurrency miner. SEON ransomware typically performs its own malicious processes like deleting Shadow Volume Copies, encrypting files and demanding the ransom.[4] People who got affected were left to struggle with this multi-layer attack.

The most common usage of exploit kits is to drop ransomware

This is not the first time when cryptovirus got infiltrated by the exploit kit. Ransomware is one of the most dangerous malware because it involves ransom demands and can permanently damage users' files and result in money loss. In recent years ransomware developers geared towards huge companies, services, and cities.[5]

One of the more common methods of crypto malware distribution remains the exploit kits like Sodinokibi ransomware virus dropping RIG[6] or the Fallout EK that delivers GandCrab ransomware.[7] Exploit kits use vulnerabilities in the operating system and installs the needed scripts or direct malware payloads without users notice. All these flaws come via badly installed software, fake Windows Updates or programs like Java, Flash.

You can avoid such infiltrations of you pay enough attention to processes happening on the computer and keep the machine up-to-date using proper sources and official distributors of updates and applications. Running an occasional scan on the device with AV tools can also keep the system virus-free.

About the author
Lucia Danes
Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has a long experience working in malware and technology fields.

Contact Lucia Danes
About the company Esolutions