Exploit kit activity has been relatively quiet for some time, with the occasional malvertising campaign reminding us that drive-by downloads are still a threat.
However, during the past few days we noticed a spike in our telemetry for what appeared to be a new exploit kit. Upon closer inspection we realized it was actually the very elusive GreenFlash Sundown EK.
End Date: Friday Sep-27-2019 15:18:16 PDT
Buy It Now for only: $28.27
Buy It Now | Add to watch list
End Date: Saturday Sep-21-2019 3:29:19 PDT
Buy It Now for only: $4.45
Buy It Now | Add to watch list
The threat actors behind it have a unique modus operandi that consists of compromising ad servers that are run by website owners. In essence, they are able to poison the ads served by the affected publisher via this unique kind of malvertising.
In this blog, we review their latest compromise responsible for pushing ransomware, Pony and a coin miner onto a large number of victims.
At first, we believed the attack originated from one ad network, but we were able to pinpoint where it came from by reviewing traffic captures. The affected publisher is onlinevideoconverter[.]com, one of the most popular sites to convert videos. According to SimilarWeb, it drives 200 million visitors per month:
People navigating to the page to convert YouTube videos into the MP4 format will be sent to the exploit kit, but only after some very careful fingerprinting. The full redirection sequence is shown below:
After some painful debugging, we can see that it links to fastimage[.]site:
The next few sessions contain more interesting code including a file loaded from fastimage[.]site/uptime.js which is actually a Flash object.
This performs the redirection to adsfast[.]site which we recognize as being part of the GreenFlash Sundown exploit kit. It uses a Flash Exploit to deliver its encoded payload via PowerShell:
Leveraging PowerShell is interesting because it allows to do some pre-checks before deciding to drop the payload or not. For example, in this case it will check that the environment is not a Virtual Machine. If the environment is acceptable, it will deliver a very visible payload in SEON ransomware:
The ransomware uses a batch script to perform some of its duties, such as deleting shadow copies:
GreenFlash Sundown EK will also drop Pony and a coin miner while victims struggle to decide the best course of action in order to recover their files.
Our previous encounters with GreenFlash Sundown EK, for example during our winter 2019 exploit kits review, were always limited to South Korea. However, based on our telemetry this campaign is affecting people all over the globe, which is an interesting departure for this threat group.
Malwarebytes users were already protected against this drive-by attack and we have informed the publisher about the compromise so that they can take action.
Indicators of Compromise
GreenFlash Sundown infrastructure:hxxps[://]fastimage[.]site/hxxp[://]adsfast[.]site/hxxp[://]accomplishedsettings[.]cdn-cloud[.]club/104.248.42[.]143172.105.66[.]231198.211.126[.]118
The post GreenFlash Sundown exploit kit expands via large malvertising campaign appeared first on Malwarebytes Labs.
Powered by WPeMatico