Hacked Ad Server Pushes SEON Ransomware, Trojans Via Malvertising

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,128
The ad server for a very popular video converter site was hacked to display malvertising that loads the GreenFlash Sundown exploit kit. This exploit kit would then drop the SEON Ransomware, Pony information stealing Trojan, and miners on a vulnerable computer.

Most web sites that utilize advertising will partner with an ad network that handles the ad serving. Some publishers, though, will utilize their own ad server and use it to display advertisements on their site.

In a new report, Malwarebytes explains that the threat actors behind the GreenFlash Sundown exploit kit are known to compromise a publisher's ad server so that it display malvertising to visitors.

"The threat actors behind it have a unique modus operandi that consists of compromising ad servers that are run by website owners," stated Malwarebytes researcher Jérôme Segura in a blog post. "In essence, they are able to poison the ads served by the affected publisher via this unique kind of malvertising."

After reviewing traffic captures, Malwarebytes said they were able to track a malvertising campaign to a popular video converter site called onlinevideoconverter[.]com. According to Similarweb, this site has over 200 million visitors per month and is the 159th largest site in the world.

When visitors came to the site to convert their videos, the ad server would load the exploit kit. This was done by the ad server offering up a fake GIF file that contained JavaScript that would redirect the user to the exploit kit gate.
 

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
Around a year ago that conversion site started to enforce way too aggressive anti-ad block measures. I suspect the owner/s of that domain simply sold it's access and made a huge profit. Not the first time and not the last.

More information about the SundownEK and used domains and sub domains here :
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top