The ad server for a very popular video converter site was hacked to display malvertising that loads the GreenFlash Sundown exploit kit. This exploit kit would then drop the SEON Ransomware, the Pony information-stealing Trojan, and miners on a vulnerable computer.
Most web sites that utilize advertising will partner with an ad network that handles the ad serving. Some publishers, though, will utilize their own ad server and use it to display advertisements on their site.
In a new report, Malwarebytes explains that the threat actors behind the GreenFlash Sundown exploit kit are known to compromise a publisher's ad server so that it displays malvertising to visitors.
"The threat actors behind it have a unique modus operandi that consists of compromising ad servers that are run by website owners," stated Malwarebytes researcher Jérôme Segura in a blog post. "In essence, they are able to poison the ads served by the affected publisher via this unique kind of malvertising."
After reviewing traffic captures, Malwarebytes said they were able to track a malvertising campaign to a popular video converter site called onlinevideoconverter[.]com. According to Similarweb, this site has over 200 million visitors per month and is the 159th largest site in the world.
When visitors came to the site to convert their videos, the ad server would load the exploit kit. It did this by serving a fake GIF file containing JavaScript that would redirect the user to the exploit kit gate.
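For defenders reviewing proxy or traffic captures, the following added example (not code from Malwarebytes or from this article) flags responses that present themselves as GIFs but are not well-formed images or carry script-like text. The article does not say whether the fake GIF had a valid header, so the check covers both cases; the function names, token list, and sample bytes are assumptions constructed for illustration.

```python
import re
# Constructed heuristic: tokens that should not appear in image data.
SCRIPT_HINTS = re.compile(rb"<script|document\.|window\.|location\.|eval\(", re.I)

def skip_sub_blocks(body, p):          # returns offset after the 0x00 terminator
    while p < len(body) and body[p]:
        p += 1 + body[p]
    return p + 1

def gif_end(body):
    """Walk the GIF block structure; return the offset after the trailer, or None."""
    if len(body) < 13 or body[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    pos = 13                                   # header + logical screen descriptor
    if body[10] & 0x80:                        # global colour table present
        pos += 3 * (2 << (body[10] & 0x07))
    while pos < len(body):
        tag = body[pos]
        if tag == 0x3B:                        # trailer: end of a well-formed GIF
            return pos + 1
        if tag == 0x21:                        # extension: label byte, then sub-blocks
            pos = skip_sub_blocks(body, pos + 2)
        elif tag == 0x2C and pos + 10 <= len(body):   # image descriptor
            packed = body[pos + 9]
            pos += 10
            if packed & 0x80:                  # local colour table present
                pos += 3 * (2 << (packed & 0x07))
            pos = skip_sub_blocks(body, pos + 1)      # +1 skips LZW minimum code size
        else:
            return None                        # unknown or truncated block
    return None                                # ran out of data before the trailer

def inspect_response(url, content_type, body):
    """Return findings for a response that presents itself as a GIF."""
    path = url.split("?", 1)[0].lower()
    if not (path.endswith(".gif") or content_type.lower().startswith("image/gif")):
        return []
    end, findings = gif_end(body), []
    if end is None:
        findings.append("not-a-valid-gif")
    elif end < len(body):
        findings.append("data-after-trailer")
    if SCRIPT_HINTS.search(body):
        findings.append("script-like-content")
    return findings

# Constructed samples: a minimal 1x1 GIF, and the same GIF with text appended.
CLEAN_GIF = b"GIF89a" + bytes.fromhex("01000100800000 ffffff000000 2c000000000100010000 0202440100 3b")
FAKE_GIF = CLEAN_GIF + b"<script>/* constructed stand-in */</script>"
```

The token match is a heuristic and can misfire on arbitrary binary data, so treat `script-like-content` alone as a lead to review rather than a verdict.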