Hacked Ad Server Pushes SEON Ransomware, Trojans Via Malvertising

silversurfer

The ad server for a very popular video converter site was hacked to display malvertising that loads the GreenFlash Sundown exploit kit. This exploit kit would then drop the SEON Ransomware, Pony information stealing Trojan, and miners on a vulnerable computer.

Most web sites that utilize advertising will partner with an ad network that handles the ad serving. Some publishers, though, will utilize their own ad server and use it to display advertisements on their site.

In a new report, Malwarebytes explains that the threat actors behind the GreenFlash Sundown exploit kit are known to compromise a publisher's ad server so that it displays malvertising to visitors.

"The threat actors behind it have a unique modus operandi that consists of compromising ad servers that are run by website owners," stated Malwarebytes researcher Jérôme Segura in a blog post. "In essence, they are able to poison the ads served by the affected publisher via this unique kind of malvertising."

After reviewing traffic captures, Malwarebytes said they were able to track a malvertising campaign to a popular video converter site called onlinevideoconverter[.]com. According to Similarweb, this site has over 200 million visitors per month and is the 159th largest site in the world.

When visitors came to the site to convert their videos, the ad server would load the exploit kit. This was done by the ad server offering up a fake GIF file that contained JavaScript that would redirect the user to the exploit kit gate.
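
A defender-side check for the "fake GIF" delivery described above, added here as an example and not part of the original post or the Malwarebytes report: it flags responses declared as `image/gif` whose body has no GIF signature or does not parse as a GIF through to the trailer. The function names, verdict strings and sample bytes are constructed assumptions.

```python
GIF_MAGICS = (b"GIF87a", b"GIF89a")

def _skip_sub_blocks(data, pos):
    """Advance past a chain of length-prefixed sub-blocks; return the new offset."""
    while True:
        size = data[pos]              # IndexError on truncation, caught by caller
        pos += 1
        if size == 0:
            return pos
        pos += size

def is_wellformed_gif(data):
    """True only if data parses as a GIF from header to trailer (0x3B)."""
    if len(data) < 13 or data[:6] not in GIF_MAGICS:
        return False
    try:
        flags, pos, saw_image = data[10], 13, False
        if flags & 0x80:              # global color table: 3 * 2^(N+1) bytes
            pos += 3 * (2 << (flags & 0x07))
        while True:
            block = data[pos]
            if block == 0x3B:         # trailer: valid only after an image block
                return saw_image
            if block == 0x21:         # extension: introducer, label, sub-blocks
                pos = _skip_sub_blocks(data, pos + 2)
            elif block == 0x2C:       # image descriptor (10 bytes)
                local_flags = data[pos + 9]
                pos += 10
                if local_flags & 0x80:
                    pos += 3 * (2 << (local_flags & 0x07))
                pos = _skip_sub_blocks(data, pos + 1)  # +1 skips LZW code size
                saw_image = True
            else:
                return False          # unknown block type: not image structure
    except IndexError:
        return False

def triage(content_type, body):
    """Verdict for one HTTP response: not-gif, mismatch, malformed or ok."""
    if content_type.split(";")[0].strip().lower() != "image/gif":
        return "not-gif"
    if body[:6] not in GIF_MAGICS:
        return "mismatch"             # declared GIF, body is something else
    return "ok" if is_wellformed_gif(body) else "malformed"

# Constructed samples: a minimal 1x1 GIF, script-like text, and a bare signature.
VALID_GIF = b"GIF89a" + bytes.fromhex("01000100800000000000ffffff2c00000000010001000002024401003b")
FAKE_GIF = b"/* constructed placeholder: script text served as image/gif */"
BAD_STRUCT = b"GIF89a" + b"\x00" * 7 + b"constructed non-image bytes"
```

Run `triage` over response bodies extracted from a proxy or packet capture; `mismatch` and `malformed` results on ad-server hosts are the ones worth pulling for manual review.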
 

upnorth

Around a year ago that conversion site started to enforce way too aggressive anti-ad block measures. I suspect the owner/s of that domain simply sold its access and made a huge profit. Not the first time and not the last.

More information about the SundownEK and used domains and subdomains here:
 