Ad servers used by a popular YouTube-to-MP3 conversion website have been compromised to spread the GreenFlash Sundown exploit kit and Seon ransomware.
Malvertising is a technique used by criminals to reach a wide audience, often through legitimate domains and services. Malicious code or links are embedded in an advertisement, which is then displayed to unwitting website visitors. If a visitor clicks the ad, they may be directed to a fraudulent website; in drive-by cases such as the one described here, the ad's own code redirects the browser to an exploit kit and no click is required at all.
The problem with malvertising is that malicious ads sometimes slip through the ad network's vetting, and legitimate domains that rely on adverts for revenue become distributors of malware without realizing it.
Examples of successful malvertising campaigns include VeryMal, which specifically targeted Apple users, and malicious ads served on domains belonging to The New York Times, BBC, AOL, and MSN.
It is estimated that in 2017 alone, malvertising enabled by steganography, the hiding of malicious code inside image files, cost ad networks $1.13 billion.
Malvertising is still very much alive, as the recent large-scale spread of the GreenFlash Sundown exploit kit shows.
In a blog post published on Wednesday, Malwarebytes researcher Jérôme Segura said that the exploit kit, which he described as “elusive” and which has generally only been spotted in Asia, is now expanding its reach.
The malware has been spread through ad servers used by multiple publishers, including onlinevideoconverter[.]com, a service that converts YouTube videos into audio files. This website alone caters to over 200 million users per month, according to SimilarWeb.
Visitors are redirected to the exploit kit only if their system passes a series of checks designed to filter out virtual machines (VMs), a common tactic for keeping the exploit away from researchers' analysis sandboxes and automated scanners.
If exploitation succeeds, the kit drops Seon ransomware, first observed in the wild in late 2018. Seon encrypts the system's files, appends .FIXT to the name of each encrypted file, and demands a ransom in Bitcoin. It also deletes Volume Shadow Copies on disk to prevent recovery from Windows' built-in snapshots, a step common to many ransomware families and one defenders can alert on, since legitimate software rarely deletes all shadow copies in bulk.
While victims debate whether or not to pay, the campaign is not finished with them: alongside the ransomware, the payload also delivers a cryptocurrency miner and Pony, a credential-stealing trojan.
Previous investigations had limited the exploit kit's activity to South Korea. Malwarebytes said, however, that the latest campaign has moved on to targets in the US and Europe.
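The two ransomware behaviours described above, bulk deletion of Volume Shadow Copies and mass renaming of files to a .FIXT extension, are exactly the kind of endpoint telemetry a detection engineer can alert on. The following is an added example, not code from Malwarebytes, ZDNet or the Seon authors: it parses constructed process-creation and file-rename events in a simple key=value format (the format and the sample lines are assumptions made for this illustration), flags the well-known vssadmin/wmic/wbadmin/bcdedit command lines that ransomware families commonly use to destroy recovery options (general knowledge, not commands the article attributes to Seon), counts .FIXT renames per process, and correlates the two signals through the parent process ID.

```python
"""Detection logic for shadow-copy deletion and mass .FIXT renames.

Added example; the log format, sample events, PIDs and the RENAME_THRESHOLD
tuning value are constructed for illustration and are not from the article.
"""
import re
from collections import Counter

# Command lines commonly used by ransomware to destroy Volume Shadow Copies
# and recovery options (general knowledge; the article does not list the
# exact commands Seon runs).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
]

RANSOM_EXT = ".fixt"   # extension the article reports Seon appends (compared case-insensitively)
RENAME_THRESHOLD = 5   # assumed tuning value: renames per process before we alert

# Constructed sample telemetry (not real Seon output). PID 3120 is the
# hypothetical ransomware process: it renames files and spawns the deletions.
SAMPLE_LOG = r"""
ts=2019-06-26T10:00:01Z host=WS1 event=ProcessCreate pid=4412 ppid=3120 image="C:\Windows\System32\vssadmin.exe" cmd="vssadmin.exe Delete Shadows /All /Quiet"
ts=2019-06-26T10:00:01Z host=WS1 event=ProcessCreate pid=4418 ppid=3120 image="C:\Windows\System32\wbem\WMIC.exe" cmd="wmic shadowcopy delete"
ts=2019-06-26T10:00:02Z host=WS1 event=ProcessCreate pid=4420 ppid=3120 image="C:\Windows\System32\bcdedit.exe" cmd="bcdedit /set {default} recoveryenabled no"
ts=2019-06-26T10:00:03Z host=WS1 event=ProcessCreate pid=5001 ppid=900 image="C:\Windows\System32\vssadmin.exe" cmd="vssadmin list shadows"
ts=2019-06-26T10:00:05Z host=WS1 event=FileRename pid=3120 src="C:\Users\alice\Documents\report.docx" dst="C:\Users\alice\Documents\report.docx.FIXT"
ts=2019-06-26T10:00:05Z host=WS1 event=FileRename pid=3120 src="C:\Users\alice\Documents\budget.xlsx" dst="C:\Users\alice\Documents\budget.xlsx.FIXT"
ts=2019-06-26T10:00:06Z host=WS1 event=FileRename pid=3120 src="C:\Users\alice\Pictures\holiday.jpg" dst="C:\Users\alice\Pictures\holiday.jpg.FIXT"
ts=2019-06-26T10:00:06Z host=WS1 event=FileRename pid=3120 src="C:\Users\alice\Pictures\family.png" dst="C:\Users\alice\Pictures\family.png.FIXT"
ts=2019-06-26T10:00:07Z host=WS1 event=FileRename pid=3120 src="C:\Users\alice\Desktop\thesis.pdf" dst="C:\Users\alice\Desktop\thesis.pdf.FIXT"
ts=2019-06-26T10:00:07Z host=WS1 event=FileRename pid=3120 src="C:\Users\alice\Desktop\todo.txt" dst="C:\Users\alice\Desktop\todo.txt.FIXT"
ts=2019-06-26T10:00:09Z host=WS1 event=FileRename pid=2222 src="C:\Users\alice\Desktop\notes.txt" dst="C:\Users\alice\Desktop\notes.bak"
"""

# key=value pairs; values may be double-quoted (backslashes inside are kept as-is).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one event line into a dict, stripping quotes from values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def parse_log(text):
    """Parse all non-empty lines of a log into event dicts."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def shadow_copy_deletions(events):
    """Return (pid, ppid, cmd) for process creations matching a deletion pattern."""
    hits = []
    for ev in events:
        if ev.get("event") != "ProcessCreate":
            continue
        cmd = ev.get("cmd", "")
        if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
            hits.append((int(ev["pid"]), int(ev["ppid"]), cmd))
    return hits


def mass_ransom_renames(events, ext=RANSOM_EXT, threshold=RENAME_THRESHOLD):
    """Return {pid: count} for processes renaming >= threshold files to ext."""
    counts = Counter()
    for ev in events:
        if ev.get("event") == "FileRename" and ev.get("dst", "").lower().endswith(ext):
            counts[int(ev["pid"])] += 1
    return {pid: n for pid, n in counts.items() if n >= threshold}


def analyze(text):
    """Run both detections and correlate them via the deleting process's parent."""
    events = parse_log(text)
    deletions = shadow_copy_deletions(events)
    renames = mass_ransom_renames(events)
    # A process that both mass-renames files and spawns shadow-copy deletion
    # is a much stronger signal than either behaviour alone.
    correlated = sorted({ppid for _, ppid, _ in deletions if ppid in renames})
    return {
        "shadow_copy_deletion": deletions,
        "mass_rename": renames,
        "correlated_pids": correlated,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

On the constructed sample the three deletion commands are flagged while the benign `vssadmin list shadows` is not, PID 3120 is reported for six .FIXT renames, and the correlation step ties the deletions back to that same process. In production the same logic runs over Sysmon event ID 1 (process creation) and file-rename telemetry from an EDR; the rename threshold and the list of patterns are the knobs to tune for a given environment.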
ZDNet has reached out to Online Video Converter but has not heard back at the time of publication.