Exploit Evolves for New Ransomware Attack

Photo by vipul uthaiah on Unsplash

The “GreenFlash Sundown” exploit kit is back - and it’s got a new trick up its sleeve.

Cybersecurity researchers discovered that the ad servers on onlinevideoconverter.com, a popular web utility, were compromised to deliver ransomware to users' computers.

There are several noteworthy things about this attack:

GreenFlash Sundown is not new - but its recent tactics are. First on the scene in 2015, this exploit kit was typically used to mine cryptocurrency. These threats are always evolving, and this illustrates how hackers don't even have to go all the way back to the drawing board to avoid detection. Some new encryption techniques and a new PowerShell loader were enough to breathe new life into this well-known exploit kit.

The attack used the JSEncrypt library to create a secret key (img from TrendMicro)

Malware is still a real risk. It's easy to get lost in the fog of the ad fraud wars and to think that pop-up ads for non-existent gift card lotteries are the whole problem. Annoying ads are highly visible (that's what makes them so annoying), but ad hackers haven't stopped looking for ways to deliver trojans that build botnets, or ransomware that takes the scam directly to the user.

Even self-controlled ad servers are at risk. Often we describe distributed ad demand as the source of the problem - when publishers call partners who call partners who call partners, accountability can get lost. But in the case of this recent attack, hackers discovered vulnerabilities in a self-run ad server and exploited it directly. Risk mitigation isn't risk elimination, and even going against the grain of convenience can leave you open to attack.

You can read more about the attack at Bleeping Computer (Hacked Ad Server Pushes SEON Ransomware, Trojans Via Malvertising) and Trend Micro's blog (ShadowGate Returns to Worldwide Operations With Evolved Greenflash Sundown Exploit Kit).

DEVCON Ad Tech Security protects against attacks like these.

As attacks evolve and new threats emerge, DEVCON’s security team works to stay ahead of the attacks. DEVCON client sites are safe from this evolved GreenFlash Sundown attack.

If you see an attack like this in the wild, send us details at support@devcondetect.com or use our Bad Ads Form.

If you’re not yet a DEVCON customer, you can start protecting your site from attacks like these for free. Sign up today.