Malicious ad campaign infects popular YouTube to MP3 conversion site

Cybercriminals have compromised the servers used to serve ads on a popular YouTube to MP3 conversion website in order to deliver the GreenFlash Sundown exploit kit and Seon ransomware. Malvertising is a popular technique among hackers and scammers because it allows them to reach a much larger audience by inserting malicious code or links into advertisements. When a visitor to a site hosting malicious ads clicks on any of them, they are either directed to a fraudulent website or their system is infected with a malicious payload. What makes malvertising so effective is that legitimate domains can host malicious ads without their owners' knowledge, turning site owners into malware distributors without their realizing it. Recently, cybercriminals have used this technique to deliver the GreenFlash Sundown exploit kit as part of a massive malvertising campaign.

GreenFlash Sundown Exploit Kit

Jerome Segura, a researcher at Malwarebytes, explained in a blog post how the GreenFlash Sundown exploit kit spread beyond Asia:

"Exploit kit activity has been relatively quiet for some time, with a malicious ad campaign reminding us that shock at the wheel is always a threat. However, in the last few days, we have seen an increase in our telemetry for what appeared to be a new exploit kit. Looking closer, we realized that it was actually the very difficult-to-reach GreenFlash Sundown EK. The threat actors behind this system have a unique operating mode of compromising the ad servers that website owners run. In essence, they can poison the ads that the relevant publisher serves through this unique type of malvertising."

By infecting the servers used to serve ads on various sites, including the popular online video to MP3 conversion site Converter Online Video Creator, which has more than 200 million monthly users, the cybercriminals have been able to use legitimate domains to do their work. After clicking an ad on one of the affected sites, visitors are sent to the exploit kit once their system has been checked to make sure it is not a virtual machine. The exploit kit then infects the system with Seon ransomware, which locks the victim's files. Along with the ransomware, the exploit kit also installs a cryptocurrency miner and Pony, which is used to steal data.

Until now, the exploit kit mainly infected users in South Korea, but the cybercriminals behind this new malvertising campaign are looking to expand their reach to new targets in the US and Europe.

via ZDNet