Malvertising Campaign by “ShadowGate” Utilizes GreenFlash Sundown EK (Jun 26, 2019)

A recent global malvertising campaign has been attributed to the cybercriminal group “ShadowGate” and uses the “GreenFlash Sundown” exploit kit. ShadowGate is known for its elusive and stealthy tactics and has not been linked to a large-scale incident since 2016. The campaign delivers “SEON” ransomware, a cryptominer, and the “Pony” credential stealer. Users who visit a popular online video conversion site, OnlineVideoConverter<.>com, are redirected to the exploit kit if they interact with a fake GIF image that carries the JavaScript launcher. A careful pre-check routine written in PowerShell then determines whether the victim environment is suitable before the payload is dropped. Based on Malwarebytes telemetry, the campaign is active in North America and Europe, which is new territory for ShadowGate, whose activity had previously been observed only in East Asian countries.
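The fake-GIF delivery described above is something a proxy or sandbox can check for: a response that claims to be a GIF but lacks the GIF magic bytes, or that carries script markup after a valid GIF header, is suspicious. The following is an added example written for this summary, not code from the report, Malwarebytes or the campaign itself; the sample responses are constructed and do not reproduce ShadowGate's actual artifact.

```python
import re

# Every valid GIF starts with one of these two signatures.
GIF_MAGIC = (b"GIF87a", b"GIF89a")

# Markup that has no business inside image data. Constructed pattern list,
# not a signature for the real campaign's launcher.
SCRIPT_RE = re.compile(
    rb"<script\b|javascript:|document\.write|eval\s*\(", re.IGNORECASE
)


def classify_gif_response(content_type: str, body: bytes) -> list[str]:
    """Return findings for an HTTP response served as image/gif.

    An empty list means nothing suspicious was seen. Responses with other
    content types are out of scope for this check and return [].
    """
    findings: list[str] = []
    if not content_type.lower().startswith("image/gif"):
        return findings
    # HTML or script served with an image content type: no GIF header at all.
    if not body.startswith(GIF_MAGIC):
        findings.append("missing-gif-magic")
    # A real header followed by script text is the polyglot case: the file
    # renders as an image but also carries code for a redirect.
    if SCRIPT_RE.search(body):
        findings.append("embedded-script-markup")
    return findings


# Constructed sample bodies (not captured traffic).
BENIGN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
POLYGLOT_GIF = b"GIF89a\x01\x00\x01\x00;<script>location='http://example.invalid/'</script>"
HTML_AS_GIF = b"<html><body><script>document.write('x')</script></body></html>"

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_GIF), ("polyglot", POLYGLOT_GIF), ("html", HTML_AS_GIF)):
        print(label, classify_gif_response("image/gif", body))
```

The check is cheap enough to run on every image response at a proxy; the "missing-gif-magic" finding alone is also a useful hunting pivot in web logs that record content type and leading bytes.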

Recommendation: Users should be cautious when clicking on advertisements because, as this story shows, malicious advertisements can appear on legitimate websites. If an advertised product is appealing, it is safer to search for it on the vendor's own website or on another trusted online shopping site.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.