
GreenFlash Sundown exploit kit expands its activity to deliver SEON ransomware

  • The attackers targeted the popular onlinevideoconverter[.]com website to launch the attack campaign.
  • The campaign is very much active in North America and Europe.

The very elusive GreenFlash Sundown exploit kit has expanded its operations out of Asia. The threat actors are using the exploit kit to push SEON ransomware onto the victims’ machines.

What’s the matter?

According to Malwarebytes, the attackers targeted the popular onlinevideoconverter[.]com website to launch the attack campaign. The site draws 200 million visitors per month, which gives the attackers a very large pool of potential victims.

Stealthy exploit

Users visiting the onlinevideoconverter[.]com website to convert YouTube videos into the MP4 format are redirected to adsfast[.]site, which serves the exploit kit. The GreenFlash Sundown exploit kit is cleverly hidden inside a fake GIF image that actually contains a well-obfuscated piece of JavaScript.
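One way a defender can triage such a "GIF" on the wire is to check whether the bytes actually parse as a GIF container and whether they carry script markers. The following is an added example, not code from the article or from Malwarebytes; the marker list and the constructed sample blobs are assumptions made for the demonstration.

```python
import re

# Constructed detector (added example, not from the original article or from
# Malwarebytes): triage a file served as image/gif to see whether it is a real
# GIF or a script disguised as one, as described for GreenFlash Sundown.
GIF_SIGNATURES = (b"GIF87a", b"GIF89a")
GIF_TRAILER = b"\x3b"

# Literal markers that an unobfuscated or lightly obfuscated script tends to
# carry; the names are ours, chosen so verdicts read clearly.
JS_MARKERS = {
    "script_tag": rb"<script",
    "eval": rb"eval\s*\(",
    "function": rb"function\s*\(",
    "document": rb"document\.",
    "fromCharCode": rb"String\.fromCharCode",
    "unescape": rb"unescape\s*\(",
}

def gif_header_is_plausible(data: bytes) -> bool:
    """True if data has a GIF signature, a non-zero logical screen size,
    and ends with the GIF trailer byte (0x3B)."""
    if len(data) < 13 or data[:6] not in GIF_SIGNATURES:
        return False
    width = int.from_bytes(data[6:8], "little")
    height = int.from_bytes(data[8:10], "little")
    return width > 0 and height > 0 and data.endswith(GIF_TRAILER)

def script_markers(data: bytes) -> list:
    """Names of JS_MARKERS patterns present anywhere in the payload."""
    return [name for name, pat in JS_MARKERS.items() if re.search(pat, data)]

def classify(data: bytes) -> dict:
    """Verdict 'gif' only if the container parses and no script markers appear."""
    plausible = gif_header_is_plausible(data)
    markers = script_markers(data)
    verdict = "gif" if plausible and not markers else "fake_gif"
    return {"plausible_gif": plausible, "markers": markers, "verdict": verdict}

# Constructed samples: a 1x1 GIF, and a GIF-prefixed blob carrying script text.
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00"        # header + screen descriptor
            b"\x00\x00\x00\xff\xff\xff"                   # 2-colour global palette
            b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"   # image descriptor
            b"\x02\x02\x44\x01\x00" + GIF_TRAILER)        # LZW data + trailer
FAKE_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
            b"var p=eval(String.fromCharCode(0x61));"
            b"function(){document.write(p)}")

if __name__ == "__main__":
    for label, blob in (("real", REAL_GIF), ("fake", FAKE_GIF)):
        print(label, classify(blob))
```

Heavily obfuscated scripts may avoid these literal markers, so the structural check (valid header plus trailer) is the more reliable half of the heuristic; treat a hit as a triage signal, not a signature.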

The exploit kit leverages PowerShell to do some pre-checks before deciding to drop the payload. If the environment is acceptable, the exploit kit drops the SEON ransomware.

Once installed, the ransomware performs a series of actions such as deleting shadow copies. Apart from the ransomware, the GreenFlash Sundown exploit kit also drops Pony and a coin miner while victims struggle to decide the best course of action to recover their files.

Worth noting

Based on the researchers' telemetry, this campaign is very much active in North America and Europe.
