28 June 2019

ShadowGate group returns with a global malvertising campaign, infects victims with three pieces of malware

After almost two years of sporadic, restricted activity, the cybercriminal group ShadowGate (also known as WordsJS) has launched a global malvertising campaign that delivers SEON ransomware, a cryptocurrency miner and the Pony credential stealer via an updated Greenflash Sundown exploit kit.

The ShadowGate campaign was first spotted in 2015. It delivered malware with exploit kits through compromised ad servers running Revive/OpenX, a popular advertising technology platform. After a takedown operation in September 2016 the group tried to conceal its activity, and that same year it also developed its own exploit kit, which researchers named Greenflash Sundown. For almost two years ShadowGate restricted its activity and mainly targeted Asia (especially South Korea), so the global scale of the new attacks comes as a bit of a surprise.

The new campaign was detected by both Malwarebytes and Trend Micro, who each published a report detailing the attacks. According to Trend Micro, the new attacks started at the beginning of June and spiked significantly from June 21. As of June 24 the highest rate of attacks was detected in Japan (54.36%), followed by Italy (26.68%), Germany (4.54%) and the U.S. (4%).

This latest campaign is similar to previous ShadowGate operations: it also delivers malicious advertisements to popular websites via compromised ad servers. But the researchers noted several new additions to the Greenflash Sundown EK, which the threat actors have apparently kept upgrading despite the lull in activity.

The first change is the integration of a public-key encryption algorithm to protect the exploit kit payload; the second is an updated PowerShell loader that lets its operators run pre-checks before deciding whether to drop the payload.

“For example, in this case it will check that the environment is not a virtual machine. If the environment is acceptable, it will deliver a very visible payload in SEON ransomware,” explained Malwarebytes Director of Threat Intelligence Jerome Segura.

The ransomware uses a batch script to delete shadow copies, making it more difficult for victims to recover their data. On top of that, “GreenFlash Sundown EK will also drop Pony and a coin miner while victims struggle to decide the best course of action in order to recover their files,” said Segura.
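Defenders usually catch the shadow-copy deletion step on the endpoint, since it runs as a child process of the ransomware. The following is an added example (not code from the Malwarebytes or Trend Micro reports) that scores constructed Sysmon-style process-creation events for that behaviour; the event field names, file paths and the `seon.exe` file name are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events in a Sysmon-like shape; not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\victim\AppData\Local\Temp\seon.exe",   # assumed dropper name
     "cmdline": r'cmd.exe /c "vssadmin delete shadows /all /quiet"'},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "vssadmin list shadows"},            # benign: lists, does not delete
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe C:\\notes.txt"},
]

# The two common ways a batch script removes Volume Shadow Copies.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]

@dataclass
class Alert:
    cmdline: str
    parent: str
    matched: str
    severity: str

def classify(event):
    """Return an Alert if the command line deletes shadow copies, else None."""
    for pat in SHADOW_DELETE_PATTERNS:
        if pat.search(event["cmdline"]):
            parent = event["parent"].lower()
            # Backup agents legitimately prune shadow copies, so a parent that runs
            # from a user-writable temp/AppData path (the dropper pattern) ranks higher.
            suspicious_parent = "\\temp\\" in parent or "\\appdata\\" in parent
            severity = "high" if suspicious_parent else "medium"
            return Alert(event["cmdline"], event["parent"], pat.pattern, severity)
    return None

def scan(events):
    """Run classify() over a batch of events and keep only the hits."""
    return [a for a in (classify(e) for e in events) if a is not None]
```

Feeding real process-creation telemetry into `scan()` requires only mapping the collector's fields onto `image`, `parent` and `cmdline`.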
