After almost two years of sporadic, restricted activity, the cybercriminal group ShadowGate (also known as WordsJS) has launched a global malvertising campaign that delivers SEON ransomware, a cryptocurrency miner and the Pony credential-stealer via an updated Greenflash Sundown exploit kit.
The ShadowGate campaign was first spotted in 2015. It delivered malware with exploit kits through the compromised ad servers of Revive/OpenX, a popular advertising technology company. After a takedown operation in September 2016 the group tried to conceal its activity, and that same year it also developed its own exploit kit, which researchers named Greenflash Sundown. For almost two years ShadowGate restricted its activity and mainly targeted Asia (especially South Korea), so the global scale of the new attacks comes as a bit of a surprise.
The new campaign was detected by both Malwarebytes and Trend Micro, who published their own reports detailing the attacks. According to Trend Micro, the new attacks started at the beginning of June and spiked significantly beginning June 21. As of June 24 the highest rates of attacks were detected in Japan (54.36%), followed by Italy (26.68%), Germany (4.54%) and the U.S. (4%).
This latest campaign is similar to previous ShadowGate operations: it also delivers malicious advertisements to popular websites via compromised ad servers. But the researchers noted several new additions to the Greenflash Sundown EK, which the threat actors have apparently been upgrading continuously despite the lull in activity.
The first change is the integration of a public-key encryption algorithm to protect the exploit kit payload; the second is an updated PowerShell loader that lets its operators run pre-checks before deciding whether to drop the payload.
“For example, in this case it will check that the environment is not a virtual machine. If the environment is acceptable, it will deliver a very visible payload in SEON ransomware,” explained Malwarebytes Director of Threat Intelligence Jerome Segura.
The ransomware uses a batch script to delete shadow copies, making it more difficult for victims to recover their data. On top of that, “GreenFlash Sundown EK will also drop Pony and a coin miner while victims struggle to decide the best course of action in order to recover their files,” said Segura.
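As an added example, not from the original article or from either vendor's report, the following check runs over constructed process-creation log lines and flags the shadow-copy deletion behaviour described above; the event format, the parent/child relationships and the command lines are assumptions for illustration, not SEON's actual script.

```python
import re

# Constructed sample process-creation events (not real SEON telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c "C:\\Users\\user\\AppData\\Local\\Temp\\run.bat"'},
    {"pid": 4131, "parent": "cmd.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4133, "parent": "cmd.exe", "image": "wmic.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 4140, "parent": "services.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},   # benign: listing, not deleting
    {"pid": 4150, "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]

# Patterns covering the common ways volume shadow copies get deleted.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_Shadowcopy.*\.Delete\(\)", re.I),
]

def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True if the command line matches a known shadow-copy deletion pattern."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)

def detect(events):
    """Return one alert per shadow-copy deletion, noting whether it was spawned
    by cmd.exe (consistent with the batch-script launcher the article mentions)."""
    alerts = []
    for ev in events:
        if is_shadow_copy_deletion(ev["cmdline"]):
            alerts.append({
                "pid": ev["pid"],
                "cmdline": ev["cmdline"],
                "from_batch_shell": ev["parent"].lower() == "cmd.exe",
            })
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the same patterns would be applied to Sysmon event ID 1 or Windows Security event 4688 command lines, and a deletion following a freshly written batch file is the combination worth alerting on, since legitimate backup software rarely launches it that way.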