With more than 200 million monthly visitors, onlinevideoconverter[.]com is the 159th largest site in the world. When researchers reviewed traffic captures, it was discovered that the site publisher’s ad server was compromised by attackers to display a malvertising campaign. Users visiting the site in attempts to convert videos were met with the ad server readying up the exploit kit. This task was completed by the ad server presenting a faulty GIF file that included JavaScript which took the user to the exploit kit gate. After this is completed, GreenFlash Sundown tries to execute a Flash exploit, and if done with success, a PowerShell command is run. This specific PowerShell command then scans to see if the computer being targeted is a virtual machine and if it isn’t, the SEON Ransomware, a miner, and the Pony information-stealing trojan is installed.
Analyst Notes
It is extremely necessary to make sure all Windows updates are installed in a timely manner. It is also imperative to update programs such as Flash, Java, and PDF reader to their latest versions. Since exploit kits target vulnerabilities in operating systems and installed software, this will greatly reduce the risk of becoming a victim.
