Malvertising campaign infects popular YouTube to MP3 conversion site

Image credit: Pixabay
(Image credit: Pixabay)

Cybercriminals have compromised the servers used to show ads on a popular YouTube to MP3 conversion website in an effort to to help spread the GreenFlash exploit kit and Seon ransomware.

Malvertising is a popular technique among hackers and scammers as it enables them to reach a much wider audience by embedding malicious code or links in advertisements. When a visitor to a site hosting malicious ads clicks on one of them, they are either directed to a fraudulent website or their system is infected with a malicious payload.

What makes malvertising so effective, is the fact that legitimate domains can end up hosting malicious ads without their knowledge, which ends up making them a malware distributor without even realizing it.

Recently, cybercriminals have used the technique to help spread the GreenFlash Sundown exploit kit through a large-scale malvertising campaign.

GreenFlash Sundown exploit kit

Malwarebytes researcher Jérôme Segura provided further insight into how the GreenFlash Sundown exploit kit is being spread beyond Asia in a blog post, saying:

“Exploit kit activity has been relatively quiet for some time, with the occasional malvertising campaign reminding us that drive-by downloads are still a threat. However, during the past few days we noticed a spike in our telemetry for what appeared to be a new exploit kit. Upon closer inspection we realized it was actually the very elusive GreenFlash Sundown EK. The threat actors behind it have a unique modus operandi that consists of compromising ad servers that are run by website owners. In essence, they are able to poison the ads served by the affected publisher via this unique kind of malvertising.”

By infecting the servers used to deliver ads to multiple sites, including the popular YouTube to MP3 converter site Online Video Creator which has over 200m monthly users, the cybercriminals were able use legitimate domains to do their work for them. 

After clicking on an ad on one of the affected sites, visitors are sent to the exploit kit after it checks their system to make sure that it is not a virtual machine. The exploit kit then infects their system with the Seon ransomware which locks their files. However, alongside the ransomware, the exploit kit also infects their system with a cryptcurrency miner and Pony which is used to steal their data.

Up until now, the exploit kit primarily infected users in South Korea but through their new malvertising campaign, the cybercriminals behind it are looking to expand their reach to new targets in the US and Europe.

Via ZDNet