The cybercriminal group ShadowGate has emerged from a long quiet period, launching a global malvertising campaign that redirects victims to the Greenflash Sundown exploit kit, in order to infect them with SEON ransomware, a cryptominer and the Pony credential-stealer.
Also known as WordsJS, the ShadowGate group is more typically known for targeting Asia, especially South Korea, and it had been limiting its activity for close to two years. For these reasons, the sudden flurry of activity and worldwide scope of the new attacks comes as a bit of a surprise. Researchers from both Malwarebytes and Trend Micro reported on the campaign in a pair of blog posts this week.
"This is the most notable activity we have seen from this group since 2016," writes Trend Micro researcher and blog post author Joseph Chen.
According to data gathered by Trend Micro's global network, the new activity began on June 7 and significantly escalated beginning June 21. As of June 24, Japan has seen the largest share of attacks, 54.36 percent, followed by Italy (26.68 percent), Germany (4.54 percent) and the U.S. (four percent).
The campaign is similar to past ShadowGate operations, in that the actors poisoned ad servers via injection attacks so that they could deliver malicious advertisements to popular websites. Malwarebytes Director of Threat Intelligence Jerome Segura told SC Media the servers in this case were self-hosted ad servers installed by website owners, as opposed to external ones used by ad platforms.
According to the Malwarebytes blog post, one of the affected websites was onlinevideoconverter.com, a video conversion site that gets roughly 200 million visitors per month.
Based on the results of a careful digital fingerprinting process, the malvertisements will conditionally reroute some of these visitors to the Greenflash Sundown EK. The kit then commences a fileless infection process by using an Adobe Flash Player Exploit to deliver its encoded payload via PowerShell.
The use of PowerShell is a new addition to Greenflash Sundown, which was apparently was still being actively upgraded even during ShadowGate's stretches of limited attack activity. The loader helps with the aforementioned fingerprinting process by collecting data on the victim's environment, including OS details, the user name, video card and hard disk information and installed anti-virus products.
"Leveraging PowerShell is interesting because it allows to do some pre-checks before deciding to drop the payload or not. For example, in this case it will check that the environment is not a virtual machine," writes Segura. "If the environment is acceptable, it will deliver a very visible payload in SEON ransomware." If it's not, however, the server will return an empty response, sparing that particular website visitor.
The SEON ransomware uses a batch script to delete shadow copies, making it more difficult for victims to recover from an attack, according to Malwarebytes. Then, to make matters worse, "GreenFlash Sundown EK will also drop Pony and a coin miner while victims struggle to decide the best course of action in order to recover their files," Segura's blog post explains.
ShadowGate was briefly spotted using Greenflash Sundown spreading cryptominers in April 2018, but that limited campaign that was restricted to servers in East Asian countries, Trend Micro noted.