Rewterz Threat Alert – GreenFlash Sundown Exploit Kit Delivered Through Malspam Campaign

Severity

Medium

Analysis Summary

A malvertising campaign being used to distribute the GreenFlash Sundown exploit kit. The compromise begins when the user visits a website hosting malvertising ads, in this case, an online video conversion tool. The malicious ad on the website is a gif containing obfuscated JavaScript that redirects a user to a remote site. This site eventually loads a Flash object from the website that performs an additional redirect to a domain associated with the GreenFlash Exploit Kit. It exploits a Flash vulnerability in order to execute PowerShell on a victim system. The PowerShell first performs checks to make sure that the host is not a virtual machine. If the checks pass, the exploit kit drops and executes its payloads on the system. It is found that the SEON ransomware is delivered to encrypt the victim’s files. At the same time, the Pony stealer and a coin miner are also executed on the system. The researchers note that this campaign largely impacted North America and Europe, which is unusual as the GreenFlash Sundown EK had previously only affected Asian countries.

Impact

File encryption

Indicators of Compromise

URLs

• http[:]//accomplishedsettings[.]cdn-cloud[.]club/
• http[:]//adsfast[.]site/
• https[:]//fastimage[.]site/
• ad4989[.]world
• adsfast[.]info
• adsfast[.]site
• cdn-cloud[.]club
• fastimage[.]site

Malware Hash (MD5/SHA1/SH256)

• 58002d0b8acd1a539503d8ea02ff398e7ad079e0b856087f0ca30d767588be4e
• 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b
• 9ff00b46b949bd76923137c0b0ed3cd4e252d6e88a55e9b4798525fa40164850
• a89591555b9acb65353c2b854e582bc41db2fbc0eda2210b89a877d1862084df
• c772bdf4bd05ab63d90f4399e97a1d7eec2891c221739e3b843f9a8c9eddf4d3
• aeb073b5ee2e083aba987c7fcaab7265aabe6e5e2cade821db6d46e406e21e95

Remediation

Block all threat indicators at your respective controls.