Threat Management, Threat Management, Malware, Ransomware

ShadowGate malvertising group serves up SEON ransomware via Greenflash Sundown exploit kit

The cybercriminal group ShadowGate has emerged from a long quiet period, launching a global malvertising campaign that redirects victims to the Greenflash Sundown exploit kit, in order to infect them with SEON ransomware, a cryptominer and the Pony credential-stealer.

Also known as WordsJS, the ShadowGate group is more typically known for targeting Asia, especially South Korea, and it had been limiting its activity for close to two years. For these reasons, the sudden flurry of activity and worldwide scope of the new attacks comes as a bit of a surprise. Researchers from both Malwarebytes and Trend Micro reported on the campaign in a pair of blog posts this week.

"This is the most notable activity we have seen from this group since 2016," writes Trend Micro researcher and blog post author Joseph Chen.

According to data gathered by Trend Micro's global network, the new activity began on June 7 and significantly escalated beginning June 21. As of June 24, Japan has seen the largest share of attacks, 54.36 percent, followed by Italy (26.68 percent), Germany (4.54 percent) and the U.S. (four percent).

The campaign is similar to past ShadowGate operations, in that the actors poisoned ad servers via injection attacks so that they could deliver malicious advertisements to popular websites. Malwarebytes Director of Threat Intelligence Jerome Segura told SC Media the servers in this case were self-hosted ad servers installed by website owners, as opposed to external ones used by ad platforms.

According to the Malwarebytes blog post, one of the affected websites was, a video conversion site that gets roughly 200 million visitors per month.

Based on the results of a careful digital fingerprinting process, the malvertisements will conditionally reroute some of these visitors to the Greenflash Sundown EK. The kit then commences a fileless infection process by using an Adobe Flash Player Exploit to deliver its encoded payload via PowerShell.

The use of PowerShell is a new addition to Greenflash Sundown, which was apparently was still being actively upgraded even during ShadowGate's stretches of limited attack activity. The loader helps with the aforementioned fingerprinting process by collecting data on the victim's environment, including OS details, the user name, video card and hard disk information and installed anti-virus products.

"Leveraging PowerShell is interesting because it allows to do some pre-checks before deciding to drop the payload or not. For example, in this case it will check that the environment is not a virtual machine," writes Segura. "If the environment is acceptable, it will deliver a very visible payload in SEON ransomware." If it's not, however, the server will return an empty response, sparing that particular website visitor.

The SEON ransomware uses a batch script to delete shadow copies, making it more difficult for victims to recover from an attack, according to Malwarebytes. Then, to make matters worse, "GreenFlash Sundown EK will also drop Pony and a coin miner while victims struggle to decide the best course of action in order to recover their files," Segura's blog post explains.

ShadowGate was briefly spotted using Greenflash Sundown spreading cryptominers in April 2018, but that limited campaign that was restricted to servers in East Asian countries, Trend Micro noted.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.