+- Geeks for your information (https://www.geeks.fyi)
+-- Forum: Security (https://www.geeks.fyi/forumdisplay.php?fid=68)
+--- Forum: Security Vendors (https://www.geeks.fyi/forumdisplay.php?fid=87)
+---- Forum: Heimdal Security (https://www.geeks.fyi/forumdisplay.php?fid=130)
+----- Forum: Heimdal Security Blog Articles (https://www.geeks.fyi/forumdisplay.php?fid=138)
+----- Thread: Security Alert: Malvertising campaign using SundownEK drops SEON ransomware (/showthread.php?tid=7535)
Security Alert: Malvertising campaign using SundownEK drops SEON ransomware - harlan4096 - 28 June 19
Quote:Continue Reading
Here’s what happened and how you can protect yourself
The advertising systems of several popular websites have been compromised by an injection of a malicious script that redirects random visitors to a SundownEK gateway.
Then, non-updated systems are prone to ransomware infections.
The respective injection redirects the traffic via the following chain (sanitized by CSIS):
fastimage[.]site
–> adsfast[.]site
–> accomplishedsettings.cdn-cloud[.]club
The latter acts as SundownEK payload delivery and it is by no means the only subdomain that uses this FQDN for this kind of activity (sanitized by CSIS):
papersnow.cdn-cloud[.]club
woodfigure.cdn-cloud[.]club
alldistrict.cdn-cloud[.]club
bottomboard.cdn-cloud[.]club
examplewhat.cdn-cloud[.]club
lacksolvent.cdn-cloud[.]club
longregions.cdn-cloud[.]club
openlyklerk.cdn-cloud[.]club
securedcity.cdn-cloud[.]club
entirecables.cdn-cloud[.]club
nothingteach.cdn-cloud[.]club
reliesbitter.cdn-cloud[.]club
visionetmail.cdn-cloud[.]club
madridbelgium.cdn-cloud[.]club
usaconceptual.cdn-cloud[.]club
awaitingborrow.cdn-cloud[.]club
bankruptcywood.cdn-cloud[.]club
craiginsurance.cdn-cloud[.]club
encountercarry.cdn-cloud[.]club
intervalscobol.cdn-cloud[.]club
quantumsession.cdn-cloud[.]club
southeastmerit.cdn-cloud[.]club
testifiedearly.cdn-cloud[.]club
beamwordperfect.cdn-cloud[.]club
clonesdiagnosis.cdn-cloud[.]club
does-no-exist33.cdn-cloud[.]club
numberprolonged.cdn-cloud[.]club
pickingteentage.cdn-cloud[.]club
rejectedpumping.cdn-cloud[.]club
biddersoperation.cdn-cloud[.]club
corruptionspirit.cdn-cloud[.]club
criminalappealed.cdn-cloud[.]club
indexestargeting.cdn-cloud[.]club
maastrichtluxury.cdn-cloud[.]club
commissionmethane.cdn-cloud[.]club
officiallyjustice.cdn-cloud[.]club
reactiongeneration.cdn-cloud[.]club
regulatorsdefinite.cdn-cloud[.]club
descriptionsfashion.cdn-cloud[.]club
investigatorsimpose.cdn-cloud[.]club
participatetransmit.cdn-cloud[.]club
accomplishedsettings.cdn-cloud[.]club
organizingconsiderable.cdn-cloud[.]club
The domain (sanitized by CSIS) mtproto[.]world could be activated in case the domain previously mentioned is disabled.
SundownEK will try to exploit vulnerabilities in Adobe Flash Player and Internet Explorer.
If the machine has not been properly updated, a binary payload will be delivered. This will run a ransomware of the SEON class, namely version 0.2 of this malicious ransomware.
Not only that, but a slightly modified version of data stealer Pony will also be dropped.
This SEON variant adds the file extension .FIXT to all data files, both locally and on all available network drives.
Criminals request that the victims contact them via several email addresses listed in the SEON ransomware message.
![[Image: heimdal-logo.svg]](https://heimdalsecurity.com/blog/wp-content/themes/heimdalv2/images/heimdal-logo.svg){kind=logo}