Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Security Alert: Malvertising campaign using SundownEK drops SEON ransomware
#1
Exclamation 
Quote:
[Image: heimdal-logo.svg]

Here’s what happened and how you can protect yourself

The advertising systems of several popular websites have been compromised by an injection of a malicious script that redirects random visitors to a SundownEK gateway.

Then, non-updated systems are prone to ransomware infections.

The respective injection redirects the traffic via the following chain (sanitized by CSIS):

fastimage[.]site

–> adsfast[.]site

–> accomplishedsettings.cdn-cloud[.]club

The latter acts as SundownEK payload delivery and it is by no means the only subdomain that uses this FQDN for this kind of activity (sanitized by CSIS):

papersnow.cdn-cloud[.]club

woodfigure.cdn-cloud[.]club

alldistrict.cdn-cloud[.]club

bottomboard.cdn-cloud[.]club

examplewhat.cdn-cloud[.]club

lacksolvent.cdn-cloud[.]club

longregions.cdn-cloud[.]club

openlyklerk.cdn-cloud[.]club

securedcity.cdn-cloud[.]club

entirecables.cdn-cloud[.]club

nothingteach.cdn-cloud[.]club

reliesbitter.cdn-cloud[.]club

visionetmail.cdn-cloud[.]club

madridbelgium.cdn-cloud[.]club

usaconceptual.cdn-cloud[.]club

awaitingborrow.cdn-cloud[.]club

bankruptcywood.cdn-cloud[.]club

craiginsurance.cdn-cloud[.]club

encountercarry.cdn-cloud[.]club

intervalscobol.cdn-cloud[.]club

quantumsession.cdn-cloud[.]club

southeastmerit.cdn-cloud[.]club

testifiedearly.cdn-cloud[.]club

beamwordperfect.cdn-cloud[.]club

clonesdiagnosis.cdn-cloud[.]club

does-no-exist33.cdn-cloud[.]club

numberprolonged.cdn-cloud[.]club

pickingteentage.cdn-cloud[.]club

rejectedpumping.cdn-cloud[.]club

biddersoperation.cdn-cloud[.]club

corruptionspirit.cdn-cloud[.]club

criminalappealed.cdn-cloud[.]club

indexestargeting.cdn-cloud[.]club

maastrichtluxury.cdn-cloud[.]club

commissionmethane.cdn-cloud[.]club

officiallyjustice.cdn-cloud[.]club

reactiongeneration.cdn-cloud[.]club

regulatorsdefinite.cdn-cloud[.]club

descriptionsfashion.cdn-cloud[.]club

investigatorsimpose.cdn-cloud[.]club

participatetransmit.cdn-cloud[.]club

accomplishedsettings.cdn-cloud[.]club

organizingconsiderable.cdn-cloud[.]club

The domain (sanitized by CSIS) mtproto[.]world could be activated in case the domain previously mentioned is disabled.

SundownEK will try to exploit vulnerabilities in Adobe Flash Player and Internet Explorer.

If the machine has not been properly updated, a binary payload will be delivered. This will run a ransomware of the SEON class, namely version 0.2 of this malicious ransomware.

Not only that, but a slightly modified version of data stealer Pony will also be dropped.

This SEON variant adds the file extension .FIXT to all data files, both locally and on all available network drives.

Criminals request that the victims contact them via several email addresses listed in the SEON ransomware message.
Continue Reading
[-] The following 2 users say Thank You to harlan4096 for this post:
  • ismail, silversurfer
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
Website X5 Go 2024.1
Website X5 Go 2024.1...zevish — 09:32
Apple's rules to allow third-party app ...
Apple has announ...alison30 — 09:28
Intel: Microsoft AI PCs need a Copilot K...
Microsoft hopes th...harlan4096 — 08:55
Synchredible 8 Professional Edition v8.2...
          Synchredib...zevish — 08:54
GFYI [Official] EaseUS Data Recovery Wi...
I utilize EaseUS Par...zevish — 08:10

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
No upcoming birthdays.

[-]
Online Staff
harlan4096's profile harlan4096
Administrator

>