Security Alert: Malvertising campaign using SundownEK drops SEON ransomware
Quote:

Here’s what happened and how you can protect yourself

The advertising systems of several popular websites have been compromised by an injection of a malicious script that redirects random visitors to a SundownEK gateway.

Then, non-updated systems are prone to ransomware infections.

The respective injection redirects the traffic via the following chain (sanitized by CSIS):

fastimage[.]site –> adsfast[.]site –> accomplishedsettings.cdn-cloud[.]club

The latter acts as SundownEK payload delivery and it is by no means the only subdomain that uses this FQDN for this kind of activity (sanitized by CSIS):

papersnow.cdn-cloud[.]club
woodfigure.cdn-cloud[.]club
alldistrict.cdn-cloud[.]club
bottomboard.cdn-cloud[.]club
examplewhat.cdn-cloud[.]club
lacksolvent.cdn-cloud[.]club
longregions.cdn-cloud[.]club
openlyklerk.cdn-cloud[.]club
securedcity.cdn-cloud[.]club
entirecables.cdn-cloud[.]club
nothingteach.cdn-cloud[.]club
reliesbitter.cdn-cloud[.]club
visionetmail.cdn-cloud[.]club
madridbelgium.cdn-cloud[.]club
usaconceptual.cdn-cloud[.]club
awaitingborrow.cdn-cloud[.]club
bankruptcywood.cdn-cloud[.]club
craiginsurance.cdn-cloud[.]club
encountercarry.cdn-cloud[.]club
intervalscobol.cdn-cloud[.]club
quantumsession.cdn-cloud[.]club
southeastmerit.cdn-cloud[.]club
testifiedearly.cdn-cloud[.]club
beamwordperfect.cdn-cloud[.]club
clonesdiagnosis.cdn-cloud[.]club
does-no-exist33.cdn-cloud[.]club
numberprolonged.cdn-cloud[.]club
pickingteentage.cdn-cloud[.]club
rejectedpumping.cdn-cloud[.]club
biddersoperation.cdn-cloud[.]club
corruptionspirit.cdn-cloud[.]club
criminalappealed.cdn-cloud[.]club
indexestargeting.cdn-cloud[.]club
maastrichtluxury.cdn-cloud[.]club
commissionmethane.cdn-cloud[.]club
officiallyjustice.cdn-cloud[.]club
reactiongeneration.cdn-cloud[.]club
regulatorsdefinite.cdn-cloud[.]club
descriptionsfashion.cdn-cloud[.]club
investigatorsimpose.cdn-cloud[.]club
participatetransmit.cdn-cloud[.]club
accomplishedsettings.cdn-cloud[.]club
organizingconsiderable.cdn-cloud[.]club

The domain (sanitized by CSIS) mtproto[.]world could be activated in case the domain previously mentioned is disabled.

SundownEK will try to exploit vulnerabilities in Adobe Flash Player and Internet Explorer.

If the machine has not been properly updated, a binary payload will be delivered. This will run ransomware of the SEON class, namely version 0.2 of this malicious ransomware.

Not only that, but a slightly modified version of data stealer Pony will also be dropped.

This SEON variant adds the file extension .FIXT to all data files, both locally and on all available network drives.

Criminals request that the victims contact them via several email addresses listed in the SEON ransomware message.
[-] The following 2 users say Thank You to harlan4096 for this post:
  • ismail, silversurfer
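The alert above publishes its indicators in defanged form (`[.]`) and notes that the listed cdn-cloud[.]club subdomains are not exhaustive. The following script, added here as an example and not part of the quoted Heimdal/CSIS alert, shows how a defender would turn those indicators into a proxy-log check: it refangs the domains, treats the whole cdn-cloud[.]club parent as an indicator so unlisted subdomains still match, flags clients that walked the complete redirect chain rather than only the first hop, and adds the .FIXT extension check for the SEON file-system artifact. The log format and the log lines are constructed for the example; the helper names are the example's own.

```python
import re
from urllib.parse import urlsplit

def refang(ioc: str) -> str:
    """Turn a defanged indicator such as example[.]site back into a real hostname."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()

# Indicators copied from the alert, refanged at import time.
CHAIN = [refang(d) for d in ("fastimage[.]site", "adsfast[.]site",
                             "accomplishedsettings.cdn-cloud[.]club")]
FALLBACK = [refang("mtproto[.]world")]
# The alert says many other cdn-cloud[.]club subdomains deliver the payload,
# so the parent domain itself is matched, not just the listed subdomains.
PARENT_DOMAINS = [refang("cdn-cloud[.]club")]
RANSOM_EXT = ".fixt"  # extension SEON appends to encrypted files (compared case-insensitively)

# Constructed proxy log lines: timestamp, client IP, method, URL, HTTP status.
SAMPLE_LOG = """\
2019-03-12T10:01:02Z 10.0.0.5 GET http://news.example.org/index.html 200
2019-03-12T10:01:03Z 10.0.0.5 GET http://fastimage.site/banner.js 302
2019-03-12T10:01:03Z 10.0.0.5 GET http://adsfast.site/r?id=1 302
2019-03-12T10:01:04Z 10.0.0.5 GET http://woodfigure.cdn-cloud.club/index.php 200
2019-03-12T10:02:11Z 10.0.0.7 GET http://cdn.example.net/lib.js 200
2019-03-12T10:03:40Z 10.0.0.9 GET http://mtproto.world/gate 200
""".splitlines()

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line: str):
    """Parse one constructed log line; malformed lines yield None instead of raising."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url, status = m.groups()
    return {"ts": ts, "client": client, "host": urlsplit(url).hostname or "",
            "status": int(status)}

def classify_host(host: str):
    """Label a hostname by which indicator it matches, or None for no match."""
    h = host.lower().rstrip(".")
    if h in CHAIN:
        return f"chain-stage-{CHAIN.index(h) + 1}"
    if h in FALLBACK:
        return "fallback-gateway"
    for parent in PARENT_DOMAINS:
        if h == parent or h.endswith("." + parent):
            return f"payload-delivery:{parent}"
    return None

def scan_proxy_log(lines):
    """Return every parsed record whose host matches an indicator, with its label."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify_host(rec["host"])
        if label:
            hits.append({**rec, "label": label})
    return hits

def clients_reaching_payload(hits):
    """Clients that passed both redirect hops and then a payload-delivery host;
    a single stray hit on the first hop is noise, the full chain is the alert."""
    by_client = {}
    for h in hits:
        by_client.setdefault(h["client"], set()).add(h["label"])
    return sorted(
        c for c, labels in by_client.items()
        if {"chain-stage-1", "chain-stage-2"} <= labels
        and any(l == "chain-stage-3" or l.startswith("payload-delivery") for l in labels)
    )

def is_ransom_artifact(filename: str) -> bool:
    """True for files carrying the .FIXT extension the alert attributes to SEON."""
    return filename.lower().endswith(RANSOM_EXT)

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["client"]} {h["host"]} -> {h["label"]}')
    print("clients that reached the payload host:", clients_reaching_payload(found))
```

Matching on the parent domain is deliberate: the alert itself says the listed subdomains are only the ones seen so far, so an exact-match list would miss the next one. The .FIXT check is what a file-server sweep or an EDR rule would apply to catch the encryption stage if the network stage was missed.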