Ads on popular YouTube to MP3 converter service poisoned with exploit kit, ransomware

By exploiting the source, malware can infiltrate legitimate adverts and domains.
Written by Charlie Osborne, Contributing Writer

Servers used to show adverts on a popular YouTube to MP3 conversion website have been compromised in order to spread the GreenFlash exploit kit and Seon ransomware. 

Malvertising is a technique used by hackers and scammers to reach a wide audience, often on legitimate domains and services. Malicious code or links will be embedded within an advertisement which is then displayed to unwitting website visitors, and should they click the link, they may be directed to a fraudulent website or be issued a malicious payload. 

The problem with malvertising is that sometimes malicious ads will slip through the net and legitimate domains that rely on adverts for revenue will become the distributors of malware without realizing it. 

Examples of successful malvertising campaigns include VeryMal, which specifically targeted Apple users, as well as the compromise of domains belonging to The New York Times, BBC, AOL, and MSN.

It is estimated that in 2017 alone, malvertising made possible through steganography -- a way to hide malicious code in images -- cost ad networks $1.13 billion.

Malvertising is still very much alive, as shown in the recent spread of the GreenFlash Sundown exploit kit through a large and recent campaign.

In a blog post, Malwarebytes researcher Jérôme Segura said on Wednesday that the exploit kit, deemed "elusive" and generally only spotted in Asia, is now expanding. 

The malware has been spread through servers used to deliver ads by multiple publishers, including on onlinevideoconverter[.]com, a service which transforms YouTube videos into audio files. This website alone caters for over 200 million users per month, according to SimilarWeb. 

Visitors are sent to the exploit kit, but only if their system passes a number of checks designed to avoid virtual machines (VMs).

Malicious code is concealed within a fake .GIF image which contains obfuscated JavaScript. The script links to a fastimage website that delivers the malicious payload through another redirect to an adfast website. A Flash object contains the malware and executes it via PowerShell.
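As an added example, not code from the article or from the Malwarebytes report, this Python check is the kind of test an ad-serving team could run over creatives to catch a fake GIF of the sort described above: it walks the GIF block structure, reports any bytes trailing the 0x3B end-of-file marker, and flags JavaScript markers anywhere in the file. The marker list and the two sample files are constructed for the example.

```python
import re
from typing import Optional

# Strings that should never appear inside a genuine image; constructed list, not from the Malwarebytes report
JS_MARKERS = re.compile(rb"<script|eval\(|String\.fromCharCode|document\.write|unescape\(", re.I)

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past length-prefixed sub-blocks; 0x00 ends them. Truncated input yields pos > len(data)."""
    while pos < len(data):
        n, pos = data[pos], pos + 1
        if n == 0:
            return pos
        pos += n
    return len(data) + 1

def gif_trailer_offset(data: bytes) -> Optional[int]:
    """Walk the GIF block structure; return the offset just past the 0x3B trailer, or None if malformed."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    pos, packed = 13, data[10]
    if packed & 0x80:                                   # global colour table follows the screen descriptor
        pos += 3 * 2 ** ((packed & 0x07) + 1)
    while pos < len(data):
        sep, pos = data[pos], pos + 1
        if sep == 0x3B:                                 # trailer: a well-formed file ends here
            return pos
        if sep == 0x21:                                 # extension: one label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif sep == 0x2C and pos + 9 <= len(data):      # image descriptor, optional local table, LZW size
            lct, pos = data[pos + 8], pos + 9
            if lct & 0x80:
                pos += 3 * 2 ** ((lct & 0x07) + 1)
            pos = _skip_sub_blocks(data, pos + 1)
        else:
            return None
    return None                                         # ran off the end without a trailer

def scan_ad_asset(data: bytes) -> dict:
    """Flag a supposed GIF that carries bytes past its trailer or JavaScript markers anywhere in it."""
    end = gif_trailer_offset(data)
    trailing = len(data) - end if end is not None else 0
    markers = sorted({m.group(0).lower().decode() for m in JS_MARKERS.finditer(data)})
    return {"valid_gif": end is not None, "trailing_bytes": trailing, "js_markers": markers,
            "suspicious": end is None or trailing > 0 or bool(markers)}

# Constructed samples: a well-formed 1x1 GIF, and the same bytes with a script appended after the trailer
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff\x21\xf9\x04\x01\x00\x00\x00\x00"
             b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
POLYGLOT_GIF = CLEAN_GIF + b"<script>eval(unescape('%61%6c%65%72%74'))</script>"
```

A creative that fails this check should be held back from rotation and the serving chain it came through reviewed, since a valid image never needs bytes after its trailer.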

If successful, the exploit will drop the Seon ransomware, which was first observed in the wild in late 2018. The ransomware encrypts a system's files and demands a Bitcoin-based ransom, and will also delete Shadow Volume copies on disk to prevent the recovery of data. 

.FIXT is appended to the end of encrypted files. 

While victims debate whether or not to pay the ransom, the malvertising scheme isn't finished yet -- as alongside the ransomware, the payload also delivers a cryptocurrency miner and Pony, a data stealer. 

Previous investigations into the exploit kit limited the malware's spread to within South Korea's borders. However, Malwarebytes said that the latest campaign has moved towards the US and Europe.

Online Video Converter told ZDNet, "We have only just been made known of the issue, and have currently disabled our ad server while looking further into the issue."
