The advertising systems of several popular websites have been compromised through the injection of a malicious script that redirects random visitors to a SundownEK gateway.

Visitors on systems that have not been updated are then exposed to a ransomware infection.

The respective injection redirects the traffic via the following chain (sanitized by CSIS):

fastimage[.]site

–> adsfast[.]site

–> accomplishedsettings.cdn-cloud[.]club

The last hop serves the SundownEK payload, and it is by no means the only subdomain of cdn-cloud[.]club used for this kind of activity (sanitized by CSIS):

papersnow.cdn-cloud[.]club

woodfigure.cdn-cloud[.]club

alldistrict.cdn-cloud[.]club

bottomboard.cdn-cloud[.]club

examplewhat.cdn-cloud[.]club

lacksolvent.cdn-cloud[.]club

longregions.cdn-cloud[.]club

openlyklerk.cdn-cloud[.]club

securedcity.cdn-cloud[.]club

entirecables.cdn-cloud[.]club

nothingteach.cdn-cloud[.]club

reliesbitter.cdn-cloud[.]club

visionetmail.cdn-cloud[.]club

madridbelgium.cdn-cloud[.]club

usaconceptual.cdn-cloud[.]club

awaitingborrow.cdn-cloud[.]club

bankruptcywood.cdn-cloud[.]club

craiginsurance.cdn-cloud[.]club

encountercarry.cdn-cloud[.]club

intervalscobol.cdn-cloud[.]club

quantumsession.cdn-cloud[.]club

southeastmerit.cdn-cloud[.]club

testifiedearly.cdn-cloud[.]club

beamwordperfect.cdn-cloud[.]club

clonesdiagnosis.cdn-cloud[.]club

does-no-exist33.cdn-cloud[.]club

numberprolonged.cdn-cloud[.]club

pickingteentage.cdn-cloud[.]club

rejectedpumping.cdn-cloud[.]club

biddersoperation.cdn-cloud[.]club

corruptionspirit.cdn-cloud[.]club

criminalappealed.cdn-cloud[.]club

indexestargeting.cdn-cloud[.]club

maastrichtluxury.cdn-cloud[.]club

commissionmethane.cdn-cloud[.]club

officiallyjustice.cdn-cloud[.]club

reactiongeneration.cdn-cloud[.]club

regulatorsdefinite.cdn-cloud[.]club

descriptionsfashion.cdn-cloud[.]club

investigatorsimpose.cdn-cloud[.]club

participatetransmit.cdn-cloud[.]club

accomplishedsettings.cdn-cloud[.]club

organizingconsiderable.cdn-cloud[.]club

The domain mtproto[.]world (sanitized by CSIS) may be activated as a fallback if the domain mentioned above is taken down.
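The redirect chain and the cdn-cloud[.]club subdomain list above are most useful as a blocklist and as a hunting query over proxy or DNS logs. The script below is an added example, not code from the post, CSIS or Heimdal: it refangs the published indicators, treats every subdomain of a listed apex as a match (so the whole cdn-cloud[.]club list, including labels not yet seen, is covered by one entry), and scans a constructed sample proxy log for hits. The log lines, the `refang`, `is_blocked` and `scan_log` helpers, and the log format are all assumptions made for the example.

```python
"""Match proxy/DNS log lines against the SundownEK redirect-chain indicators.

Added example for the post above; not code from CSIS or Heimdal.
The sample log below is constructed, not real traffic.
"""
import re

# Indicators as published in the post, defanged with [.] (sanitized by CSIS).
# Only apex domains are listed: every payload host in the post is a subdomain
# of cdn-cloud[.]club, so matching the parent covers the whole list.
DEFANGED_INDICATORS = [
    "fastimage[.]site",
    "adsfast[.]site",
    "cdn-cloud[.]club",
    "mtproto[.]world",   # named in the post as a possible fallback domain
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into a real hostname."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")


BLOCKLIST = {refang(d) for d in DEFANGED_INDICATORS}


def is_blocked(hostname: str) -> bool:
    """True if hostname equals, or is a subdomain of, any blocklisted apex.

    The "." prefix in the endswith() check stops look-alikes such as
    notcdn-cloud.club from matching.
    """
    host = hostname.lower().rstrip(".")
    return any(host == apex or host.endswith("." + apex) for apex in BLOCKLIST)


# Pulls URL hosts or bare domains out of a free-form log field (assumed format).
_HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def scan_log(lines):
    """Return (line_number, matched_host) for each log line touching an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in _HOST_RE.findall(line):
            if is_blocked(host):
                hits.append((n, host.lower()))
                break  # one hit per line is enough for triage
    return hits


# Constructed sample proxy/DNS log: benign traffic, the chain from the post,
# a look-alike host that must NOT match, and a query for the fallback domain.
SAMPLE_LOG = [
    "2019-03-28T10:00:01 10.0.0.5 GET http://www.example.com/news/ 200",
    "2019-03-28T10:00:02 10.0.0.5 GET http://fastimage.site/ad.js 302",
    "2019-03-28T10:00:02 10.0.0.5 GET http://adsfast.site/r?id=1 302",
    "2019-03-28T10:00:03 10.0.0.5 GET http://accomplishedsettings.cdn-cloud.club/index.php 200",
    "2019-03-28T10:00:09 10.0.0.7 GET http://cdn-cloud.clubhouse.example/ 200",
    "2019-03-28T10:00:15 10.0.0.9 DNS mtproto.world A",
]

if __name__ == "__main__":
    for n, host in scan_log(SAMPLE_LOG):
        print(f"line {n}: {host}")
```

Blocking at the apex rather than per subdomain is the practical choice here: the post itself shows dozens of throwaway labels under one parent, and a per-FQDN list would be stale the moment a new label is registered.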

SundownEK will try to exploit vulnerabilities in Adobe Flash Player and Internet Explorer.

If the machine has not been properly updated, a binary payload is delivered that runs SEON ransomware, version 0.2.

In addition, a slightly modified version of the Pony data stealer is dropped.

This SEON variant adds the file extension .FIXT to all data files, both locally and on all available network drives.

Criminals request that the victims contact them via several email addresses listed in the SEON ransomware message.

All folders that have had data encrypted by SEON ransomware contain a text file with the following note:

    SEON RANSOMWARE ver 0.2

    all your files has been encrypted

    there is only way to get your files back: contact with us, get decryptor software and pay

    We accept Bitcoin and other cryptocurrencies

    You can decrypt 1 file for free

    Our contact emails:

    [removed by CSIS]-
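Two artefacts described above, the .FIXT extension appended to encrypted files and the ransom note dropped into every affected folder, are what an incident responder uses to scope how far SEON got on a machine or network share. The script below is an added example, not code from the post, CSIS or Heimdal: it walks a directory tree, counts .FIXT files per folder and flags folders that also hold a note, recognised by the "SEON RANSOMWARE" header quoted above rather than by file name, since the post does not give the note's file name. The `build_fixture` helper creates a constructed sample tree so the script runs offline; the tree contents and the `triage` report shape are assumptions made for the example.

```python
"""Scope a suspected SEON infection: which folders hold .FIXT files and/or the note.

Added example for the post above; not code from CSIS or Heimdal.
The fixture tree is constructed, not data from a real victim.
"""
import os
import tempfile

ENCRYPTED_EXT = ".fixt"           # extension SEON appends, per the post
NOTE_MARKER = b"SEON RANSOMWARE"  # first line of the note quoted in the post


def looks_like_note(path, max_bytes=4096):
    """Read only the head of a candidate text file and look for the note header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(max_bytes)
    except OSError:
        return False
    return NOTE_MARKER in head.upper()


def triage(root):
    """Return {relative_folder: {"encrypted": count, "note": bool}} for affected folders.

    Folders with neither a .FIXT file nor a note are left out of the report.
    """
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = 0
        note = False
        for name in files:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                encrypted += 1
            elif lower.endswith(".txt") and looks_like_note(os.path.join(dirpath, name)):
                note = True
        if encrypted or note:
            report[os.path.relpath(dirpath, root)] = {"encrypted": encrypted, "note": note}
    return report


def build_fixture():
    """Create a constructed sample tree (assumed layout) and return its root path."""
    root = tempfile.mkdtemp(prefix="seon-triage-")
    layout = {
        "finance/q1.xlsx.FIXT": b"\x00" * 64,
        "finance/readme.txt": b"SEON RANSOMWARE ver 0.2\nall your files has been encrypted\n",
        "hr/policy.docx.FIXT": b"\x00" * 64,
        "hr/notes.txt": b"meeting minutes\n",
        "public/index.html": b"<html></html>",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for folder, info in sorted(triage(build_fixture()).items()):
        print(f"{folder}: {info['encrypted']} encrypted file(s), note={info['note']}")
```

Run against a mounted share, the per-folder counts show which paths the ransomware reached before it stopped, which is the first thing needed to decide what must be restored from backup.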

Heimdal blocks the related domains, so all Thor Home and Thor Enterprise users are safe.

The security guide you need to follow so you don’t risk losing your data

There is no guarantee that a key for the SEON Ransomware will be provided by this group in exchange for money.

And even if the malicious group actually provided a key that decrypts your files, you should not be paying them. By offering them money, you are encouraging this type of criminal online behavior.

To our knowledge, there is currently no free decryption tool available for SEON.

So, here are the steps you need to follow to stay protected against the SEON ransomware (and other ransomware strains in general):

#1. Make sure you always apply updates to your system, software, and apps.

In this specific case, check if you are running the latest version of Adobe Flash Player and IE. Or use a solution that closes security holes in your software through automatic patching, like Thor Free.

#2. Always back up your files.

If you have a copy of your files stored somewhere else, either on an external hard drive or in the cloud, a ransomware attack costs you far less. You would, of course, still have to start over with a fresh PC installation, but you would keep access to your backed-up important documents.

This guide will show you how to back up your files.

#3. Have a good security solution running on your PC.

Use a proactive anti-malware solution that detects threats before they execute. Malware is specially developed to bypass traditional antivirus, so adding further security layers is what keeps you protected.

For example, Thor Foresight Home always protects you against ransomware attacks, because it filters your Internet traffic and blocks ransomware distribution sources. Also, it automatically updates your apps, so you don’t have to worry about it. And it works great alongside any other antivirus software.


#4. DO NOT pay the ransom.

I’ve said this before and I’ll say it again: whatever you do, just don’t pay the ransom!

*This article features cyber intelligence provided by CSIS Security Group researchers. 
