Greenflash Sundown Ransomware
This ransomware was first observed in 2015. Greenflash Sundown (also known as Greenflash or GS) is an advanced exploit kit used in the ShadowGate malware campaign. Believed to have been created by ShadowGate’s operators as an evolution of the older Sundown exploit kit, it features updated exploit code as well as new delivery techniques.
Greenflash Sundown delivers payloads directly to targeted systems via malicious adverts hosted on previously compromised web servers. When a user visits a site with these adverts, Greenflash Sundown will identify their system before deploying a suitable exploit. If successful, it will then attempt to install and execute RC4 encrypted payloads.
At the time of publication, Greenflash Sundown is delivering an unnamed ransomware tool along with several secondary payloads, including cryptocurrency miners and the Pony spyware.
One of the affected publishers is onlinevideoconverter[.]com, a popular site to convert videos from YouTube and other platforms into files. According to SimilarWeb, it drives 200 million visitors per month.
For further information:
Indicators of Compromise
IP Addresses
- 104.248.42[.]143
- 172.105.66[.]231
- 198.211.126[.]118
URLs
- ad4989[.]world
- adsfast[.]info
- adsfast[.]site
- cdn-cloud[.]club
- fastimage[.]site
Filenames
- hp_3.exe
- hp_6.exe
SHA256 File Hashes
- aeb073b5ee2e083aba987c7fcaab7265aabe6e5e2cade821db6d46e406e21e95
- 58002d0b8acd1a539503d8ea02ff398e7ad079e0b856087f0ca30d767588be4e
I am one of the editors here at www.systemtek.co.uk I am a UK based technology professional, with an interest in computer security and telecoms.