Shadowgate Returns to Worldwide Operations With Evolved Greenflash Sundown Exploit Kit
by Joseph C. Chen


After almost two years of sporadic restricted activity, the ShadowGate campaign has started delivering cryptocurrency miners with a newly upgraded version of the Greenflash Sundown exploit kit. The campaign has been spotted targeting global victims, after operating mainly in Asia.


Background of the Greenflash Sundown exploit kit


The ShadowGate (also called WordsJS) campaign was identified in 2015. It delivered malware with exploit kits through compromised ad servers running Revive/OpenX, a popular advertising technology platform. After a takedown operation in September 2016, the campaign tried to hide its activities.


However, that same year they also developed their own exploit kit, which we named Greenflash Sundown, likely to avoid relying on exploit kit services from the underground market. At the end of 2016, the campaign stopped its injection attacks on compromised ad servers and restricted its activity to spreading ransomware via compromised South Korean websites. In April 2018, ShadowGate was spotted spreading cryptocurrency miners with Greenflash Sundown. However, that injection was limited to servers in East Asian countries and soon stopped.


After a period of relatively restrained activity, we noticed ShadowGate attacking through ad servers again this June. However, these attacks were not targeting only regional victims but global ones. Visitors to websites embedded with malicious advertisements (from ..