The AchieVer
Posted June 27, 2019

Ads on popular YouTube to MP3 converter service poisoned with exploit kit, ransomware

By exploiting the source, malware can infiltrate legitimate adverts and domains.

Servers used to show adverts on a popular YouTube to MP3 conversion website have been compromised in order to spread the GreenFlash exploit kit and Seon ransomware.

Malvertising is a technique used by hackers and scammers to reach a wide audience, often on legitimate domains and services. Malicious code or links will be embedded within an advertisement which is then displayed to unwitting website visitors, and should they click the link, they may be directed to a fraudulent website or be issued a malicious payload.

The problem with malvertising is that sometimes malicious ads will slip through the net and legitimate domains that rely on adverts for revenue will become the distributors of malware without realizing it.

Examples of successful malvertising campaigns include VeryMal, a campaign which specifically focused on Apple users as well as the compromise of domains belonging to The New York Times, BBC, AOL, and MSN.

It is estimated that in 2017 alone, malvertising made possible through steganography -- a way to hide malicious code in images -- cost ad networks $1.13 billion.

Malvertising is still very much alive, as shown in the recent spread of the GreenFlash Sundown exploit kit through a large and recent campaign.

In a blog post, Malwarebytes researcher Jérôme Segura said on Wednesday that the exploit kit, deemed "elusive" and generally only spotted in Asia, is now expanding.

The malware has been spread through servers used to deliver ads by multiple publishers, including on onlinevideoconverter[.]com, a service which transforms YouTube videos into audio files. This website alone caters for over 200 million users per month, according to SimilarWeb.

Visitors are sent to the exploit kit, but only if their system passes a number of checks designed to avoid virtual machines (VMs). Malicious code is concealed within a fake .GIF image which contains obfuscated JavaScript. The script links to a fastimage website that delivers the malicious payload through another redirect to an adfast website.

A Flash object contains the malware and executes it via PowerShell. If successful, the exploit will drop the Seon ransomware, which was first observed in the wild in late 2018.

The ransomware encrypts a system's files and demands a Bitcoin-based ransom, and will also delete Shadow Volume copies on disk to prevent the recovery of data. .FIXT is appended to the end of encrypted files.

While victims debate whether or not to pay the ransom, the malvertising scheme isn't finished yet -- as alongside the ransomware, the payload also delivers a cryptocurrency miner and Pony, a data stealer.

Previous investigations into the exploit kit limited the malware's spread to within South Korea's borders. However, Malwarebytes said that the latest campaign has moved towards the US and Europe.

ZDNet has reached out to Online Video Converter but has not heard back at the time of publication.

Source
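An added example, not part of the quoted article or of the post above: the article describes script code served as a fake .GIF, so a defender triaging proxy captures can structurally parse any body served as a GIF and flag those that are not images. The function names, the token list and the sample bytes are constructed for illustration.

```python
import re

# Heuristic tokens that should not appear in image bytes (constructed list).
SCRIPT_HINTS = re.compile(
    rb"(?i)<script|eval\s*\(|function\s*\(|document\.|fromCharCode|unescape\s*\(")

def _skip_sub_blocks(data, pos):
    """Walk length-prefixed GIF sub-blocks up to the 0x00 terminator."""
    while True:
        size = data[pos]            # IndexError here means the file is cut short
        pos += 1
        if size == 0:
            return pos
        pos += size

def _table_len(packed):
    """Bytes of colour table announced by a packed-fields byte."""
    return 3 * (2 << (packed & 0x07)) if packed & 0x80 else 0

def inspect_gif(data):
    """Return findings for a body served as a GIF; [] means it parses cleanly."""
    findings = ["script-like-content"] if SCRIPT_HINTS.search(data) else []
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        return findings + ["bad-signature"]
    try:
        pos, images = 13 + _table_len(data[10]), 0   # header + screen descriptor
        while data[pos] != 0x3B:                     # 0x3B is the GIF trailer
            if data[pos] == 0x21:                    # extension: label, sub-blocks
                pos = _skip_sub_blocks(data, pos + 2)
            elif data[pos] == 0x2C:                  # image descriptor
                pos += 10 + _table_len(data[pos + 9]) + 1   # +1: LZW code size
                pos = _skip_sub_blocks(data, pos)
                images += 1
            else:
                raise ValueError("unknown block")
    except (IndexError, ValueError):
        return findings + ["malformed"]
    if images == 0:
        findings.append("no-image-data")
    trailing = len(data) - (pos + 1)                 # bytes after the trailer
    if trailing:
        findings.append(f"trailing-data:{trailing}")
    return findings

# Constructed samples: a 43-byte 1x1 GIF, and script text served under a .gif name.
CLEAN_GIF = bytes.fromhex(
    "474946383961 01000100800000 ffffff000000 21f9040100000000"
    " 2c000000000100010000 0202440100 3b")
FAKE_GIF = b"var a=function(){return eval(unescape('%61'))};"

if __name__ == "__main__":
    for name, body in [("clean", CLEAN_GIF), ("fake", FAKE_GIF)]:
        print(name, inspect_gif(body))
```

The token match is a heuristic and can misfire on arbitrary binary data; the structural findings (`bad-signature`, `malformed`, `trailing-data`) are the stronger signal.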
steven36
Posted June 27, 2019

This used to be a bad problem on link shortener sites, where warez sites used to get paid and to hide their links from bots and Kodi. These kind of sites are bad to use anti-adblock code, which requires extra extensions to block the ads and make the site usable.

Glad to see they're attacking something else. Fact is, YouTube to MP3 websites are not needed on desktop, where you have PowerShell for this malware to run. You can use Invidious and download the audio file, mp4 or webm, and convert it to mp3 yourself if you want, which is way better than YouTube because it's open source and has no ads at all; it's funded by donations only.

Google sites' ads are no better than YouTube to MP3 sites' ads, because people exploit Google sites too, also other legit tube sites; it happened there too before. Also it happened on news sites; it could even happen to ZDNet. Anywhere there are ads it could be exploited, and you never know when they're going to strike. That's what an adblocker is for.

You can also use XDM download manager, which is free, and it will download YouTube and convert it to mp3; it has an encoder built into the download manager.

The only way I would keep anything from YouTube is if no other place had it in better quality; I would only use it as a last resort. I have a few concerts which are the videos. Now I no longer use YouTube; I use Invidious, which is Google Videos with it invading my privacy. I can download the videos right from Google on that site. I have user scripts where if you post a YouTube video or link I don't see it; I only see Invidious. I block YouTube with a script blocker so it can't track me.

It's nothing new; last year exploits cost the ad industry $1.13bn dollars https://www.zdnet.com/article/malicious-code-hidden-in-advert-images-cost-ad-networks-1-13bn-last-year/
Archived
This topic is now archived and is closed to further replies.