# ShadowGate Returns to Worldwide Operations With Evolved Greenflash Sundown Exploit Kit

Posted on June 27, 2019 at 7:16 am, in [Exploits](https://blog.trendmicro.com/trendlabs-security-intelligence/category/exploits/)

Author: [Joseph C Chen (Fraud Researcher)](https://blog.trendmicro.com/trendlabs-security-intelligence/author/josephcchen/)

After almost two years of sporadic, restricted activity, the ShadowGate campaign has started delivering cryptocurrency miners with a newly upgraded version of the [Greenflash Sundown exploit kit](https://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/). The campaign has been spotted targeting global victims, after operating mainly in Asia.

**_Background of the Greenflash Sundown exploit kit_**

kits through the compromised ad servers of Revive/OpenX advertising software. After a [takedown operation](https://blog.talosintelligence.com/2016/09/shadowgate-takedown.html) in September 2016, the campaign tried to hide its activities. However, that same year they also developed their own exploit kit, [which we named Greenflash Sundown](https://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/), likely to avoid using exploit kit services from the underground market.
At the end of 2016, the campaign stopped their injection attacks on the compromised ad servers and restricted their activity to spreading ransomware via compromised South Korean websites. In April 2018, ShadowGate was [spotted](https://asec.ahnlab.com/1199) spreading cryptocurrency miners with Greenflash Sundown. However, the injection was limited to servers in East Asian countries and soon stopped.

After a period of relatively restrained activity, we noticed ShadowGate attacking through ad servers again this June. However, these attacks were not just targeting regional victims but global ones. Visitors to websites embedded with malicious advertisements (from the compromised ad servers) were redirected to the Greenflash Sundown exploit kit and infected with a Monero cryptocurrency miner. This is the most notable activity we have seen from this group since 2016. Despite their low profile over the past couple of years, it seems that they have been continuously developing and evolving their exploit kit. Below is a report on how the Greenflash Sundown exploit kit has changed since we discovered it in 2016, including details of their latest activity.

**_Greenflash Sundown refined evasion and targeting techniques_**

ShadowGate is invested in the continuous development of their exploit kit. In 2018, Greenflash Sundown was [spotted integrating the Flash exploit for CVE-2018-4878](https://malware.dontneedcoffee.com/2018/03/CVE-2018-4878.html) prior to other exploit kits. Greenflash Sundown was then [identified using another Flash exploit for CVE-2018-15982](https://twitter.com/vigilantbeluga/status/1114216872725995520) this April. The continuous updates of the kit to include new exploits allow it to maintain its infection rate.

_Figure 1. Attack flow of ShadowGate and the Greenflash Sundown exploit kit_

_Figure 2. Timeline of ShadowGate Activity (data from Trend Micro Smart Protection Network)_

_Figure 3. Country distribution of ShadowGate Activity (data from Trend Micro Smart Protection Network from June 7, 2019 to June 24, 2019)_

During the latest attack of ShadowGate that started this June, we found that they had another version of the Greenflash Sundown exploit kit with two updates.

_Figure 4. Greenflash Sundown exploit kit traffic pattern (top) and exploits for CVE-2018-15982 (Flash version 31.0.0.153) (bottom)_

The first change involves the integration of a [public key encryption algorithm](https://www.khanacademy.org/computing/ap-computer-science-principles/the-internet/tls-secure-data-transport/a/public-key-encryption) to protect their exploit kit payload. Last November, we saw that this exploit kit used the same encryption technique to protect their malware payload during the last infection stage. However, this time they used the encryption from the first [...] a unique secret key during each attack. The secret key will be encrypted by a public key and then securely sent to the exploit kit. The exploit kit — using a private key — can recover the secret key and use it to encrypt the malicious payload that will be delivered with the [RC4 algorithm](https://www.vocal.com/cryptography/rc4-encryption-algoritm/) (a cipher requiring a shared key for decryption). The payload will then be sent to the victim, who will decrypt it with the secret key. This encryption technique is supposed to prevent security solutions from detecting their malicious payload as it is transferred to the victim. In theory, because the secret key only exists in memory and is not supposed to be transferred directly in plaintext, it is difficult for a threat analyst to find the secret key and decrypt the malicious payload.
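The key-protection scheme just described, modelled as an added example (constructed illustration code, not the kit's script): the nonce-to-secret-key derivation (SHA-256 here) and the RSA step (shown as an opaque placeholder) are assumptions, and the `analyst_recover` function shows why the nonce reuse the post describes next, with the nonce sent in plaintext, lets a defender holding only a traffic capture recover the payload for analysis without the RSA private key.

```python
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_secret_key(nonce: bytes) -> bytes:
    """Assumed derivation (the real one sits in the kit's obfuscated script):
    secret key = SHA-256(nonce)."""
    return hashlib.sha256(nonce).digest()


def victim_request(nonce: bytes, webgl_info: bytes) -> dict:
    """Victim side. The secret key is derived from the nonce and would travel
    RSA-encrypted (modelled as an opaque placeholder string); the same nonce
    is reused as the RC4 key for the WebGL fingerprint and is sent in the clear."""
    secret = derive_secret_key(nonce)
    return {"nonce": nonce.hex(),
            "enc_key": f"<RSA(secret key, {len(secret)} bytes), opaque to observer>",
            "webgl": rc4(nonce, webgl_info)}


def server_response(nonce_hex: str, payload: bytes) -> bytes:
    """Server side. In the real kit the secret key is recovered with the RSA
    private key; here it is simply re-derived from the nonce."""
    secret = derive_secret_key(bytes.fromhex(nonce_hex))
    return rc4(secret, payload)


def analyst_recover(request: dict, response: bytes) -> tuple:
    """Passive observer of the capture: uses only the plaintext nonce field,
    never the RSA private key, to recover the payload and the WebGL fingerprint."""
    nonce = bytes.fromhex(request["nonce"])
    payload = rc4(derive_secret_key(nonce), response)
    webgl = rc4(nonce, request["webgl"])
    return payload, webgl
```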
The use of a public key encryption algorithm was also seen in the [exploit kit Underminer, which we discovered last year](https://blog.trendmicro.com/trendlabs-security-intelligence/new-underminer-exploit-kit-delivers-bootkit-and-cryptocurrency-mining-malware-with-encrypted-tcp-tunnel/). However, we found that the hackers behind the Greenflash Sundown exploit kit made a mistake with their encryption. They used the generated nonce not only for generating the secret key but also as an RC4 key to encrypt the victim’s [WebGL](https://get.webgl.org/) information before sending it to the exploit kit server. The generated nonce was actually sent in plaintext during their communication, which makes it accessible and readable. With the nonce, it becomes possible to reproduce the secret key and decrypt the malicious payload offline.

_Figure 5. The Greenflash Sundown exploit kit encrypts the secret key with the [JSEncrypt](https://github.com/travist/jsencrypt) library (deobfuscated)_

The latest version of the Greenflash Sundown exploit kit also features an updated PowerShell loader. Since November 2018, we noticed the exploit kit started to use a PowerShell loader, which makes it capable of [fileless malware infection](https://www.trendmicro.com/vinfo/pl/security/news/security-technology/security-101-the-rise-of-fileless-threats-that-abuse-powershell). The upgraded loader in this new version is now capable of collecting a profile of the victim’s environment and sending the information to the exploit kit server. This allows its operators to be more precise in their targeting. If the victim’s profile fits their specifications, the malware will deliver its payload. Otherwise, the server will return an empty response. The upgrade also helps them avoid sandboxes or honeypots that can capture their malware. The information taken from the victim includes OS details, user name, video card, hard disk information, and antivirus products.

_Figure 6. The PowerShell loader sends the victim’s profile and loads a malware payload with fileless infection_

**_Recommendations and Solutions_**

targets. These criminals sometimes spend years refining their attacks, as seen with Greenflash Sundown. To stay ahead of the curve, users should always keep their systems and applications updated to the latest version. The vulnerabilities targeted by these exploit kits usually have available fixes, so applying a solid patching and update strategy mitigates much of the risk.

To further strengthen security, enterprises are also advised to enable a [multilayered protection system that can actively block threats and malicious URLs from the gateway to the endpoint](https://www.trendmicro.com/en_us/business.html). A proactive, multilayered approach to security is key against threats that exploit vulnerabilities. Trend Micro [Deep Security](https://www.trendmicro.com/us/enterprise/cloud-solutions/deep-security/index.html) and Trend Micro™ [Vulnerability Protection](https://www.trendmicro.com/us/enterprise/product-security/vulnerability-protection/) also provide virtual patching that protects servers and endpoints from threats that abuse vulnerabilities in critical applications or websites.
Trend Micro customers are protected by the following Deep Security rule:

- 1009405-Adobe Flash Player Use After Free Vulnerability (CVE-2018-15982)

[Trend Micro™ OfficeScan™](http://www.trendmicro.com/us/enterprise/product-security/officescan/) with [XGen™ endpoint security](http://www.trendmicro.com/us/business/xgen/index.html) has [Vulnerability Protection](https://www.trendmicro.com/us/enterprise/product-security/vulnerability-protection/) that shields endpoints from identified and unknown vulnerability exploits even before patches are deployed. Trend Micro™ Smart Protection Suites and [Worry-Free™ Business Security](http://www.trendmicro.com/us/small-business/product-security/) protect end users and businesses from these threats by detecting and blocking malicious files and all related malicious URLs.

**_Additional insights from Chaoying Liu and Nakaya Yoshihiro_**

This was also earlier [reported by Malwarebytes](https://blog.malwarebytes.com/threat-analysis/2019/06/greenflash-sundown-exploit-kit-expands-via-large-malvertising-campaign/).

**_Indicators of Compromise_**

| File name | Indicator | Detection |
|---|---|---|
| ShadowGate/WordsJS | fastimage[.]site | malicious domain |
| ShadowGate/WordsJS | ad4989[.]world | malicious domain |
| GreenFlash Sundown EK | adsfast[.]site | domain |
| GreenFlash Sundown EK | adsfast[.]info | domain |
| GreenFlash Sundown EK | cdn-cloud[.]club | domain |
| hp_3.exe | aeb073b5ee2e083aba987c7fcaab7265aabe6e5e2cade821db6d46e406e21e95 | Coinminer.Win32.MALXMR.SMBM4 |
| hp_6.exe | 58002d0b8acd1a539503d8ea02ff398e7ad079e0b856087f0ca30d767588be4e | Coinminer.Win64.TOOLXMR.SMA |

_Updated July 1, 4:20PM: Updated to clarify the product of Revive/OpenX that was compromised._