Fallout exploit kit appeared in the threat landscape in malvertising campaigns

At the end of August, security experts discovered a new exploit kit called Fallout that is being used to distribute the GandCrab ransomware.

At the end of August, the threat analyst nao_sec discovered a new exploit kit called Fallout that is being used to distribute the GandCrab ransomware and other malicious codes, including droppers and potentially unwanted programs (PUPs).

Once deployed on a compromised website, the exploit kit leverages the CVE-2018-4878 Adobe Flash Player and the CVE-2018-8174Windows VBScript engine vulnerabilities to deliver a malware on the visitors’ machines.

“At the end of August 2018, we observed a new Exploit Kit. Its behavior (code generation using html) and URL pattern are similar to Nuclear Pack Exploit Kit. Therefore we named it “Fallout Exploit Kit”. Fallout Exploit Kit is using CVE-2018-4878 and CVE-2018-8174. That code is distinctive and interesting.” reads a blog post published by nao_sec.

At the time of the discovery, the exploit kit was delivering and installing the SmokeLoader downloader that was used to download the CoalaBot and another unidentified malware.

“The exe file executed by shellcode is “Nullsoft Installer self-extracting archive”. This will run SmokeLoader and two exe files will be downloaded” continues the analysis.

The Fallout exploit kit was also observed by FireEye in a malvertising campaign affecting users in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region.

The security firm observed the exploit kit installing the GandCrab Ransomware on Windows machines, it was also used to redirect macOS users to pages promoting fake antivirus software or fake Adobe Flash Players.

The exploit kit will first attempt to exploit VBScript, then it will try to exploit the Flash Player flaw.

Once the exploit code is executed, it will download and execute a Trojan onto Windows systems. The malicious code then enumerates all running processes, creates their crc32 checksums, and compare them against a list of blacklisted checksum associated with virtual machines and analysis tools such as:

vmwareuser.exe
vmwareservice.exe
vboxservice.exe
vboxtray.exe
Sandboxiedcomlaunch.exe
procmon.exe
regmon.exe
filemon.exe
wireshark.exe
netmon.exe
vmtoolsd.exe

If none of  the above processes is running on the infected machine the Trojan will download and execute a DLL that installs the GandCrab ransomware.

Further details including the IoCs are included in both reports published by FireEye and nao_sec.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  Fallout exploit kit, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]