430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Fallout exploit kit appeared in the threat landscape in malvertising campaigns

At the end of August, security experts discovered a new exploit kit called Fallout that is being used to distribute the GandCrab ransomware. At the end of August, the threat analyst nao_sec discovered a new exploit kit called Fallout that is being used to distribute the GandCrab ransomware and other malicious codes, including droppers and potentially unwanted […]

fallout exploit kit

At the end of August, security experts discovered a new exploit kit called Fallout that is being used to distribute the GandCrab ransomware.

At the end of August, the threat analyst nao_sec discovered a new exploit kit called Fallout that is being used to distribute the GandCrab ransomware and other malicious codes, including droppers and potentially unwanted programs (PUPs).

Once deployed on a compromised website, the exploit kit leverages the CVE-2018-4878 Adobe Flash Player and the CVE-2018-8174Windows VBScript engine vulnerabilities to deliver a malware on the visitors’ machines.

“At the end of August 2018, we observed a new Exploit Kit. Its behavior (code generation using html) and URL pattern are similar to Nuclear Pack Exploit Kit. Therefore we named it “Fallout Exploit Kit”. Fallout Exploit Kit is using CVE-2018-4878 and CVE-2018-8174. That code is distinctive and interesting.” reads a blog post published by nao_sec.

At the time of the discovery, the exploit kit was delivering and installing the SmokeLoader downloader that was used to download the CoalaBot and another unidentified malware.

“The exe file executed by shellcode is “Nullsoft Installer self-extracting archive”. This will run SmokeLoader and two exe files will be downloaded” continues the analysis.

The Fallout exploit kit was also observed by FireEye in a malvertising campaign affecting users in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region.

The security firm observed the exploit kit installing the GandCrab Ransomware on Windows machines, it was also used to redirect macOS users to pages promoting fake antivirus software or fake Adobe Flash Players.

fallout exploit kit

The exploit kit will first attempt to exploit VBScript, then it will try to exploit the Flash Player flaw.

Once the exploit code is executed, it will download and execute a Trojan onto Windows systems. The malicious code then enumerates all running processes, creates their crc32 checksums, and compare them against a list of blacklisted checksum associated with virtual machines and analysis tools such as:

vmwareuser.exe
vmwareservice.exe
vboxservice.exe
vboxtray.exe
Sandboxiedcomlaunch.exe
procmon.exe
regmon.exe
filemon.exe
wireshark.exe
netmon.exe
vmtoolsd.exe

If none of  the above processes is running on the infected machine the Trojan will download and execute a DLL that installs the GandCrab ransomware.

Further details including the IoCs are included in both reports published by FireEye and nao_sec.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  Fallout exploit kit, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]