Attacks/Breaches

New 'Fallout' EK Brings Return of Old Ransomware

The Fallout exploit kit carries GandCrab into the Middle East in a new campaign.

There's a new malware carrier in town, and it's bringing an old piece of ransomware with it in an initial campaign, though researchers warn that there's no reason that the new exploit kit (which was named "Fallout" by the researchers who found it) could not deliver multiple malware packages.

The Japanese security researchers, nao_sec, found the initial instance of the software they dubbed the Fallout Exploit Kit because of its similarity to the previously known Nuclear Pack Exploit Kit. The exploit kit, which nao-sec says uses CVE-2018-4878 and CVE-2018-8174, using first VBScript, then Flash vulnerabilities to infect the victim.

At the initial discovery of the kit in Japan, Smoke Loader was the malware downloader installed by Fallout. A post by researchers at FireEye says that their team also found Fallout, this time in the Middle East, where it was being used to infect systems with GandCrab ransomware. According to the FireEye researchers, Fallout fingerprints the user browser profile, searching for users in particular regions. If the victim machine is not in a targeted area, the user is redirected to a simple bad advertising site. If the user is in a region of interest, then the system is sent to a site where the process of downloading malware continues.

Code analysis shows much of the malware loader coming in code buried in <span> tags on the website pointed to by the kit. Depending on the system hit by the malicious software, the result can be ransomware (in the case of Windows systems) or PUPs (potentially unwanted programs) in the case of Mac systems. These PUPs, while not officially classed as malware, can consist of programs such as adware, unwanted browser helpers, or toolbar add-ons for browsers.

As with many malware packages, Fallout exploits vulnerabilities that have been patched in up-to-date software. According to the FireEye researchers, this is a partial explanation for the geographical targeting of the campaign because Asia, Africa, and the Middle East are areas in which systems are statistically more likely to be behind on updates and patches.

As protection against this new malware, administrators are urged to keep systems fully patched and up to date, and to stress proper online behavior to employees and system users.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11469
PUBLISHED: 2019-04-23
Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the &quot;Execute Program Action(s)&quot; feature.
CVE-2013-7470
PUBLISHED: 2019-04-23
cipso_v4_validate in include/net/cipso_ipv4.h in the Linux kernel before 3.11.7, when CONFIG_NETLABEL is disabled, allows attackers to cause a denial of service (infinite loop and crash), as demonstrated by icmpsic, a different vulnerability than CVE-2013-0310.
CVE-2019-11463
PUBLISHED: 2019-04-23
A memory leak in archive_read_format_zip_cleanup in archive_read_support_format_zip.c in libarchive through 3.3.3 allows remote attackers to cause a denial of service via a crafted ZIP file because of a HAVE_LZMA_H typo.
CVE-2019-0218
PUBLISHED: 2019-04-22
A vulnerability was discovered wherein a specially crafted URL could enable reflected XSS via JavaScript in the pony mail interface.
CVE-2019-11383
PUBLISHED: 2019-04-22
An issue was discovered in the Medha WiFi FTP Server application 1.8.3 for Android. An attacker can read the username/password of a valid user via /data/data/com.medhaapps.wififtpserver/shared_prefs/com.medhaapps.wififtpserver_preferences.xml