Attacks/Breaches

New 'Fallout' EK Brings Return of Old Ransomware

The Fallout exploit kit carries GandCrab into the Middle East in a new campaign.

There's a new malware carrier in town, and it's bringing an old piece of ransomware with it in an initial campaign, though researchers warn that there's no reason that the new exploit kit (which was named "Fallout" by the researchers who found it) could not deliver multiple malware packages.

The Japanese security researchers, nao_sec, found the initial instance of the software they dubbed the Fallout Exploit Kit because of its similarity to the previously known Nuclear Pack Exploit Kit. The exploit kit, which nao-sec says uses CVE-2018-4878 and CVE-2018-8174, using first VBScript, then Flash vulnerabilities to infect the victim.

At the initial discovery of the kit in Japan, Smoke Loader was the malware downloader installed by Fallout. A post by researchers at FireEye says that their team also found Fallout, this time in the Middle East, where it was being used to infect systems with GandCrab ransomware. According to the FireEye researchers, Fallout fingerprints the user browser profile, searching for users in particular regions. If the victim machine is not in a targeted area, the user is redirected to a simple bad advertising site. If the user is in a region of interest, then the system is sent to a site where the process of downloading malware continues.

Code analysis shows much of the malware loader coming in code buried in <span> tags on the website pointed to by the kit. Depending on the system hit by the malicious software, the result can be ransomware (in the case of Windows systems) or PUPs (potentially unwanted programs) in the case of Mac systems. These PUPs, while not officially classed as malware, can consist of programs such as adware, unwanted browser helpers, or toolbar add-ons for browsers.

As with many malware packages, Fallout exploits vulnerabilities that have been patched in up-to-date software. According to the FireEye researchers, this is a partial explanation for the geographical targeting of the campaign because Asia, Africa, and the Middle East are areas in which systems are statistically more likely to be behind on updates and patches.

As protection against this new malware, administrators are urged to keep systems fully patched and up to date, and to stress proper online behavior to employees and system users.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11378
PUBLISHED: 2019-04-20
An issue was discovered in ProjectSend r1053. upload-process-form.php allows finished_files[]=../ directory traversal. It is possible for users to read arbitrary files and (potentially) access the supporting database, delete arbitrary files, access user passwords, or run arbitrary code.
CVE-2019-11372
PUBLISHED: 2019-04-20
An out-of-bounds read in MediaInfoLib::File__Tags_Helper::Synched_Test in Tag/File__Tags.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11373
PUBLISHED: 2019-04-20
An out-of-bounds read in File__Analyze::Get_L8 in File__Analyze_Buffer.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11374
PUBLISHED: 2019-04-20
74CMS v5.0.1 has a CSRF vulnerability to add a new admin user via the index.php?m=Admin&amp;c=admin&amp;a=add URI.
CVE-2019-11375
PUBLISHED: 2019-04-20
Msvod v10 has a CSRF vulnerability to change user information via the admin/member/edit.html URI.