Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

New 'Fallout' EK Brings Return of Old Ransomware

The Fallout exploit kit carries GandCrab into the Middle East in a new campaign.

There's a new malware carrier in town, and it's bringing an old piece of ransomware with it in an initial campaign, though researchers warn that there's no reason that the new exploit kit (which was named "Fallout" by the researchers who found it) could not deliver multiple malware packages.

The Japanese security researchers, nao_sec, found the initial instance of the software they dubbed the Fallout Exploit Kit because of its similarity to the previously known Nuclear Pack Exploit Kit. The exploit kit, which nao-sec says uses CVE-2018-4878 and CVE-2018-8174, using first VBScript, then Flash vulnerabilities to infect the victim.

At the initial discovery of the kit in Japan, Smoke Loader was the malware downloader installed by Fallout. A post by researchers at FireEye says that their team also found Fallout, this time in the Middle East, where it was being used to infect systems with GandCrab ransomware. According to the FireEye researchers, Fallout fingerprints the user browser profile, searching for users in particular regions. If the victim machine is not in a targeted area, the user is redirected to a simple bad advertising site. If the user is in a region of interest, then the system is sent to a site where the process of downloading malware continues.

Code analysis shows much of the malware loader coming in code buried in <span> tags on the website pointed to by the kit. Depending on the system hit by the malicious software, the result can be ransomware (in the case of Windows systems) or PUPs (potentially unwanted programs) in the case of Mac systems. These PUPs, while not officially classed as malware, can consist of programs such as adware, unwanted browser helpers, or toolbar add-ons for browsers.

As with many malware packages, Fallout exploits vulnerabilities that have been patched in up-to-date software. According to the FireEye researchers, this is a partial explanation for the geographical targeting of the campaign because Asia, Africa, and the Middle East are areas in which systems are statistically more likely to be behind on updates and patches.

As protection against this new malware, administrators are urged to keep systems fully patched and up to date, and to stress proper online behavior to employees and system users.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Analyst at Omdia, focusing on enterprise security management. Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3500
PUBLISHED: 2021-06-24
A flaw was found in djvulibre-3.5.28 and earlier. A Stack overflow in function DJVU::DjVuDocument::get_djvu_file() via crafted djvu file may lead to application crash and other consequences.
CVE-2020-18670
PUBLISHED: 2021-06-24
Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4 via database host and user in /installer/test.php.
CVE-2020-18671
PUBLISHED: 2021-06-24
Cross Site Scripting (XSS) vulnerability in Roundcube Mail &lt;=1.4.4 via smtp config in /installer/test.php.
CVE-2020-4885
PUBLISHED: 2021-06-24
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 could allow a local user to access and change the configuration of Db2 due to a race condition of a symbolic link,. IBM X-Force ID: 190909.
CVE-2020-4945
PUBLISHED: 2021-06-24
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 could allow an authenticated user to overwrite arbirary files due to improper group permissions. IBM X-Force ID: 191945.