Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

New 'Fallout' EK Brings Return of Old Ransomware

The Fallout exploit kit carries GandCrab into the Middle East in a new campaign.

There's a new malware carrier in town, and it's bringing an old piece of ransomware with it in an initial campaign, though researchers warn that there's no reason that the new exploit kit (which was named "Fallout" by the researchers who found it) could not deliver multiple malware packages.

The Japanese security researchers, nao_sec, found the initial instance of the software they dubbed the Fallout Exploit Kit because of its similarity to the previously known Nuclear Pack Exploit Kit. The exploit kit, which nao-sec says uses CVE-2018-4878 and CVE-2018-8174, using first VBScript, then Flash vulnerabilities to infect the victim.

At the initial discovery of the kit in Japan, Smoke Loader was the malware downloader installed by Fallout. A post by researchers at FireEye says that their team also found Fallout, this time in the Middle East, where it was being used to infect systems with GandCrab ransomware. According to the FireEye researchers, Fallout fingerprints the user browser profile, searching for users in particular regions. If the victim machine is not in a targeted area, the user is redirected to a simple bad advertising site. If the user is in a region of interest, then the system is sent to a site where the process of downloading malware continues.

Code analysis shows much of the malware loader coming in code buried in <span> tags on the website pointed to by the kit. Depending on the system hit by the malicious software, the result can be ransomware (in the case of Windows systems) or PUPs (potentially unwanted programs) in the case of Mac systems. These PUPs, while not officially classed as malware, can consist of programs such as adware, unwanted browser helpers, or toolbar add-ons for browsers.

As with many malware packages, Fallout exploits vulnerabilities that have been patched in up-to-date software. According to the FireEye researchers, this is a partial explanation for the geographical targeting of the campaign because Asia, Africa, and the Middle East are areas in which systems are statistically more likely to be behind on updates and patches.

As protection against this new malware, administrators are urged to keep systems fully patched and up to date, and to stress proper online behavior to employees and system users.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27852
PUBLISHED: 2021-01-20
A stored Cross-Site Scripting (XSS) vulnerability in the survey feature in Rocketgenius Gravity Forms before 2.4.21 allows remote attackers to inject arbitrary web script or HTML via a textarea field. This code is interpreted by users in a privileged role (Administrator, Editor, etc.).
CVE-2021-3137
PUBLISHED: 2021-01-20
XWiki 12.10.2 allows XSS via an SVG document to the upload feature of the comment section.
CVE-2020-27850
PUBLISHED: 2021-01-20
A stored Cross-Site Scripting (XSS) vulnerability in forms import feature in Rocketgenius Gravity Forms before 2.4.21 allows remote attackers to inject arbitrary web script or HTML via the import of a GF form. This code is interpreted by users in a privileged role (Administrator, Editor, etc.).
CVE-2020-27851
PUBLISHED: 2021-01-20
Multiple stored HTML injection vulnerabilities in the &quot;poll&quot; and &quot;quiz&quot; features in an additional paid add-on of Rocketgenius Gravity Forms before 2.4.21 allows remote attackers to inject arbitrary HTML code via poll or quiz answers. This code is interpreted by users in a privile...
CVE-2020-13134
PUBLISHED: 2021-01-20
Tufin SecureChange prior to R19.3 HF3 and R20-1 HF1 are vulnerable to stored XSS. The successful exploitation requires admin privileges (for storing the XSS payload itself), and can exploit (be triggered by) admin users. All TOS versions with SecureChange deployments prior to R19.3 HF3 and R20-1 HF1...