Fallout Exploit Kit now includes exploit for CVE-2018-15982 Flash zero-day

Experts at Malwarebytes have reported that the code for the recently discovered Flash zero-day flaw was added to the Fallout Exploit kit.

Experts at Malwarebytes observed a new version of the Fallout Exploit kit that include the code to exploit a recently discovered Flash zero-day vulnerability.

The Fallout Exploit kit was discovered at the end of August by the threat analyst nao_sec, at the time it was used to distribute the GandCrab ransomware and other malicious codes, including droppers and potentially unwanted programs (PUPs).

First detailed in September 2018, the toolkit was observed delivering malware families ranging from ransomware to backdoors, but also fingerprinting the browser profile to identify targets of interest.

The activity associated with the Fallout exploit kit was temporarily suspended in early January, likely to improve it, in the same period experts at Malwarebytes observed an increase in the RIG EK activity.

The Fallout EK was distributed mainly via malvertising chains, starting January 15 it was used to deliver the GandCrab ransomware.

“After a short hiatus in early January, the Fallout exploit kit is back in business again with some new features for the new year.” reads the post published by Malwarebytes.

“The revised Fallout EK boasts several new features, including integration of the most recent Flash Player exploit. Security researcher Kafeine identified that Fallout is now the second exploit kit to add CVE-2018-15982.”

One of the most important improvements for the Fallout Exploit kit is the exploit for a recently discovered Adobe Flash Player zero-day tracked as
CVE-2018-15982.

The CVE-2018-15982 flaw is a critical use-after-free bug that was exploited by an advanced persistent threat actor in attacks aimed at a healthcare organization associated with the Russian presidential administration.

The flaw could be exploited by attackers to execute arbitrary code, Adobe addressed it with the release of Flash Player 32.0.0.101 for Windows, macOS, Linux, and Chrome OS.

The first exploit kit that integrated the code to trigger the CVE-2018-15982 flaw in mid-December was Underminer.

The new Fallout Exploit kit implements the support for HTTPS support, a new landing page format, and uses Powershell to run the final payload.

“The Base64 encoded Powershell command calls out the payload URL and loads it in its own way” continues the analysis. ”
“This technique is most likely an attempt at evasion, as traditionally we’d expect the Internet Explorer process to drop the payload.”

The new development for the Fallout Exploit kit demonstrates the malware developers continously monitor

This development is the proof that exploit kit developers are continuously improving their code to trigger the most recent flaws.

Pierluigi Paganini

(SecurityAffairs – Fallout Exploit kit, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]

Share On