At the end of August, the threat analyst nao_sec discovered a new exploit kit called Fallout that is being used to distribute the GandCrab ransomware and other malicious codes, including droppers and potentially unwanted programs (PUPs).
Once deployed on a compromised website, the exploit kit leverages the CVE-2018-4878 Adobe Flash Player and the CVE-2018-8174Windows VBScript engine vulnerabilities to deliver a malware on the visitors’ machines.
“At the end of August 2018, we observed a new Exploit Kit. Its behavior (code generation using html) and URL pattern are similar to Nuclear Pack Exploit Kit. Therefore we named it “Fallout Exploit Kit”. Fallout Exploit Kit is using CVE-2018-4878 and CVE-2018-8174. That code is distinctive and interesting.” reads a blog post published by nao_sec.
At the time of the discovery, the exploit kit was delivering and installing the SmokeLoader downloader that was used to download the CoalaBot and another unidentified malware.
“The exe file executed by shellcode is “Nullsoft Installer self-extracting archive”. This will run SmokeLoader and two exe files will be downloaded” continues the analysis.
The Fallout exploit kit was also observed by FireEye in a malvertising campaign affecting users in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region.
The security firm observed the exploit kit installing the GandCrab Ransomware on Windows machines, it was also used to redirect macOS users to pages promoting fake antivirus software or fake Adobe Flash Players.
The exploit kit will first attempt to exploit VBScript, then it will try to exploit the Flash Player flaw.
Once the exploit code is executed, it will download and execute a Trojan onto Windows systems. The malicious code then enumerates all running processes, creates their crc32 checksums, and compare them against a list of blacklisted checksum associated with virtual machines and analysis tools such as:
vmwareuser.exe vmwareservice.exe vboxservice.exe vboxtray.exe Sandboxiedcomlaunch.exe procmon.exe regmon.exe filemon.exe wireshark.exe netmon.exe vmtoolsd.exe
If none of the above processes is running on the infected machine the Trojan will download and execute a DLL that installs the GandCrab ransomware.