Fallout Exploit Kit leads to PUPs or infiltrates GandCrab ransomware

Malicious Fallout Exploit Kit aims to utilize Adobe and VBScript vulnerabilities

Fallout Exploit KitResearchers discovered Fallout Exploit Kit which is either infiltrating the system with GandCrab ransomware or redirecting to PUPs' distribution sources.

Cybersecurity researcher at nao_sec had discovered the malicious Fallout Exploit Kit at the end of August[1]. This exploit kit was designed to exploit Adobe Flash Player and Windows VBScript vulnerabilities by infiltrating the targeted computers through hacked websites[2].

On the afternoon of August 29th, we met the Fallout Exploit Kit when we are crawling ad-networks using Japanese IP address. Accessing their landing page will read the exploit code of CVE-2018-8174 consisting of large span tag and the exploit code of CVE-2018-4878 consisting of object tag.

IT experts classify the vulnerabilities under CVE-2018-4878 and CVE-2018-8174 codes. At first, Fallout Exploit Kit was programmed to download and install a SmokeLoader — malicious software used to infiltrate the system with malware. Hackers used this exploit kit to distribute unknown malware and CoalaBot.

Now Fallout Exploit Kit drops GandCrab ransomware or redirects to PUPs

Recently, researchers at FireEye have discovered that now Fallout Exploit Kit is assigned to distribute GandCrab ransomware or redirect to PUPs' installation websites which are promoting Mac Mechanic or fake Adobe updates[3]. The file-encrypting virus is only installed on Windows while MacOS users are served with PUPs.

Just like the previous version of Fallout Exploit Kit, it tries to exploit VBScript at first. In case the scripting is disabled on the targeted computer, the exploit kit will try to take advantage of Adobe Flash Player vulnerability. If the exploitation succeeded, it drops a Trojan horse on the system.

The Trojan horse scans the device for the following processes and if found, stops its malicious activity immediately[4]:

  • vmtoolsd.exe
  • vboxservice.exe
  • vboxtray.exe
  • vmwareuser.exe
  • vmwareservice.exe
  • wireshark.exe
  • filemon.exe
  • netmon.exe
  • procmon.exe
  • regmon.exe
  • Sandboxiedcomlaunch.exe

If none of the listed processes are running on the infected device, the Trojan horse drops the payload of GandCrab ransomware[5]. This infamous crypto-malware would start data encryption and append .KRAB extension to the compromised files. Victims are informed about the attack in KRAB-DECRYPT.txt ransom note.

Tips to protect your system from social engineering attacks

The first thing to do is to update your operating system and other applications right away. All out-dated software is a risk and should not be kept on your computer. Furthermore, make sure that you are using a professional antivirus with real-time protection.

Finally, security experts advise you to stay away from suspicious websites which are prompting to install unverified applications. Download apps only from official pages and use a direct link is possible. Malvertising is a real threat and users should be exceptionally vigilant.

About the author
Alice Woods
Alice Woods - Likes to teach users about virus prevention

Alice Woods is the News Editor at 2-spyware. She has been sharing her knowledge and research data with 2spyware readers since 2014.

Contact Alice Woods
About the company Esolutions