
New Fallout exploit kit peppers malvertising victims with GandCrab, SmokeLoader malware

Attackers are leveraging a newly discovered exploit kit in an international malvertising campaign that's been observed delivering GandCrab ransomware and the SmokeLoader malicious downloader, as well as engaging victims in social engineering scams.

Nicknamed Fallout, the kit exploits a remote code execution vulnerability in outdated versions of the Windows VBScript engine and an arbitrary code execution bug in unpatched Adobe Flash Player software in order to distribute malware to its victims.

In a blog post published yesterday, FireEye reports that Fallout EK has been delivering GandCrab to victims in the Middle East, while also targeting the Asia Pacific region and Southern Europe with additional malware.

Japanese researchers from nao_sec previously reported the threat on Sept. 1, after observing Fallout distribute SmokeLoader to Japanese victims, along with two apparent bots, on Aug. 29. This incident came just days after Fallout's first known appearance on Aug. 24 via the domain finalcountdown[.]gq, FireEye explains.

According to researchers, Fallout exhibits similar behavior to the commonly used Nuclear Pack Exploit Kit (aka Nuclear EK), and also has a similar URL pattern.

Online users are infected upon visiting web pages compromised with malicious advertisements. When this occurs, Fallout decides whether or not to attack, and what type of attack to implement, by first fingerprinting the user browser profile to better understand the victim.

Targets of interest are rerouted from legit ad pages to the Fallout EK landing page via multiple 302 redirects, FireEye reports. "URIs for the landing page keep changing and are too generic for a pattern, making it harder for IDS solutions that rely on detections based on particular patterns," the company blog post states.
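Because the landing-page URIs described above are too generic to signature, a defender can instead look at the shape of the session: several consecutive 302 hops, each referred by the previous one, ending at a domain the client has never been to. The following is an added example, not code from FireEye, nao_sec or SC Media; the proxy log format, the sample lines, the domain names and the three-hop threshold are all constructed assumptions for illustration.

```python
"""
Flag referrer-linked HTTP 302 redirect chains in a web proxy log, keyed on
chain behaviour rather than on URI patterns.

Added example (not FireEye's or nao_sec's code). Log format, sample lines
and the min_hops threshold are constructed assumptions.
"""
from urllib.parse import urlsplit

# Constructed sample log: "<timestamp> <client> <status> <url> <referrer>"
# Client 10.0.0.5 walks three 302 hops from an ad slot to a landing page;
# client 10.0.0.6 sees an ordinary single redirect to a CDN.
SAMPLE_LOG = """\
2018-09-01T10:00:01Z 10.0.0.5 200 http://news.example.test/article -
2018-09-01T10:00:02Z 10.0.0.5 302 http://ads-one.example.test/serve?id=1 http://news.example.test/article
2018-09-01T10:00:02Z 10.0.0.5 302 http://track.example.test/r/7f3a http://ads-one.example.test/serve?id=1
2018-09-01T10:00:03Z 10.0.0.5 302 http://hop.example.test/x http://track.example.test/r/7f3a
2018-09-01T10:00:03Z 10.0.0.5 200 http://landing.example.test/q9b1c4 http://hop.example.test/x
2018-09-01T10:00:10Z 10.0.0.6 200 http://news.example.test/article -
2018-09-01T10:00:11Z 10.0.0.6 302 http://cdn.example.test/img http://news.example.test/article
2018-09-01T10:00:11Z 10.0.0.6 200 http://cdn2.example.test/img.png http://cdn.example.test/img
"""


def parse_log(text):
    """Parse the constructed space-separated format into dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, status, url, referrer = line.split()
        records.append({
            "ts": ts,
            "client": client,
            "status": int(status),
            "url": url,
            "referrer": None if referrer == "-" else referrer,
        })
    return records


def build_chains(records):
    """Group each client's requests into chains where every request's
    referrer is the URL of the request immediately before it."""
    finished = []
    open_chains = {}  # client -> list of records in the current chain
    for rec in records:
        chain = open_chains.get(rec["client"])
        if chain and rec["referrer"] == chain[-1]["url"]:
            chain.append(rec)          # extends the current chain
        else:
            if chain:
                finished.append(chain)  # previous chain is closed
            open_chains[rec["client"]] = [rec]
    finished.extend(c for c in open_chains.values() if c)
    return finished


def flag_redirect_chains(records, min_hops=3):
    """Return an alert for every chain containing at least min_hops 302
    responses, reporting the hop domains and the final landing URL."""
    alerts = []
    for chain in build_chains(records):
        hops = [r for r in chain if r["status"] == 302]
        if len(hops) < min_hops:
            continue
        hop_domains = []
        for r in hops:
            host = urlsplit(r["url"]).hostname
            if host not in hop_domains:
                hop_domains.append(host)
        alerts.append({
            "client": chain[0]["client"],
            "origin": chain[0]["referrer"] or chain[0]["url"],
            "hops": len(hops),
            "hop_domains": hop_domains,
            "landing": chain[-1]["url"],
        })
    return alerts


if __name__ == "__main__":
    for alert in flag_redirect_chains(parse_log(SAMPLE_LOG)):
        print(alert)
```

The threshold is deliberately a tunable: legitimate ad delivery often involves one or two 302s, so the value should be set from a baseline of the environment's own traffic, and a hit is a triage lead (enrich the landing domain's age and reputation, check what the client fetched next) rather than a verdict on its own.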

Other victims are instead routed to social engineering campaigns that try to trick them into downloading malicious files or clicking links. For instance, notes FireEye, U.S.-based users working on a fully patched macOS system may see fake virus warnings or phony Flash Player download prompts. "The malvertisement redirect involved in the campaign has been abused heavily in many social engineering campaigns in North America," the blog post remarks.


Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
