New security reports have landed indicating that the infamous GandCrab ransomware is currently being distributed by a new exploit kit known as Fallout. The Fallout EK is pushing the ransomware alongside downloader Trojans and potentially unwanted programs. The EK was unearthed by security researcher nao_sec at the end of August 2018.
Fallout Exploit Kit Malicious Operations
It appears that the Fallout EK is installed on compromised websites and is attempting to exploit vulnerabilities present in the potential victim’s system. So far, the EK is leveraging two known exploits – one for Adobe Flash Player (CVE-2018-4878) and one for the Windows VBScript engine (CVE-2018-8174).
CVE-2018-4878 Technical Details
As per MITRE’s advisory, the vulnerability is “a use-after-free vulnerability” which was discovered in Adobe Flash Player prior to version 22.214.171.124. The vulnerability occurs due to a dangling pointer in the Primetime SDK related to media player handling of listener objects. A successful attack can lead to arbitrary code execution. CVE-2018-4878 was exploited in the wild in January and February 2018.
CVE-2018-8174 Technical Details
The vulnerability is of the remote code execution kind, existing in the way that the VBScript engine handles objects in memory, such as “Windows VBScript Engine Remote Code Execution Vulnerability.” The flaw affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
Upon its discovery, the EK was caught downloading and installing the so-caled SmokeLoader, a malware instance known for downloading more malware on the compromised host. At that particular moment CoalaBot was being downloaded alongside other undisclosed malware pieces.
According to the researcher, the exe file executed by shellcode is “Nullsoft Installer self-extracting archive””, which will then run the SmokeLoader and will download two additional exe files.
FireEye researchers were previously able to determine that the very same exploit kit has been deployed by cybercriminals to install the GandCrab ransomware on both Windows and macOS systems. The EK is also known for redirecting victims to pages promoting fake anti-virus programs and fake Adobe Flash players.
It should be noted that researchers say that if the Fallout EK fails to exploit the CVE-2018-8174 VBScript vulnerability, and if scripting is disabled on the targeted host, it will then try to exploit Adobe Flash Player vulnerability, CVE-2018-4878.
Upon successful exploit, the Windows OS in particular would download and install a Trojan which will then check for the following processes:
In case those processes are found, the Trojan would enter an infinite loop without performing further malicious activities, the researchers noted.
If those processes are not found, the Trojan will download and execute a DLL that installs the GandCrab ransomware, which will proceed in its typical manner of infection.