Security researchers uncovered a new exploit kit, which they’ve named Fallout, delivering downloader trojans, potentially unwanted applications (PUAs), and notably the GandCrab ransomware. Here’s what you need to know about these threats and what you can do to defend against them:
Fallout derived its name from its routines — code generation, HTML use, and URL pattern — that were similar to Nuclear, a previously active exploit kit. Fallout exploits two vulnerabilities embedded in its landing pages to deliver its payloads:
After it exploits the vulnerabilities, Fallout generates a shellcode that retrieves an encrypted payload that it decrypts and executes. In some instances, it installs a trojan to check for the presence of certain security and virtualization processes. If it finds any in the system, no other malicious routines are performed.
The shellcode runs an executable file named “Nullsoft Installer self-extracting archive” (although it’s not clear or specified if this file is related to Nullsoft Scriptable Install System, an installer tool). This, in turn, will run the SmokeLoader trojan — a known accomplice of ransomware and information-stealing malware — along with two other executables.
Other security researchers also saw Fallout delivering the GandCrab ransomware on affected systems running Windows operating systems. If the system is running macOS, it diverts victims to web pages advertising fake antivirus (AV) software and Adobe Flash Player.
Fallout’s activities were observed in Japan and South Korea as well as Middle Eastern, South European, and other Asian countries.
While exploit kit-related activities may no longer be as dynamic as they once were, they can still expose users and businesses to various threats. Here are some best practices:
A proactive, multilayered approach to security — from the gateway to endpoints, networks, and servers — is key against threats that exploit vulnerabilities. Trend Micro™ OfficeScan™ with XGen™ endpoint security has Vulnerability Protection that shields endpoints from identified and unknown vulnerability exploits even before patches are deployed. Trend Micro’s endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security protect end users and businesses from these threats by detecting and blocking malicious files and all related malicious URLs.