New Exploit Kit Fallout Delivering Gandcrab Ransomware

September 13, 2018

Security researchers uncovered a new exploit kit, which they’ve named Fallout, delivering downloader trojans, potentially unwanted applications (PUAs), and notably the GandCrab ransomware. Here’s what you need to know about these threats and what you can do to defend against them:

[RELATED: GandCrab ransomware being delivered via spam emails]

What is Fallout’s attack chain? 

Fallout derived its name from its routines — code generation, HTML use, and URL pattern — that were similar to Nuclear, a previously active exploit kit. Fallout exploits two vulnerabilities embedded in its landing pages to deliver its payloads:

  • CVE-2018-8174: a remote code execution (RCE) vulnerability in Windows’ VBScript engine patched in May 2018. Other exploit kits have targeted this vulnerability to deliver cryptocurrency-mining malware. Fallout exploits this security flaw first and uses another vulnerability if VBScript is disabled.
  • CVE-2018-4878: A use-after-free vulnerability in Adobe Flash patched last February. This is also exploited by other exploit kits such as Underminer and Rig. This security flaw serves as Fallout’s fail-safe in case it cannot successfully exploit a vulnerable VBScript.

After it exploits the vulnerabilities, Fallout generates a shellcode that retrieves an encrypted payload that it decrypts and executes. In some instances, it installs a trojan to check for the presence of certain security and virtualization processes. If it finds any in the system, no other malicious routines are performed.

[From TrendLabs Security Intelligence: A closer look at recent exploit kit activities]

What are Fallout’s payloads and impact? 

The shellcode runs an executable file named “Nullsoft Installer self-extracting archive” (although it’s not clear or specified if this file is related to Nullsoft Scriptable Install System, an installer tool). This, in turn, will run the SmokeLoader trojan — a known accomplice of ransomware and information-stealing malware — along with two other executables.

Other security researchers also saw Fallout delivering the GandCrab ransomware on affected systems running Windows operating systems. If the system is running macOS, it diverts victims to web pages advertising fake antivirus (AV) software and Adobe Flash Player.

Fallout’s activities were observed in Japan and South Korea as well as Middle Eastern, South European, and other Asian countries.

[BEST PRACTICES: Defending against ransomware]

What can be done to defend against exploit kits like Fallout?

While exploit kit-related activities may no longer be as dynamic as it was, they can still expose users and businesses to various threats. Here are some best practices:

  • Keep the systems patched: Vulnerabilities are the bread and butter of exploit kits like Fallout. The window of exposure can risk unpatched systems, along with sensitive data stored in them, to theft and illicit access, modification, and theft. Businesses can also consider employing virtual patching to legacy systems and networks.
  • Enforce the principle of least privilege: Exploit kits are opportunistic. They can also exploit vulnerabilities in third-party add-ons, plugins, and extensions to gain a foothold into the system. Disable unnecessary and outdated system components to deter attackers from using them as entry points.
  • Secure the browsers: Exploit kits use malvertisements to spread malware. Updating web browser versions can help remove exploitable flaws. Businesses should also implement security mechanisms such as URL categorization, which helps filter malicious websites.
  • Monitor the online premises: Anomalous endpoint and network traffic can indicate malware infection and intrusion attempts. Enabling firewalls, deploying intrusion detection and prevention systems, and employing whitelisting and behavior monitoring help raise red flags that IT or system administrators can keep an eye on.

Trend Micro Solutions

A proactive, multilayered approach to security is key against threats that exploit vulnerabilities — from the gateway, endpoints, networks, and servers. Trend Micro™ OfficeScan™ with XGen™ endpoint security has Vulnerability Protection that shields endpoints from identified and unknown vulnerability exploits even before patches are even deployed. Trend Micro’s endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security protect end users and businesses from these threats by detecting and blocking malicious files and all related malicious URLs.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.