This malware spreading tool is back with some new tricks

The Fallout exploit kit is back delivering GandCrab ransomware after a brief hiatus.
Written by Danny Palmer, Senior Writer

An exploit kit used to distribute malware to unsuspecting victims has returned following a brief hiatus -- and it's been upgraded with some new tricks, including the ability to exploit an only recently disclosed zero-day vulnerability.

The Fallout exploit kit provides cyber criminals with a selection of Internet Explorer and Flash Player exploits that they can take advantage of to distribute malware. Fallout is often delivered via malvertising, which targets high-traffic torrent and streaming sites and redirects users towards malicious payloads.

After appearing to briefly halt activity earlier this month, researchers at Malwarebytes say Fallout resumed its operations as of January 15 and it's now once again delivering GandCrab -- a family of ransomware strongly associated with the exploit kit. Fallout was also recently seen distributing the Vidar information-stealer, before it dropped off the radar.

It seems as if Fallout was taken out of service so those behind it could update it and the exploit kit has returned with new features, including the ability to take advantage of a critical vulnerability in Adobe Flash Player.

The CVE-2018-15982 zero-day came to light last month and it allows attackers to execute code and privileges on targeted systems. Adobe has released a patch to fix the vulnerability on Windows, macOS, Linux, and Chrome OS.

See: What is malware? Everything you need to know about viruses, trojans and malicious software

However, it's highly likely that there are vast numbers of systems that haven't seen this patch applied, so still remain vulnerable to the zero-day and attacks using the Fallout exploit kit.

It's thought that Fallout is only the second exploit kit to add CVE-2018-15982 to its arsenal -- a cryptocurrency miner was first to add it, just days after the vulnerability was exposed.

"What this new development tells us is that exploit kit developers are still monitoring the scene for new exploits and techniques. In 2018, several zero-days for Internet Explorer and Flash Player were found and turned into easily adaptable proof of concepts," said Jérôme Segura, security researcher and head of investigations at Malwarebytes.

"Even though the market share for IE and Flash continues to drop, there are many countries still running older systems where the default browser is Internet Explorer. Therefore, threat actors will take advantage," he added.

The new version of Fallout has also HTTPS support, a new format for landing pages and it's also switched to delivering its payload via PowerShell, rather than using iexplore.exe as it did before. Researchers attribute the latter to an attempt to improve the evasion capabilities of malicious activities.

Malwarebytes has shared the Indicators of Compromise for the latest version of Fallout in their analysis of the exploit kit.


Editorial standards