Security researchers have discovered a new exploit kit called Fallout targeting users in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region

Security researchers have discovered a new exploit kit called Fallout targeting users in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region. The attackers are using the Fallout exploit kit to distribute GandCrab ransomware and other malware-downloading trojans, and it is being served as part of a malvertising campaign. The exploit kit was first discovered by the Tokyo-based security researcher “nao_sec” in August 2018. The exploit was seen downloading and installing SmokeLoader, which is capable of downloading other malware onto the device.

“At the end of August 2018, we observed a new Exploit Kit. Its behavior (code generation using html) and URL pattern are similar to Nuclear Pack Exploit Kit. Therefore we named it "Fallout Exploit Kit".”

The kit exploits vulnerabilities in Adobe Flash Player (CVE-2018-4878) and the Windows VBScript engine (CVE-2018-8174) to infect the victim’s device. According to FireEye, the exploit kit was seen distributing GandCrab ransomware in the Middle East. The Fallout exploit kit was seen installing GandCrab ransomware on Windows systems, while Mac users were redirected to fake antivirus and Adobe Flash Player pages. The attackers first try to exploit the VBScript vulnerability, and if scripting is disabled they fall back to the Flash Player vulnerability. Once exploitation succeeds, it downloads and installs a trojan on the victim’s device. After installation, the trojan checks for the following processes:

  • vmwareuser.exe
  • vmwareservice.exe
  • vboxservice.exe
  • vboxtray.exe
  • Sandboxiedcomlaunch.exe
  • procmon.exe
  • regmon.exe
  • filemon.exe
  • wireshark.exe
  • netmon.exe
  • Vmtoolsd.exe
If any of these processes is found, the malware goes into an infinite loop and performs no further malicious activity; otherwise a DLL file is downloaded and installed, which in turn downloads the GandCrab ransomware. The ransomware encrypts files with a .KRAB extension and also drops a ransom note named KRAB-DECRYPT.txt.
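The two behaviours described above (the trojan's check for analysis-tool process names, and GandCrab's .KRAB extension plus KRAB-DECRYPT.txt note) are exactly the kind of indicators an analyst wants to check for quickly. The following Python triage script is an added example written for this article, not code from the article, from nao_sec or from FireEye: it extracts printable strings from a sample and reports which of the listed process names appear (a hint that the sample fingerprints its environment before running its payload), and it sweeps a directory tree for the GandCrab artifacts. The sample bytes and the directory tree it builds are constructed stand-ins; the helper names are the author's own.

```python
"""Triage helpers for the Fallout/GandCrab indicators described in the article.

Added example, not the article's or the researchers' code. The process names
and the ransomware artifacts come from the article; the sample data and the
function names are constructed for demonstration.
"""
import os
import re
import tempfile
from typing import Dict, List

# Process names the trojan checks before continuing (as listed in the article).
ANALYSIS_PROCESSES = [
    "vmwareuser.exe", "vmwareservice.exe", "vboxservice.exe", "vboxtray.exe",
    "sandboxiedcomlaunch.exe", "procmon.exe", "regmon.exe", "filemon.exe",
    "wireshark.exe", "netmon.exe", "vmtoolsd.exe",
]

# GandCrab artifacts named in the article (compared case-insensitively).
RANSOM_EXTENSION = ".krab"
RANSOM_NOTE = "krab-decrypt.txt"

_ASCII = re.compile(rb"[\x20-\x7e]{4,}")
_UTF16 = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes) -> List[str]:
    """Pull printable ASCII and UTF-16LE strings out of a sample, like a
    `strings`-style pass. Windows binaries often store names as UTF-16LE."""
    found = [m.group().decode("ascii") for m in _ASCII.finditer(data)]
    found += [m.group().decode("utf-16le") for m in _UTF16.finditer(data)]
    return found


def sandbox_evasion_hits(data: bytes) -> List[str]:
    """Return the analysis-tool process names that appear in the sample's
    strings, in the order of ANALYSIS_PROCESSES. Several hits together suggest
    the sample checks its environment before running its payload."""
    haystack = [s.lower() for s in extract_strings(data)]
    return [name for name in ANALYSIS_PROCESSES
            if any(name in s for s in haystack)]


def find_gandcrab_artifacts(root: str) -> Dict[str, List[str]]:
    """Walk a directory tree and report files with the .KRAB extension and any
    KRAB-DECRYPT.txt ransom notes (sorted, so results are deterministic)."""
    result: Dict[str, List[str]] = {"encrypted": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            lower = fname.lower()
            path = os.path.join(dirpath, fname)
            if lower.endswith(RANSOM_EXTENSION):
                result["encrypted"].append(path)
            elif lower == RANSOM_NOTE:
                result["notes"].append(path)
    result["encrypted"].sort()
    result["notes"].sort()
    return result


def build_demo_sample() -> bytes:
    """Constructed sample: padding plus a few embedded process names, stored
    both as ASCII and as UTF-16LE, standing in for a real binary."""
    blob = b"\x00" * 16 + b"This program cannot be run in DOS mode" + b"\x00" * 8
    blob += b"vboxservice.exe\x00" + b"wireshark.exe\x00"
    blob += "vmtoolsd.exe".encode("utf-16le") + b"\x00\x00"
    return blob


def build_demo_tree() -> str:
    """Constructed directory tree resembling a user profile after encryption."""
    root = tempfile.mkdtemp(prefix="krab_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("report.docx.KRAB", "budget.xlsx.KRAB", "readme.txt"):
        open(os.path.join(docs, name), "wb").close()
    with open(os.path.join(docs, "KRAB-DECRYPT.txt"), "w") as fh:
        fh.write("constructed ransom note placeholder\n")
    return root


if __name__ == "__main__":
    print("evasion indicators:", sandbox_evasion_hits(build_demo_sample()))
    tree = build_demo_tree()
    found = find_gandcrab_artifacts(tree)
    print(f"{len(found['encrypted'])} encrypted files and "
          f"{len(found['notes'])} ransom notes under {tree}")
```

The string scan is deliberately case-insensitive and matches substrings, so a name embedded in a longer path or format string is still caught; on a real sample, run `sandbox_evasion_hits` over the file bytes and treat a cluster of hits as a reason to detonate the sample with those tools renamed or absent, rather than as proof of maliciousness on its own.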

Always follow these basic instructions to protect yourself from any ransomware attack:

  • Perform regular backups. Ideally, this data should be kept on a separate device, and backups should be stored offline
  • Maintain updated Antivirus software for all systems
  • Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited email, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through the browser.
  • Keep the operating system and third-party applications (MS Office, Flash Player, browsers, browser plugins) up to date with the latest patches.