A new version of the Fallout exploit kit (EK) has emerged, featuring new exploits and fresh payloads, including the GandCrab ransomware. The development shows that EKs have a lot of life yet left in them, researchers say.
The Fallout EK generally finds its victims by way of malvertising campaigns, especially those that take advantage of traffic to adult websites, according to an analysis from Jérôme Segura. It’s been relatively quite so far this year, but the researcher found that since Tuesday, the Fallout EK activity has been picking up the pace on activity.
It would appear that its operators took that post-holiday sabbatical to retool. The revised Fallout EK sports several notable new features, such as HTTPS support, a new landing page format, the integration of Powershell to run its payloads, and, most notably, the integration of an exploit for the most recent Flash Player vulnerability, CVE-2018-15982.
The vulnerability, which Adobe patched on Dec. 5, is a use-after-free flaw enabling arbitrary code execution in Flash. Researchers with Gigamon Applied Threat Research said that prior to the patch, it was being exploited via a Microsoft Office document dubbed “22.docx.”
“The vulnerability allows for a maliciously crafted Flash object to execute code on a victim’s computer, which enables an attacker to gain command line access to the system,” researchers with Gigamon said at the time. They added, “Although the death of Flash has been widely reported thanks to industry efforts to deprecate and remove Flash from web browsers, vectors such as Microsoft Office remain able to load and execute Flash content.”
Another notable aspect of the new and improved Fallout EK is the fact that it’s now delivering payloads via Powershell rather than using iexplore.exe.
“The Base64 encoded Powershell command calls out the payload URL and loads it in its own way,” explained Segura, in a posting on Wednesday. “This technique is most likely an attempt at evasion, as traditionally we’d expect the Internet Explorer process to drop the payload.”
The resurgence of the Fallout EK (and the fact that the RIG EK saw increased activity in the first half of January, according to Malwarebytes) shows that this threat arena is alive and well, despite the fact that their traditional attack vectors are showing signs of being phased out.
“EK activity slowed down in late 2016 and remained really stagnated in 2017, especially if we consider the lack of developments in this space,” Segura told Threatpost. “However, 2018 brought up newer exploits in particular for Internet Explorer and the Flash Player. There is no doubt that this gave exploit kits an extension on their lifespan and this is why we see different actors still leveraging this infection vector.”
He added that Fallout’s revamping also tells us is that exploit kit developers are still monitoring the scene for new exploits and techniques. Segura said: “Even though the market share for IE and Flash continues to drop, there are many countries still running older systems where the default browser is Internet Explorer. Therefore, threat actors will take advantage.”
Also notable is the fact that Fallout is ahead of the game compared to older EKs like RIG — which may spur increased EK activity going forward.
“If we compare the two exploit kits simply based on their features, Fallout is definitely superior,” Segura told Threatpost. “For malware distributors, using a more powerful toolkit will result in a greater number of successful infections. This, in turn, has a direct impact on the popularity of an exploit kit in distribution campaigns.”
He added, “Fallout EK is a relatively new exploit kit but within its short tenure has constantly made improvements. This matters because it can lead by example and drive innovation with its competitors.”