Fallout Exploit Kit: A deep dive into the exploit kit’s campaigns distributing various malware strains

• Fallout exploit kit was first spotted in a malvertising campaign affecting users in Japan, Korea, the Middle East, Southern Europe, and more.
• Later, the exploit kit was spotted distributing GandCrab ransomware, SAVEfiles ransomware, Kraken Cryptor ransomware, DanaBot trojan, Nocturnal malware, GlobeImposter ransomware, AZORult variants, Vidar malware, and more.

Fallout exploit kit was first discovered in the late August 2018 in a malvertising campaign affecting users in Japan, Korea, the Middle East, Southern Europe, and more. The exploit kit was observed distributing GandCrab ransomware to users in the Middle East. The exploit kit was further spotted distributing SAVEfiles ransomware, Kraken Cryptor ransomware, DanaBot trojan, Nocturnal malware, GlobeImposter ransomware, AZORult variants, Vidar malware, and more.

GandCrab ransomware

Researchers from FireEye noted Fallout exploit kit distributing GandCrab Ransomware. The exploit kit fingerprints the user browser profile and delivers malicious content if the user profile matches a target of interest. The user is then redirected from a legitimate advertising page to the exploit kit landing page URL.

The malvertisement either delivers Fallout exploit kit or attempts to redirect the user to other social engineering campaigns based on the browser and operating system, from where it tricks users to download malicious software.

Researchers noted that this campaign has triggered alerts from customers in government, telecommunication, and healthcare sectors. Researchers also observed Fallout exploiting vulnerabilities CVE-2018-4878 and CVE-2018-8174 in a malvertising campaign distributing GandCrab ransomware.

SAVEfiles ransomware

In September 2018, Fallout exploit kit was spotted distributing SAVEfiles ransomware in a malvertising campaign affecting users in Japan, France, and more. The advertisement redirects the user several times before landing on the site hosting Fallout exploit kit. The exploit kit will then automatically download and install SAVEfiles ransomware onto victim’s PCs. The victims’ files are then encrypted with the .SAVEfiles extension.

While encrypting, the ransomware leaves a ransom note in each folder ‘!!!SAVE__FILES__INFO!!!.txt’. The ransom note asks victims to contact the attackers at BM-2cXonzj9ovn5qdX2MrwMK4j3qCquXBKo4h@bitmessage[.]ch or savefiles@india[.]com for payment instructions.

Kraken Cryptor ransomware

In October 2018, Fallout started pushing Kraken Cryptor ransomware version 1.5 and 1.6. As usual, users were redirected several times before landing on the site hosting Fallout exploit kit. The exploit kit then exploits the Windows VBScript vulnerability CVE-2018-8174 to install Kraken Cryptor ransomware.

Once the ransomware is installed, victims files are then encrypted and renamed to a random name with a random extension. While encrypting, the ransomware leaves a ransom note named ‘How to Decrypt Files-[extension].html’. This ransom note contains instructions on how to pay the ransom and contact the affiliate at onionhelp@memeware[.]net or BM-2cWdhn4f5UyMvruDBGs5bK77NsCFALMJkR@bitmessage[.]ch.

DanaBot, Nocturnal, and GlobeImposter

In November 2018, Fallout exploit kit was found exploiting known vulnerabilities in Windows to distribute various malware variants such as DanaBot banking trojan, Nocturnal info stealer malware, and GlobeImposter ransomware.

The malvertising campaign carried out by attackers will include JavaScript that redirects users through a serious of decoy sites before landing on the site hosting Fallout. If the redirected user is running Internet Explorer, the exploit kit will attempt to exploit the Windows CVE-2018-8174 VBScript vulnerability to install the malware payload.

AZORult Malware variants

On October 20th, 2018 researchers discovered that Azorult variants were being used as primary payloads in ‘FindMyName’ campaign using the Fallout Exploit Kit. Fallout uses several HTML tags such as span, h3, and p to hide the real exploit code with highly obfuscated tag content.

After decryption, the real VBScript code exploits an IE VBScript vulnerability CVE-2018-8174. Once exploited, Fallout Exploit Kit downloads a ‘.tmp’ file, which is a variant of AZORult.

Vidar Infostealer malware

In January 2019, researchers observed attackers using a combination of Vidar Malware and GandCrab Ransomware to attack victims. Security researchers from Malwarebytes investigated the campaign and detected that several exploit kits such as Fallout and GrandSoft were used to initially install Vidar malware and then a secondary payload containing GandCrab ransomware was used. However, Vidar Infostealer malware was distributed primarily via Fallout exploit kit.