New Fallout exploit kit delivers SmokeLoader and GandCrab in malvertising campaign

• The cybercriminals behind the new malvertising campaign have been leveraging Fallout to target victims in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region.
• The EK is capable of fingerprinting the user's browser profile and delivering a malicious tool only if the user profile matches that of a target of interest.

A new exploit kit (EK) called Fallout has recently been discovered by security experts. The EK is being used by cybercriminals behind a new malvertising campaign and can drop either the SmokeLoader malware or the GandCrab ransomware on targets.

The cybercriminals behind the new malvertising campaign have been leveraging Fallout to target victims in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region.

Modus operandi

The malvertising campaign was first discovered on 24 August by Japanese researchers. It was discovered that Fallout is distributing SmokeLoader in Japan and GandCrab in the Middle East. The EK is capable of fingerprinting the user browser profile and delivering a malicious tool only if the user profile matches that of a target of interest.

“Depending on browser/OS profiles and the location of the user, the malvertisement either delivers the exploit kit or tries to reroute the user to other social engineering campaigns. For example, in the U.S. on a fully patched macOS system, malvertising redirects users to social engineering attempts,” security researchers at FireEye, who tracked the malvertising campaign, wrote in a blog.

Fallout

The EK is installed on hacked websites and attempts to exploit an Adobe Flash Player vulnerability and a Windows VBScript flaw on the targeted systems. In Japan, where Fallout has been distributing the SmokeLoader downloader, the cybercriminals behind the campaign have been using SmokeLoader to drop the CoalaBot malware and another unidentified malware, Bleeping Computer reported.

Once the targeted PC is successfully compromised, it will cause Windows to install a trojan, which is designed to check for certain process, such as antivirus programs. If the processess checked by the trojan are found on the targeted system, then the malware will enter into an infinite loop and not conduct any malicious activities.

“In recent years, arrests and disruptions of underground operations have led to exploit kit activity declining heavily. Still, exploit kits pose a significant threat to users who are not running fully patched systems,” FireEye researchers said. “Nowadays we see more exploit kit activity in the Asia Pacific region, where users tend to have more vulnerable software. Meanwhile, in North America, the focus tends to be on more straightforward social engineering campaigns.”