Attackers are leveraging a newly discovered exploit kit in an international malvertising campaign that’s been observed delivering GandCrab ransomware and the SmokeLoader malicious downloader, as well as engaging victims in social engineering scams.
Nicknamed Fallout, the kit exploits a remote code execution vulnerability in outdated versions of the Windows VBScript engine and an arbitrary code execution bug in unpatched Adobe Flash Player software in order to distribute malware to its victims.
In a blog post published yesterday, FireEye reports that Fallout EK has been delivering GandCrab to victims in the Middle East, while also targeting the Asia Pacific region and Southern Europe with additional malware.
Japanese researchers from nao_sec previously reported the threat on 1 September, after observing Fallout distribute SmokeLoader to Japanese victims, along with two apparent bots, on 29 August. This incident came just days after Fallout’s first known appearance on 24 August via the domain finalcountdown[.]gq, FireEye explains.
According to researchers, Fallout exhibits similar behavior to the commonly used Nuclear Pack Exploit Kit (aka Nuclear EK), and also has a similar URL pattern.
Online users are infected upon visiting web pages compromised with malicious advertisements. When this occurs, Fallout decides whether or not to attack, and what type of attack to implement, by first fingerprinting the user browser profile to better understand the victim.
Targets of interest are rerouted from legit ad pages to the Fallout EK landing page via multiple 302 redirects, FireEye reports. "URIs for the landing page keep changing and are too generic for a pattern, making it harder for IDS solutions that rely on detections based on particular patterns," the company blog post states.
Other victims are instead routed to social engineering campaigns that try to trick them into downloading malicious files or clicking links. For instance, notes FireEye, US-based users working on a fully patched macOS system may see fake virus warnings or phony Flash Player download prompts. "The malvertisement redirect involved in the campaign has been abused heavily in many social engineering campaigns in North America," the blog post remarks.
It shares behaviour and a URL pattern.