{"id":14347,"date":"2019-01-17T13:10:02","date_gmt":"2019-01-17T21:10:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/01\/17\/news-8099\/"},"modified":"2019-01-17T13:10:02","modified_gmt":"2019-01-17T21:10:02","slug":"news-8099","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/01\/17\/news-8099\/","title":{"rendered":"Improved Fallout EK comes back after short hiatus"},"content":{"rendered":"<p><strong>Credit to Author: J\u00e9r\u00f4me Segura| Date: Thu, 17 Jan 2019 19:51:27 +0000<\/strong><\/p>\n<p>After a short hiatus in early January, the Fallout exploit kit is back in business again with some new features for the new year. During its absence, we noticed an increase in RIG campaigns, perhaps to fill that temporary void.<\/p>\n<p>Fallout EK is distributed via malvertising chains (one of them we track under the name <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/exploits\/2016\/11\/the-hookads-malvertising-campaign\/\" target=\"_blank\" rel=\"noopener\">HookAds<\/a>), especially through adult traffic. 
Since January 15, Fallout EK activity has been picking up pace again to deliver the GandCrab ransomware.<\/p>\n<p>The revised Fallout EK boasts several new features, including integration of the most recent Flash Player exploit.\u00a0Security researcher Kafeine <a href=\"https:\/\/malware.dontneedcoffee.com\/2019\/01\/CVE-2018-15982.html#fallout\" target=\"_blank\" rel=\"noopener\">identified<\/a> that Fallout is now the <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2018\/12\/underminer-exploit-kit-improves-latest-iteration\/\" target=\"_blank\" rel=\"noopener\">second exploit kit<\/a> to add <a href=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/12\/new-flash-player-zero-day-used-russian-facility\/\" target=\"_blank\" rel=\"noopener\">CVE-2018-15982<\/a>.<\/p>\n<h3>Fallout EK 2019 highlights:<\/h3>\n<ul>\n<li>HTTPS support<\/li>\n<li>New landing page format<\/li>\n<li>New Flash exploit (CVE-2018-15982)<\/li>\n<li>Powershell to run payload<\/li>\n<\/ul>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/FalloutEK_2019.png\" data-rel=\"lightbox-0\" title=\"\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"26871\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/01\/improved-fallout-ek-comes-back-after-short-hiatus\/attachment\/falloutek_2019\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/FalloutEK_2019.png\" data-orig-size=\"1302,1294\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"FalloutEK_2019\" data-image-description=\"\" 
data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/FalloutEK_2019-300x298.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/FalloutEK_2019-600x596.png\" class=\"alignnone wp-image-26871\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/FalloutEK_2019.png\" alt=\"\" width=\"629\" height=\"625\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/FalloutEK_2019.png 1302w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/FalloutEK_2019-150x150.png 150w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/FalloutEK_2019-300x298.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/FalloutEK_2019-600x596.png 600w\" sizes=\"auto, (max-width: 629px) 100vw, 629px\" \/><\/a><\/p>\n<p>One aspect that caught our attention was how Fallout was delivering its payload via Powershell rather than using iexplore.exe. This was also mentioned in the EK developer&#8217;s advert reposted by Kafeine on his site.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/processes.png\" data-rel=\"lightbox-1\" title=\"\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"26873\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/01\/improved-fallout-ek-comes-back-after-short-hiatus\/attachment\/processes-7\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/processes.png\" data-orig-size=\"1070,102\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" 
data-image-title=\"processes\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/processes-300x29.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/processes-600x57.png\" class=\"alignnone size-full wp-image-26873\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/processes.png\" alt=\"\" width=\"1070\" height=\"102\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/processes.png 1070w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/processes-300x29.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/processes-600x57.png 600w\" sizes=\"auto, (max-width: 1070px) 100vw, 1070px\" \/><\/a><\/p>\n<p>The Base64 encoded Powershell command calls out the payload URL and loads it in its own way:<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/command.png\" data-rel=\"lightbox-2\" title=\"\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"26874\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/01\/improved-fallout-ek-comes-back-after-short-hiatus\/attachment\/command-2\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/command.png\" data-orig-size=\"757,663\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"command\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/command-300x263.png\" 
data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/command-600x525.png\" class=\"alignnone size-full wp-image-26874\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/command.png\" alt=\"\" width=\"757\" height=\"663\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/command.png 757w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/command-300x263.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/command-600x525.png 600w\" sizes=\"auto, (max-width: 757px) 100vw, 757px\" \/><\/a><\/p>\n<p>This technique is most likely an attempt at evasion, as traditionally we&#8217;d expect the Internet Explorer process to drop the payload.<\/p>\n<p>What this new development tells us is that exploit kit developers are still monitoring the scene for new exploits and techniques. In 2018, several zero-days for Internet Explorer and Flash Player were found and turned into easily adaptable proof of concepts. Even though the market share for IE and Flash continues to drop, there are many countries still running older systems where the default browser is Internet Explorer. 
Therefore, threat actors will take advantage.<\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/\" target=\"_blank\" rel=\"noopener\">Malwarebytes<\/a> users are already protected against this updated Fallout EK.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/block_Fallout.png\" data-rel=\"lightbox-3\" title=\"\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"26875\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/01\/improved-fallout-ek-comes-back-after-short-hiatus\/attachment\/block_fallout\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/block_Fallout.png\" data-orig-size=\"914,621\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"block_Fallout\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/block_Fallout-300x204.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/block_Fallout-600x408.png\" class=\"alignnone wp-image-26875\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/block_Fallout.png\" alt=\"\" width=\"584\" height=\"397\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/block_Fallout.png 914w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/block_Fallout-300x204.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/block_Fallout-600x408.png 600w\" sizes=\"auto, (max-width: 584px) 100vw, 584px\" \/><\/a><\/p>\n<h3>Indicators of 
Compromise<\/h3>\n<pre>185.56.233[.]186,advancedfeed[.]pro,HookAds Campaign\n51.15.35[.]154,payformyattention[.]site,Fallout EK<\/pre>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/01\/improved-fallout-ek-comes-back-after-short-hiatus\/\">Improved Fallout EK comes back after short hiatus<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/01\/improved-fallout-ek-comes-back-after-short-hiatus\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: J\u00e9r\u00f4me Segura| Date: Thu, 17 Jan 2019 19:51:27 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/01\/improved-fallout-ek-comes-back-after-short-hiatus\/' title='Improved Fallout EK comes back after short hiatus'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/shutterstock_1073925929.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>The Fallout exploit kit is back with some noteworthy improvements.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/exploits-threat-analysis\/\" rel=\"category tag\">Exploits<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/\" rel=\"category tag\">Threat analysis<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/cve-2018-15982\/\" rel=\"tag\">CVE-2018-15982<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ek\/\" rel=\"tag\">EK<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/exploit\/\" rel=\"tag\">exploit<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/exploit-kits\/\" rel=\"tag\">exploit 
kits<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/fallout\/\" rel=\"tag\">Fallout<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/powershell\/\" rel=\"tag\">powershell<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/01\/improved-fallout-ek-comes-back-after-short-hiatus\/' title='Improved Fallout EK comes back after short hiatus'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/01\/improved-fallout-ek-comes-back-after-short-hiatus\/\">Improved Fallout EK comes back after short hiatus<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[20524,10527,11638,10528,10987,19945,11191,10494],"class_list":["post-14347","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-cve-2018-15982","tag-ek","tag-exploit","tag-exploit-kits","tag-exploits","tag-fallout","tag-powershell","tag-threat-analysis"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14347","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=14347"}],"version-history":[{"count":0,"hr
ef":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14347\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=14347"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=14347"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=14347"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}