A new exploit kit called Fallout is being used to distribute the GandCrab ransomware, malware-downloading Trojans, and other potentially unwanted programs (PUPs).

First discovered by security researcher nao_sec at the end of August 2018, this kit is installed on hacked sites and will attempt to exploit vulnerabilities on a visitor's computer. The exploited vulnerabilities are for Adobe Flash Player (CVE-2018-4878) and the Windows VBScript engine (CVE-2018-8174).

When nao_sec discovered the exploit kit it was downloading and installing SmokeLoader, a malware infection that downloads other malware. At that time SmokeLoader was in turn downloading and installing CoalaBot and another, unidentified piece of malware.

"The exe file executed by shellcode is 'Nullsoft Installer self-extracting archive'," stated nao_sec in his blog post about the Fallout Exploit Kit. "This will run SmokeLoader and two exe files will be downloaded."

In a report released today by FireEye, the Fallout Exploit Kit has been observed installing the GandCrab ransomware on Windows machines and, for macOS users, redirecting visitors to pages promoting fake antivirus software or fake Adobe Flash Player installers.

Fake Antivirus software promoted to Mac Users (Source: FireEye)

As nao_sec previously found, FireEye states that the kit first tries the VBScript exploit and, if scripting is disabled, falls back to the Flash Player exploit.

Noscript Tag with Flash Player Exploit (Source: FireEye)
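As an added illustration of the VBScript-first, Flash-in-noscript fallback layout described above, here is a small Python heuristic scanner (not code from the article, nao_sec or FireEye) that parses a landing page and flags pages carrying both a VBScript block and a Flash object inside a noscript tag; the sample pages are constructed and only mimic the layout, and the counters and threshold are my own choices.

```python
from html.parser import HTMLParser
FLASH_MIME = "application/x-shockwave-flash"
FLASH_CLSID = "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"  # Shockwave Flash ActiveX control

class LandingPageScanner(HTMLParser):
    """Counts VBScript blocks and Flash objects; Flash objects inside <noscript>
    are tracked separately, since those only render when scripting is disabled."""
    def __init__(self):
        super().__init__()
        self.noscript_depth = self.vbscript_blocks = 0
        self.flash_in_noscript = self.flash_elsewhere = 0

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if tag == "noscript":
            self.noscript_depth += 1
        elif tag == "script" and "vbscript" in a.get("language", "") + a.get("type", ""):
            self.vbscript_blocks += 1
        elif tag in ("object", "embed") and (
                FLASH_MIME in a.get("type", "")
                or a.get("classid") == FLASH_CLSID
                or a.get("data", a.get("src", "")).endswith(".swf")):
            if self.noscript_depth:
                self.flash_in_noscript += 1
            else:
                self.flash_elsewhere += 1

    def handle_endtag(self, tag):
        if tag == "noscript" and self.noscript_depth:
            self.noscript_depth -= 1

def scan_landing_page(html):
    """Parse a page and flag the VBScript-first, Flash-in-<noscript> fallback layout."""
    p = LandingPageScanner()
    p.feed(html)
    p.close()
    return {"vbscript_blocks": p.vbscript_blocks,
            "flash_in_noscript": p.flash_in_noscript,
            "flash_elsewhere": p.flash_elsewhere,
            "suspicious": p.vbscript_blocks > 0 and p.flash_in_noscript > 0}

# Constructed samples that only mimic the layout described above; not real kit code.
SAMPLE_SUSPICIOUS = """<html><body>
<script language="VBScript">' placeholder VBScript block
</script>
<noscript><object type="application/x-shockwave-flash" data="movie.swf"></object></noscript>
</body></html>"""
SAMPLE_BENIGN = """<html><body><script type="text/javascript">var a = 1;</script>
<object type="application/x-shockwave-flash" data="video.swf"></object></body></html>"""
```

A plain Flash object outside noscript is counted but not flagged on its own, so ordinary legacy pages are not reported; only the combination the article describes trips the verdict.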

If the exploit succeeds, Windows downloads and installs a Trojan. The Trojan checks for the following processes, and if any of them is found it enters an infinite loop and performs no further malicious activity:

vmwareuser.exe
vmwareservice.exe
vboxservice.exe
vboxtray.exe
Sandboxiedcomlaunch.exe
procmon.exe
regmon.exe
filemon.exe
wireshark.exe
netmon.exe
vmtoolsd.exe

Otherwise, it downloads and executes a DLL that installs the GandCrab ransomware. When GandCrab infects the computer it appends the .KRAB extension to the files it encrypts and drops a ransom note named KRAB-DECRYPT.txt.

GandCrab Ransomware Payment Site

To protect yourself from the Fallout exploit kit, it is important that all users make sure they have installed the latest Windows security updates and that they do not have any outdated programs, such as Flash Player, installed on their computer.

BleepingComputer has tried to contact the GandCrab developers to see how long they have been using the Fallout exploit kit, but they are being kraby (see what I did there?) and have not responded by the time of this publication.
