A new exploit kit called Fallout is being used to distribute the GandCrab ransomware, malware-downloading Trojans, and other potentially unwanted programs (PUPs).
First discovered by security researcher nao_sec at the end of August 2018, this kit is installed on hacked sites and will attempt to exploit vulnerabilities on a visitor's computer. The exploited vulnerabilities are in Adobe Flash Player (CVE-2018-4878) and the Windows VBScript engine (CVE-2018-8174).
When nao_sec discovered the exploit kit, it was downloading and installing SmokeLoader, which is a malware infection that downloads other malware. At that time it was downloading and installing CoalaBot and another unidentified malware.
"The exe file executed by shellcode is 'Nullsoft Installer self-extracting archive'," stated nao_sec in his blog post about the Fallout Exploit Kit. "This will run SmokeLoader and two exe files will be downloaded."
In a report released today, FireEye states that the Fallout Exploit Kit has been observed installing the GandCrab ransomware on Windows machines, while macOS visitors are redirected to pages promoting fake antivirus software or fake Adobe Flash Players.
Consistent with nao_sec's earlier findings, FireEye states that the kit will first try to exploit VBScript and, if scripting is disabled, will then attempt to exploit the Flash Player vulnerability.
If the computer is successfully exploited, Windows is made to download and install a Trojan. This Trojan checks for the following processes and, if found, enters an infinite loop and performs no further malicious activity:
vmwareuser.exe
vmwareservice.exe
vboxservice.exe
vboxtray.exe
Sandboxiedcomlaunch.exe
procmon.exe
regmon.exe
filemon.exe
wireshark.exe
netmon.exe
vmtoolsd.exe
Otherwise, it will download and execute a DLL that installs the GandCrab ransomware. When GandCrab infects the computer, it will append the .KRAB extension to encrypted files and drop a ransom note named KRAB-DECRYPT.txt.
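For responders, the two file indicators above are enough to scope which folders were hit. The Python below is an added example, not code from this article, FireEye or nao_sec: it groups .KRAB files and KRAB-DECRYPT.txt notes by directory from a recursive file listing. The function names and the sample listing are constructed for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators taken from the article: appended extension and ransom-note name.
ENCRYPTED_EXT = ".krab"
RANSOM_NOTE = "krab-decrypt.txt"


def triage(paths):
    """Map each affected directory to {"note": bool, "encrypted": [names]}."""
    report = defaultdict(lambda: {"note": False, "encrypted": []})
    for raw in paths:
        p = PureWindowsPath(raw.strip())
        if not p.name:
            continue  # blank line in the listing
        folder = str(p.parent).lower()  # Windows paths compare case-insensitively
        if p.name.lower() == RANSOM_NOTE:
            report[folder]["note"] = True
        elif p.suffix.lower() == ENCRYPTED_EXT and p.stem:
            # The extension is appended, so the stem is the original file name.
            report[folder]["encrypted"].append(p.stem)
    return dict(report)


def likely_encrypted_dirs(report):
    """Directories holding both a ransom note and encrypted files, sorted."""
    return sorted(d for d, r in report.items() if r["note"] and r["encrypted"])


# Constructed sample listing (the shape of `dir /s /b` output), not real incident data.
SAMPLE_LISTING = r"""
C:\Users\alice\Documents\budget.xlsx.KRAB
C:\Users\alice\Documents\report.docx.krab
C:\Users\alice\Documents\KRAB-DECRYPT.txt
C:\Users\alice\Pictures\cat.jpg
C:\Users\alice\Pictures\KRAB-DECRYPT.txt
C:\Tools\notes.krab.bak
""".splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    for folder in sorted(result):
        entry = result[folder]
        print(folder, "note" if entry["note"] else "no note", entry["encrypted"])
    print("confirm first:", likely_encrypted_dirs(result))
```

A directory with a note but no .KRAB files, like the Pictures folder in the sample, is still reported by `triage` so it can be checked by hand.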
To protect yourself from the Fallout exploit kit, it is important that all users make sure they have installed the latest Windows security updates and that they do not have any outdated programs, such as Flash Player, installed on their computer.
BleepingComputer has tried to contact the GandCrab developers to see how long they have been using the Fallout exploit kit, but they are being kraby (see what I did there?) and have not responded by the time of this publication.