Fallout EK Spreads GandCrab, Leverages CVE-2018-4878, CVE-2018-8174


New security reports have landed indicating that the infamous GandCrab ransomware is currently being distributed by a new exploit kit known as Fallout. The Fallout EK is pushing the ransomware alongside downloader Trojans and potentially unwanted programs. The EK was unearthed by security researcher nao_sec at the end of August 2018.

Fallout Exploit Kit Malicious Operations

It appears that the Fallout EK is installed on compromised websites and is attempting to exploit vulnerabilities present in the potential victim’s system. So far, the EK is leveraging two known exploits – one for Adobe Flash Player (CVE-2018-4878) and one for the Windows VBScript engine (CVE-2018-8174).

CVE-2018-4878 Technical Details

As per MITRE’s advisory, the vulnerability is “a use-after-free vulnerability” in Adobe Flash Player versions prior to 28.0.0.161. It occurs due to a dangling pointer in the Primetime SDK related to the media player’s handling of listener objects. A successful attack can lead to arbitrary code execution. CVE-2018-4878 was exploited in the wild in January and February 2018.

CVE-2018-8174 Technical Details

The vulnerability, officially titled “Windows VBScript Engine Remote Code Execution Vulnerability,” is a remote code execution flaw that exists in the way the VBScript engine handles objects in memory. It affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, and Windows 10 Servers.

Upon its discovery, the EK was caught downloading and installing the so-called SmokeLoader, a malware instance known for downloading more malware onto the compromised host. At that particular moment CoalaBot was being downloaded alongside other undisclosed malware pieces.

According to the researcher, the exe file executed by the shellcode is a “Nullsoft Installer self-extracting archive”, which then runs the SmokeLoader.

*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum | SensorsTechForum.com authored by Milena Dimitrova. Read the original post at: https://sensorstechforum.com/fallout-ek-gandcrab-cve-2018-4878-cve-2018-8174/