Fallout is an exploit kit (EK) first identified at the end of August 2018. It was first seen as part of a malvertising campaign affecting users in Japan, Korea, the Middle East, Southern Europe, and elsewhere in the Asia Pacific region. Fallout was observed exploiting the vulnerabilities CVE-2018-4878 and CVE-2018-8174 and distributing the GandCrab ransomware to users in the Middle East. The EK fingerprints the user's browser profile and delivers malicious content if the user is deemed a target of interest. The user is redirected from a legitimate advertising page to the EK landing page. Depending on the browser and operating system, the malvertisement either delivers Fallout or attempts to reroute the user to other social engineering campaigns that try to convince users to download malicious software.

Technical Details and Reporting

  • Nao_sec provides technical details, including IOCs, here.

  • September 2018: Fallout Exploit Kit Used in Malvertising Campaign to Deliver GandCrab Ransomware (FireEye)

  • September 2018: Fallout Exploit Kit Pushing the SAVEfiles Ransomware (Bleeping Computer)

  • October 2018: Fallout Exploit Kit Now Installing the Kraken Cryptor Ransomware (Bleeping Computer)

  • November 2018: HookAds Malvertising Installing Malware via the Fallout Exploit Kit (Bleeping Computer)

  • November 2018: New Azorult variants were being used as primary payloads in a new ongoing campaign using the Fallout Exploit Kit. (Palo Alto Networks)

  • January 2019: After a short hiatus, Fallout EK picked up activity, distributing the GandCrab ransomware and boasting new features, such as the integration of the most recent Adobe Flash Player exploit. (Malwarebytes)

  • June 2019: ChaCha Ransomware, a variant of Maze Ransomware, has been spotted being distributed by the Fallout exploit kit. (Bleeping Computer)