Cybercriminals made another strategic attempt to distribute GrandCrab ransomware, fake anti-virus software, malware downloading Trojans and other PUPs which abbreviates for ‘Potentially Unwanted Programs.’ The exploit kit that is being used to deliver the ransomware is called ‘Fallout.’
It was the end of August’18 that saw the discovery of the kit which is installed on hacked sites and is programmed to exploit vulnerabilities on a visitor’s system. These vulnerabilities are reported to be for two programs – Windows VBScript engine (CVE-2018-8174) and Adobe Flash player (CVE-2018-4878).
Upon its discovery. which was made by nao sec (Security Researcher), the kit was found downloading and installing a malware infection, ‘SmokeLoader’ which further downloads other malware. As per the security researcher, the kit when found was downloading and installing CoalaBot and an unidentified malware.
In a blog post exclusively written to shed a light on the ‘Fallout Exploit Kit', nao sec stated – “The exe file executed by shellcode is "Nullsoft Installer self-extracting archive.” He added, "This will run SmokeLoader and two exe files will be downloaded."
As reported by FireEye, which prides itself on embracing world-class frontline threat expertise – Fallout, the exploit kit has been noticed installing GrandCrab Ransomware on Windows and MacOS users will be redirected to pages that promote fake antivirus software or fake Adobe Flash Players.
FireEye further educates us on the procedural execution –primarily, the kit will try and exploit VBScript and then it will proceed towards the Flash Player vulnerability which will be contingent on the status of scripting– whether it’s disabled or not. Marching forward, the kit will cause Windows to download and install a Trojan into the system once it has been successfully exploited.
Upon its activation, the Trojan will scan for the following processes, and if found, it causes the Trojan to step in an infinite loop which consequently halts any further malicious activities.
If not, then it downloads and executes a DLL which leads to the installation of GrandCrab ransomware. While infecting the system, GrandCrab appends the.KRAB extension to encrypted files and drops a ransom note titled KRAB-DECRYPT.txt.
Calming the bewildered spirit of inquiry of the Fallout exploit kit victims or to-be-victims, Ehackingnews advises all the users against stacking outdated programs onto their systems, for example, Flash Player. It is essential to ensure an installation of the latest Windows security updates in order to keep yourself guarded.
