A new exploit kit called Fallout is being used to distribute the GandCrab ransomware, malware-downloading Trojans, and other potentially unwanted programs (PUPs).

First discovered by security researcher nao_sec at the end of August 2018, this kit is installed on hacked sites and attempts to exploit vulnerabilities on a visitor’s computer. The exploited vulnerabilities are in Adobe Flash Player (CVE-2018-4878) and the Windows VBScript engine (CVE-2018-8174).

When nao_sec discovered the exploit kit, it was downloading and installing SmokeLoader, a malware infection that downloads other malware. At that time, SmokeLoader was downloading and installing CoalaBot and another unidentified malware.

“The exe file executed by shellcode is ‘Nullsoft Installer self-extracting archive’,” stated nao_sec in his blog post about the Fallout Exploit Kit. “This will run SmokeLoader and two exe files will be downloaded.”

In a report released today by FireEye, the Fallout Exploit Kit has been observed installing the GandCrab ransomware on Windows machines, while macOS users are redirected to pages promoting fake antivirus software or fake Adobe Flash Players.

Fake Antivirus software promoted to Mac Users (Source: FireEye)

As previously discovered by nao_sec, FireEye states that the kit first tries to exploit VBScript and, if scripting is disabled, then attempts to exploit the Flash Player vulnerability.

Noscript Tag with Flash Player Exploit (Source: FireEye)

If the computer is successfully exploited, the kit causes Windows to download and install a Trojan onto the computer. This Trojan…