Severity
Medium
Analysis Summary
Fallout Exploit Kit is typically used to deliver ransomware (GandCrab, Kraken, Maze, Minotaur, Matrix and Stop), banking Trojans (DanaBot) and information stealers (Raccoon Stealer, AZORult, Vidar), among other payloads.
Currently, it is being used to deliver the Raccoon stealer. The exploit kit reaches vulnerable systems through malicious ads: because of the complex redirection chains that ad services provide, malvertising remains an extremely effective vector for delivering exploits and, ultimately, malware. The initial redirection to the Fallout EK is performed via malvertising, using a dedicated ad server that serves the malicious redirects. From the malicious ad, the browser is redirected to the exploit kit's landing page, which loads further JavaScript; VBScript and Flash exploits are then delivered to vulnerable browsers.

Finally, an encoded PowerShell script is downloaded and executed, which in turn downloads the malware payload and launches it. The payload is a password and cryptocurrency stealer. Stolen data, along with machine and OS information, is packed into a Log.zip file and exfiltrated.
Impact
- Credential theft
- Theft of auto-fill information and cookies
- Crypto-wallet credential theft
Indicators of Compromise
Domain Name
- yourfirmware[.]biz
- comicsansfont[.]com
- gonzalesnotdie[.]com
- gorgantuaisastar[.]com
Malware Hashes
MD5
- 97d329f9a8ba40cc6b6dd1bb761cbe5c
- d490bd6184419561350d531c6c771a50
SHA256
- 2db1b7d63e7dd9c7c5c949e9d80470419ef977849bf5419785729442e9ea7d44
- 1e33e3aa6404a00978e10ffe9879f68f09c38ddb44533905cc733a7703b771d6
Source IP
- 34[.]77[.]205[.]80
URL
- hxxp[:]//91[.]90[.]192[.]214/JwVDfp
- hxxp[:]//172[.]105[.]36[.]165/kr/url[.]php
Affected Products
- Google Chrome
- Google Chrome Canary
- Vivaldi
- Xpom
- Comodo Dragon
- Amigo
- Orbitum
- Opera
- Bromium
- Nichrome
- Sputnik
- Kometa
- uCoz Uran
- RockMelt
- 7Star
- Epic Privacy Browser
- Elements Browser
- CocCoc
- TorBro
- Shuhba
- CentBrowser
- Torch
- Chedot
- Superbird
- Mozilla Firefox
- Waterfox
- SeaMonkey
- Pale Moon
Remediation
- Block threat indicators at their respective controls.
- Do not visit suspicious websites displayed in random ads found on legitimate websites.
- Keep the mentioned browsers patched and updated to the latest versions.
- Avoid executing any files that are downloaded upon redirection.
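As an added example (not part of the Rewterz advisory), the following Python script puts the first remediation item into practice: it refangs the network indicators listed above and checks them against proxy log lines, and it flags process command lines that start PowerShell with an encoded script body, the final stage described in the analysis. The log format, hostnames and base64 blob are constructed assumptions.

```python
import re

# Network indicators exactly as the advisory lists them (defanged). The two IP
# hosts from the URL indicators are included next to the "Source IP" entry.
ADVISORY_HOSTS = [
    "yourfirmware[.]biz", "comicsansfont[.]com", "gonzalesnotdie[.]com",
    "gorgantuaisastar[.]com", "34[.]77[.]205[.]80", "91[.]90[.]192[.]214",
    "172[.]105[.]36[.]165",
]

def refang(indicator):
    """Undo [.] / [:] / hxxp defanging so a value can be compared with live logs."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

# Destination host of a proxied request, e.g. "http://host/path" -> "host".
HOST_RE = re.compile(r"https?://([^/:\s]+)", re.IGNORECASE)
# PowerShell started with an encoded command body (-e / -enc / -EncodedCommand),
# the last stage of the chain described above.
ENCODED_PS_RE = re.compile(
    r"powershell[^|]*\s-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}",
    re.IGNORECASE,
)

def match_proxy_log(lines):
    """Return (line_number, host) for each request to an advisory host."""
    hosts = {refang(h).lower() for h in ADVISORY_HOSTS}
    hits = []
    for n, line in enumerate(lines, 1):
        m = HOST_RE.search(line)
        if m and m.group(1).lower() in hosts:
            hits.append((n, m.group(1).lower()))
    return hits

def flag_encoded_powershell(cmdlines):
    """Return the process command lines that launch PowerShell with an encoded script."""
    return [c for c in cmdlines if ENCODED_PS_RE.search(c)]

# Constructed sample input for a stand-alone run; none of it is real traffic.
SAMPLE_PROXY_LOG = [
    "1571140001 ws-17 GET http://news.example.com/index.html 200",
    "1571140002 ws-17 GET http://ads.example.net/r?id=42 302",
    "1571140003 ws-17 GET http://gonzalesnotdie.com/ 200",
    "1571140004 ws-17 GET http://91.90.192.214/JwVDfp 200",
]
# Constructed process command lines; the base64 blob is a placeholder, not a real script.
SAMPLE_CMDLINES = [
    "powershell.exe -NoP -W Hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ==",
    "powershell.exe -File C:\\scripts\\backup.ps1",
]
```

Running `match_proxy_log(SAMPLE_PROXY_LOG)` yields the landing-page and payload-host requests on lines 3 and 4; the encoded-PowerShell check is a triage signal, not proof of infection, since legitimate automation also uses `-EncodedCommand`.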