In-Depth analysis of new Fallout Exploit Kit

First

Fallout Exploit Kit has been observed since August 2018. It is very popular and used in many attack campaigns. However, around the end of 2018 Fallout was no longer observed. It was a short break, he came back soon.

He came back and contained several changes.

1. HTTPS
  - Using Let's Encrypt
2. Landing Page
  - Changed code to generate code for exploitation
3. CVE-2018-8174
  - Changed shellcode
    - Using PowerShell
    - Bypass AMSI
4. CVE-2018-15982

In this article, I will look into these changes in detail.

HTTPS

Fallout began using HTTPS. This may make analysis and detection a bit more difficult. He uses Let's Encrypt.



Landing Page

JavaScript was not obfuscated in the previous landing page. Custom Base64 for generating exploitation code was easy to read and the table was written as it was.

All such processing is obfuscated in the new landing page. But you don't have to be afraid of it. Its obfuscation is very simple.

If you take out the last JavaScript and decode it, it looks something like this.

It will look like this if you clean it up.

Let's read in turn. The first line extracts necessary data from HTML. Decode this string to generate exploitation code. The second line defines the table of Custom Base64.


The next two functions are Custom Base64. This has not changed since the past.



Next Fallout is creating an embed element. Although src is encoded, it becomes a URL by decoding it. This reads the exploitation SWF of CVE-2018-15982.


Finally Fallout is creating a script element. VBScript text is the decoded version of HTML data read in line 1. This reads the exploitation code of CVE-2018-8174.


CVE-2018-8174

The code is exactly the same as PoC. shellcode has been updated.


Looking at shellcode, it contains encrypted data at the end. Run it on CreateProcessA.


Data is encrypted by RC4.


The key is hard-coded, and when you decode it using it, you get such PowerShell code.


Decoding Base64 and formatting it look like this:

The first line is a technique to Bypass Anti Malware Scan Interface. Matt Graeber tweeted in 2016.

[Ref].Assembly.GetType('https://t.co/Kwfd9odrBv.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
— Matt Graeber (@mattifestation) 2016年5月25日
Next, the C # code is defined. When it shapes it, it looks like this. This will define CreateProcess.


Next is the process of downloading and saving malware. Previously it was encrypted with RC4, but now it is an exe file.


Finally, run the malware by CreateProcess.


CVE-2018-15982

In this update CVE-2018-15982 has been added to Fallout.


However, this is the same as PoC. Shellcode is the original but it is the same algorithm as the one already explained in 8174.



It is slightly different only in the final PowerShell code. Instead of executing malware with CreateProcess like 8174, it is running with Invoke-Expression.


Conclusion

Fallout made an interesting update such as exploiting CVE-2018-15982, downloading and executing malware with PowerShell by bypassing Anti Malware Scan Interface. 15982 has also been exploited in other exploit kits such as Underminer. Please pay attention to them.

Sample Data
- saz
  - 8174
    - a821dda3cba7851bf0baf4bce8da04d78107be846b18bcb6d29dc92d49973ca8
  - 15982
    - 71fcea2737551627e5bd9968903f68b7cb81a75b92fa9d10c767c1b23e6084ac
- swf
  - 15982
    - e82b042f438c173ae90d056a6c52c0a822d0f263bf8abab60503b9c5c6d68a9c

Hello "Fallout Exploit Kit"

First

At the end of August 2018, we observed a new Exploit Kit. Its behavior (code generation using html) and URL pattern are similar to Nuclear Pack Exploit Kit. Therefore we named it "Fallout Exploit Kit". Fallout Exploit Kit is using CVE-2018-4878 and CVE-2018-8174. That code is distinctive and interesting.

Traffic

On the afternoon of August 29th, we met the Fallout Exploit Kit when we are crawling ad-networks using Japanese IP address.


Accessing their landing page will read the exploit code of CVE-2018-8174 consisting of large span tag and the exploit code of CVE-2018-4878 consisting of object tag.

CVE-2018-4878

The swf file read by the object tag uses CVE-2018-4878.


The swf file is very similar to PoC.


CVE-2018-8174

The large span tag is VBScript code encoded with custom Base64, it is decoded with JavaScript and executed by "ExecuteGlobal" of VBScript.




If execution fails, change window.location. The redirect destination loads the landing page again. If it fails, the dummy website will be displayed.



The decoded result is obfuscated PoC of CVE-2018-8174. The basic structure does not change.


Shellcode generation processing which is the core of this exploit code is encoded by custom Base64.


Shellcode

The shell code flow is as follows.
[Download Encoded Payload] -> [Decode Payload] -> [Execute]


stage1:
Shellcode was further encoded by xor 0x43.



In the decoded code, the following URL is hard-coded. In this case, malware download URL is "http[:]//naosecgomosec[.]gq/Elisions-Riboza-Rigwiddy-Heapstead/8275tv9/PMJqV/Begirdle.cfml?2TV5pG=hOqeWMno&OIfd64x=Shallops_Summative_1050_Parvenu".



stage2:
Shellcode used the ror13AddUpperDllnameHash32 algorithm for the API hash.
Here is a list of hashed APIs.
The download payload is encoded. Payload is encoded using xor with hard-coded key. In this case, key is "APyfhCxJ". It can be decoded with the algorithm of the following script.

Malware

The exe file executed by shellcode is "Nullsoft Installer self-extracting archive". This will run SmokeLoader and two exe files will be downloaded.


New.exe
This is a .NET binary obfuscated by Eazfuscator .NET. We read this, but we could not find the family name. Probably it is Bot. This program contained strings encrypted by RijndaelManaged.


Searching these strings, we found VK_Intel's tweet. It probably is related.

Calls http://karnevallizdageil[.com/exodus/gate.php -> not sure what this variant is.
— Vitali Kremez (@VK_Intel) 2018年6月25日

Loader.exe

It uses vbs and ps1 to create a file called "vstools.exe" and run it.


"vstools.exe" is obfuscated by ".NET Reactor". When decoding it, you can see that it is CoalaBot.


IOC

Fallout Exploit Kit



Nullsoft Installer self-extracting archive



SmokeLoader



Bot (New.exe)



CoalaBot