Hello "Fallout Exploit Kit"

2018-09-01

First

At the end of August 2018, we observed a new Exploit Kit. Its behavior (code generation using html) and URL pattern are similar to Nuclear Pack Exploit Kit. Therefore we named it "Fallout Exploit Kit". Fallout Exploit Kit is using CVE-2018-4878 and CVE-2018-8174. That code is distinctive and interesting.

Traffic

On the afternoon of August 29th, we met the Fallout Exploit Kit when we are crawling ad-networks using Japanese IP address.

Accessing their landing page will read the exploit code of CVE-2018-8174 consisting of large span tag and the exploit code of CVE-2018-4878 consisting of object tag.

CVE-2018-4878

The swf file read by the object tag uses CVE-2018-4878.

The swf file is very similar to PoC.

CVE-2018-8174

The large span tag is VBScript code encoded with custom Base64, it is decoded with JavaScript and executed by "ExecuteGlobal" of VBScript.

If execution fails, change window.location. The redirect destination loads the landing page again. If it fails, the dummy website will be displayed.

The decoded result is obfuscated PoC of CVE-2018-8174. The basic structure does not change.

Shellcode generation processing which is the core of this exploit code is encoded by custom Base64.

Shellcode

The shell code flow is as follows.
[Download Encoded Payload] -> [Decode Payload] -> [Execute]

stage1:
Shellcode was further encoded by xor 0x43.

In the decoded code, the following URL is hard-coded. In this case, malware download URL is "http[:]//naosecgomosec[.]gq/Elisions-Riboza-Rigwiddy-Heapstead/8275tv9/PMJqV/Begirdle.cfml?2TV5pG=hOqeWMno&OIfd64x=Shallops_Summative_1050_Parvenu".

stage2:
Shellcode used the ror13AddUpperDllnameHash32 algorithm for the API hash.
Here is a list of hashed APIs.
The download payload is encoded. Payload is encoded using xor with hard-coded key. In this case, key is "APyfhCxJ". It can be decoded with the algorithm of the following script.

Malware

The exe file executed by shellcode is "Nullsoft Installer self-extracting archive". This will run SmokeLoader and two exe files will be downloaded.

New.exe
This is a .NET binary obfuscated by Eazfuscator .NET. We read this, but we could not find the family name. Probably it is Bot. This program contained strings encrypted by RijndaelManaged.

Searching these strings, we found VK_Intel's tweet. It probably is related.

Calls http://karnevallizdageil[.com/exodus/gate.php -> not sure what this variant is.
— Vitali Kremez (@VK_Intel) 2018年6月25日

Loader.exe

It uses vbs and ps1 to create a file called "vstools.exe" and run it.

"vstools.exe" is obfuscated by ".NET Reactor". When decoding it, you can see that it is CoalaBot.

IOC

Fallout Exploit Kit

naosecgomosec.gq (185.243.112.198)
c148012f9ce59daea1abce2cfaac9c0732e86b7eb00468222b63436306c39d26

Nullsoft Installer self-extracting archive

60d8c76564e9c6ca8435b8e83be9743cc7793091856d7d624eb5f899d055024a

SmokeLoader

killermansopitu.com (185.177.23.245)
6626c19e3f0d2fa6d2a16dcda9e3907c1af6acb223d58815ff6bb8f538b698f4
6625c5281a46079b5f9b20ded3426d2022a4f796f2325878bdc59d6bb9c7c36c
5b5a961e9f5bc9e8adc9562caa8c6e99be456fa211d9df7df996b2a18e896d74
82.196.2.225
185.170.43.95

Bot (New.exe)

845888758736860a37b969cadcbaa6ed8f7db601c3597ecae477331bf6b81eb4
karnevallizdageil.com (185.239.238.204)
idontlikeitwhenyoudoit.ru
merhabaslm.su
ichockealotkrug.com
wheniseeyourdedows.com
justreggitifyouknowit.ru
himynameisnoah.su
iliketopunchnoah.com

CoalaBot

65f85f643efdcde095b905aabbaa40fbdae89a0209614ada8f43f1d6295f7045
185.170.43.95

Analyzing Shellcode of GrandSoft's CVE-2018-8174

2018-06-23

First

CVE-2018-8174 exploit code published in 2018-05-21.

https://www.exploit-db.com/exploits/44741/

GrandSoft Exploit Kit used to be CVE-2016-0189 before. Now, it's using CVE-2018-8174. It's almost the same as PoC, except that some obfuscation has been added. However shellcode is unique. Previously VBScript (CVE-2016-0189) code generated cryptographic keys and decoded the payload. It was changed to doing in shellcode.

Previously flow is as follows:
Random Number Generation -> Generate key Using Random Number ->
Add the key to the End of URL -> Download Encrypted Malware ->
Decode by the key

new flow is as follows:
  Random key Generation -> Add the key to the End of URL ->
  Download Encrypted Malware -> Decode by the key

*     in shellcode

Traffic

First let's see the recent GrandSoft traffic. The link of saz file is introduced in Kafeine's blog.
https://malware.dontneedcoffee.com/2018/05/CVE-2018-8174.html

Looking at this saz file, it looks like the following.

The flow of traffic is the same. It consists of Landing Page, Exploit and Malware. CVE-2018-8174 is used for exploit, which downloads and executes malware. Malware payload is encrypted. Therefore, the shellcode decrypts the malware using some numerical values of the URL.

CVE-2018-8174

For technical explanation of CVE-2018-8174 please refer to other articles.
https://securelist.com/root-cause-analysis-of-cve-2018-8174/85486/

Actually the code used in GrandSoft is like this.

Dead code is included, but it is basically the same as PoC. What is different is PoC with GetShellcode part. GrandSoft's GetShellcode function has been renamed to the c111111 function, and it is such a function.

Shellcode

Shellcode calls API using hash, however this hash differs from well-known one.

Shellcode Hash Algorithm is ror14AddHash32.

pseudocode is as follows:

Shellcode uses GetTickCount function to generate keys.

Decoding algorithm was not changed as of vbs.

pseudocode is as follows:

Conclusion

GrandSoft got CVE-2018-8174. This may be a bit more powerful. Shellcode is a little characteristic. Enjoy analysis of shellcode!