Threat Watch

Fallout EK Returns With New Features

After being very relevant over the last year, Fallout EK is back with amplified features. While it was gone, the RIG EK was carrying out attacks. HookAds is the first campaign of the new year to be seen spreading the newest form of Fallout. It is believed to have started on the 15th of January, focusing its efforts on the GandCrab ransomware.

The updated EK uses CVE-2018-15982, which allows remote code execution in Flash Player. Other new tweaks include HTTPS support, a reformatted landing page, and the adoption of PowerShell to run its payloads. “One aspect that caught our attention was how Fallout was delivering its payload via PowerShell rather than using iexplore.exe. The Base64 encoded PowerShell command calls out the payload URL and loads it in its own way. This technique is most likely an attempt at evasion, as traditionally we’d expect the Internet Explorer process to drop the payload,” said a representative for Malwarebytes.

Don’t expect much from it just yet, as it is still being developed, but threat actors will be searching for unpatched machines and systems still running legacy software.
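A defender can hunt for the behaviour in the Malwarebytes quote by decoding Base64 PowerShell command lines in process-creation logs and pulling out any URL they contain. The following is an added example, not code from the original article or from Malwarebytes; the event field names, the sample records, and the choice to raise severity when the parent process is `iexplore.exe` are assumptions made for illustration.

```python
import base64
import binascii
import re

# -EncodedCommand accepts any unambiguous prefix (-e, -en, -enc, ...) plus the alias -ec.
FLAG_RE = re.compile(r"\s[-/](\w+)\s+([A-Za-z0-9+/=]{8,})")
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
BROWSER_PARENTS = {"iexplore.exe"}  # assumption: a browser parent raises severity

def decode_encoded_command(cmdline):
    """Return the decoded script (Base64 over UTF-16LE) if -EncodedCommand is used, else None."""
    for flag, blob in FLAG_RE.findall(cmdline):
        name = flag.lower()
        if name != "ec" and not "encodedcommand".startswith(name):
            continue
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            continue
    return None

def triage(events):
    """Flag PowerShell launches carrying an encoded command and list URLs found in it."""
    findings = []
    for ev in events:
        if ev["image"].lower() not in ("powershell.exe", "pwsh.exe"):
            continue
        script = decode_encoded_command(ev["cmdline"])
        if script is None:
            continue
        parent_is_browser = ev["parent"].lower() in BROWSER_PARENTS
        findings.append({"host": ev["host"], "urls": URL_RE.findall(script),
                         "severity": "high" if parent_is_browser else "medium"})
    return findings

def _enc(script):  # helper used only to build the constructed samples below
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed process-creation records; hosts, URL and command lines are made up.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": "iexplore.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -e " + _enc("$u='https://payload.example/stage'")},
    {"host": "ws-02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"host": "ws-03", "parent": "services.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + _enc("Get-Date")},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

With HTTPS support on the kit, the URL recovered from the command line may be the only place the payload location is visible without TLS inspection.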

ANALYST NOTES

Since the exploit kit is still in the development stages, it is difficult to determine how attacks will be carried out. For now, users may want to update their computers and possibly discuss a transition away from legacy software.