By exploiting a remote code execution vulnerability in older versions of the Windows VBScript engine and an arbitrary code execution flaw in Adobe Flash Player, the attackers were able to deliver their malware to unsuspecting victims. Most observed Fallout EK activity has been in the Middle East, but there have also been reports from the Asia Pacific region and southern Europe. Fallout uses exploits for CVE-2018-4878 (Adobe Flash Player) and CVE-2018-8174 (Windows VBScript) and selects its victims carefully after luring them to sites that serve malware-laden advertisements. The attackers fingerprint each visitor to learn more about their system and then choose which attack to run. When a target of interest is found, the victim is forced through a chain of 302 redirects to the Fallout EK landing page. The URIs (Uniform Resource Identifiers) of the landing page change continuously, which makes it difficult for detection services that rely on URI patterns to classify this activity.
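As an added defender-side illustration, not code from the original post: a detection check over constructed proxy log lines that keys on the behaviour described above (a chain of several 302 redirects that ends on an unfamiliar host) rather than on the landing-page URI text, since that URI keeps changing. The log format, the hostnames and the allow-list of familiar hosts are all assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (not real traffic): "client status url location".
# Fallout-style chain: ad click -> three 302 hops -> landing page on a throwaway host.
PROXY_LOG = """\
10.0.0.5 200 http://news.example/article -
10.0.0.5 302 http://ads.example/click?id=9 http://r1.example/go
10.0.0.5 302 http://r1.example/go http://r2.example/x
10.0.0.5 302 http://r2.example/x http://k3jd8s.example/q1
10.0.0.5 200 http://k3jd8s.example/q1 -
10.0.0.9 302 http://shop.example/old http://shop.example/new
10.0.0.9 200 http://shop.example/new -
"""

KNOWN_HOSTS = {"news.example", "shop.example"}  # constructed allow-list of familiar hosts


def parse(log):
    rows = []
    for line in log.splitlines():
        client, status, url, location = line.split()
        rows.append((client, int(status), url, None if location == "-" else location))
    return rows


def find_redirect_chains(rows, min_hops=3, known_hosts=KNOWN_HOSTS):
    """Flag per-client 302 chains of at least min_hops that land on an unfamiliar host.
    The check is keyed on redirect behaviour, not on the URI text, so a rotating
    landing URI does not defeat it."""
    alerts = []
    chains = defaultdict(list)  # client -> URLs of the chain currently being followed
    for client, status, url, location in rows:
        chain = chains[client]
        if chain and url != chain[-1]:
            chain.clear()  # request did not follow the previous Location: chain broke
        if status == 302 and location:
            if not chain:
                chain.append(url)  # a chain starts at the first redirecting URL
            chain.append(location)
        elif chain:
            hops = len(chain) - 1  # final non-302 response closes the chain
            host = urlsplit(url).hostname
            if hops >= min_hops and host not in known_hosts:
                alerts.append({"client": client, "hops": hops,
                               "landing_host": host, "chain": list(chain)})
            chain.clear()
    return alerts
```

Raising `min_hops` or widening the allow-list tunes the false-positive rate against legitimate redirect chains such as the two-hop shop.example example in the sample log.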
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense