First
At the end of August 2018, we observed a new Exploit Kit. Its behavior (code generation using html) and URL pattern are similar to Nuclear Pack Exploit Kit. Therefore we named it "Fallout Exploit Kit". Fallout Exploit Kit is using CVE-2018-4878 and CVE-2018-8174. That code is distinctive and interesting.Traffic
On the afternoon of August 29th, we met the Fallout Exploit Kit when we are crawling ad-networks using Japanese IP address.
Accessing their landing page will read the exploit code of CVE-2018-8174 consisting of large span tag and the exploit code of CVE-2018-4878 consisting of object tag.
CVE-2018-4878
The swf file read by the object tag uses CVE-2018-4878.
The swf file is very similar to PoC.
CVE-2018-8174
The large span tag is VBScript code encoded with custom Base64, it is decoded with JavaScript and executed by "ExecuteGlobal" of VBScript.
If execution fails, change window.location. The redirect destination loads the landing page again. If it fails, the dummy website will be displayed.
The decoded result is obfuscated PoC of CVE-2018-8174. The basic structure does not change.
Shellcode generation processing which is the core of this exploit code is encoded by custom Base64.
Shellcode
The shell code flow is as follows.[Download Encoded Payload] -> [Decode Payload] -> [Execute]
stage1:
Shellcode was further encoded by xor 0x43.
In the decoded code, the following URL is hard-coded. In this case, malware download URL is "http[:]//naosecgomosec[.]gq/Elisions-Riboza-Rigwiddy-Heapstead/8275tv9/PMJqV/Begirdle.cfml?2TV5pG=hOqeWMno&OIfd64x=Shallops_Summative_1050_Parvenu".
stage2:
Shellcode used the ror13AddUpperDllnameHash32 algorithm for the API hash.
Here is a list of hashed APIs.
The download payload is encoded. Payload is encoded using xor with hard-coded key. In this case, key is "APyfhCxJ". It can be decoded with the algorithm of the following script.
Malware
The exe file executed by shellcode is "Nullsoft Installer self-extracting archive". This will run SmokeLoader and two exe files will be downloaded.
New.exe
This is a .NET binary obfuscated by Eazfuscator .NET. We read this, but we could not find the family name. Probably it is Bot. This program contained strings encrypted by RijndaelManaged.
Searching these strings, we found VK_Intel's tweet. It probably is related.
Calls http://karnevallizdageil[.com/exodus/gate.php -> not sure what this variant is.— Vitali Kremez (@VK_Intel) 2018年6月25日
Loader.exe
It uses vbs and ps1 to create a file called "vstools.exe" and run it.
"vstools.exe" is obfuscated by ".NET Reactor". When decoding it, you can see that it is CoalaBot.
IOC
Fallout Exploit Kit
- naosecgomosec.gq (185.243.112.198)
- c148012f9ce59daea1abce2cfaac9c0732e86b7eb00468222b63436306c39d26
Nullsoft Installer self-extracting archive
- 60d8c76564e9c6ca8435b8e83be9743cc7793091856d7d624eb5f899d055024a
SmokeLoader
- killermansopitu.com (185.177.23.245)
- 6626c19e3f0d2fa6d2a16dcda9e3907c1af6acb223d58815ff6bb8f538b698f4
- 6625c5281a46079b5f9b20ded3426d2022a4f796f2325878bdc59d6bb9c7c36c
- 5b5a961e9f5bc9e8adc9562caa8c6e99be456fa211d9df7df996b2a18e896d74
- 82.196.2.225
- 185.170.43.95
Bot (New.exe)
- 845888758736860a37b969cadcbaa6ed8f7db601c3597ecae477331bf6b81eb4
- karnevallizdageil.com (185.239.238.204)
- idontlikeitwhenyoudoit.ru
- merhabaslm.su
- ichockealotkrug.com
- wheniseeyourdedows.com
- justreggitifyouknowit.ru
- himynameisnoah.su
- iliketopunchnoah.com
CoalaBot
- 65f85f643efdcde095b905aabbaa40fbdae89a0209614ada8f43f1d6295f7045
- 185.170.43.95
