- Researchers warn that kits like the Fallout are still out there and fully active.
- People browsing compromised websites may end up having ransomware or infostealers installed on their systems.
- The infection happens automatically, requiring no further action from the visitor of the website.
Unsuspected wanderers of the internet are still falling victims of the Fallout exploit kit which was first spotted in the wild about five months ago. Fallout is lurking in compromised websites, having entered thereby exploiting known vulnerabilities and having installed malware on the host. The visitors of the compromised website are running the risk of getting infected by ransomware or infostealers, and in the case of the Fallout kit, researchers from the Cybereason firm are warning that it’s currently the GandCrab ransomware and the AZORult infostealer.
The infection happens simply by browsing a compromised web page, with no further action required by the victim. The malicious code runs automatically to download the malware onto the visitor’s machine, and then the malware executes in the background. Through XSS or Flash Player exploits, the actors set up multiple redirections that lead the victim to the desired landing page which then triggers the infection code. According to the researchers, most of the compromised pages are to be found in porn websites due to the high popularity of these sites, as well as the fact that many of their web admins don’t update their 3rd party tools and plugins.
Once access to the victim’s machine has been established, Fallout executes a PowerShell instance to run base64-encoded commands to execute the final payload. Using PowerShell helps avoid AV detection, or more specifically, the Antimalware Scan Interface protection in Windows. Of the two payloads, the GandGrab has been dealt with by BitDefender recently, and while people will still have to go through the tedious process of decrypting their files, the menace of the crab is no longer an effective one. Contrariwise, the AZORult payload is a much more problematic one for those unlucky to receive it.
AZORult can steal bitcoin wallet IDs, steal locally stored files, saved or cached login credentials and the associated data, web cookies from a set of different browsers, and more. It’s an actively developed infostealer that is popular among cyber-crooks, being used in sextortion campaigns, email spamming campaigns, and even fake VPN products. To tackle the problem of riskful browsing, people need to use robust anti-malware tools from reputable vendors, and web admins need to make sure that their software is up to date and that they are using only the components and 3rd party software that they really need.