
Rewterz Threat Alert – Fallout Exploit Kit and Raccoon Stealer – IoCs

Severity

Medium

Analysis Summary

Fallout Exploit Kit is typically used to deliver ransomware (GandCrab, Kraken, Maze, Minotaur, Matrix and Stop), banking Trojans (DanaBot), information stealers (Raccoon Stealer, AZORult, Vidar) and other malware.
It is currently being used to deliver Raccoon Stealer. The exploit kit reaches vulnerable systems through malicious ads. Because of the complex redirection chains that ad services provide, malvertising remains an extremely effective vector for delivering exploits and, ultimately, malware. The initial redirection to the Fallout EK is performed via malvertising, using a dedicated ad server that serves malicious redirects. From the malicious ad, the browser is redirected to the exploit kit’s landing page. That page loads further JavaScript, after which VBScript and Flash exploits are delivered to vulnerable browsers.


Finally, an encoded PowerShell script is downloaded and executed, which in turn downloads the malware payload and launches it. The payload, Raccoon Stealer, steals passwords and cryptocurrency-wallet data. The stolen data, together with machine and OS information, is packed into a Log.zip file and exfiltrated.

Impact

  • Credential theft
  • Theft of auto-fill information and cookies
  • Crypto-wallet credential theft

Indicators of Compromise

Domain Names

  • yourfirmware[.]biz
  • comicsansfont[.]com
  • gonzalesnotdie[.]com
  • gorgantuaisastar[.]com

Malware Hashes

MD5

  • 97d329f9a8ba40cc6b6dd1bb761cbe5c
  • d490bd6184419561350d531c6c771a50

SHA256

  • 2db1b7d63e7dd9c7c5c949e9d80470419ef977849bf5419785729442e9ea7d44
  • 1e33e3aa6404a00978e10ffe9879f68f09c38ddb44533905cc733a7703b771d6

Source IP

  • 34[.]77[.]205[.]80

URL

  • hxxp[:]//91[.]90[.]192[.]214/JwVDfp
  • hxxp[:]//172[.]105[.]36[.]165/kr/url[.]php

Affected Products

  • Google Chrome
  • Google Chrome Canary
  • Vivaldi
  • Xpom
  • Comodo Dragon
  • Amigo
  • Orbitum
  • Opera
  • Bromium
  • Nichrome
  • Sputnik
  • Kometa
  • uCoz Uran
  • RockMelt
  • 7Star
  • Epic Privacy Browser
  • Elements Browser
  • CocCoc
  • TorBro
  • Shuhba
  • CentBrowser
  • Torch
  • Chedot
  • Superbird
  • Mozilla Firefox
  • Waterfox
  • SeaMonkey
  • Pale Moon

Remediation

  • Block threat indicators at their respective controls.
  • Do not visit suspicious websites displayed in random ads found on legitimate websites.
  • Keep the mentioned browsers patched and updated to the latest versions.
  • Avoid executing any files that are downloaded upon redirection.
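As an added example that is not part of the advisory, the Python below refangs the indicators listed above and checks them against constructed sample proxy-log and file-hash lines, the kind of check a SOC runs when blocking these indicators at its controls. The log formats and sample lines are assumed; the indicators themselves are copied from the sections above.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the advisory above, still in defanged form.
DEFANGED_HOSTS = ["yourfirmware[.]biz", "comicsansfont[.]com", "gonzalesnotdie[.]com",
                  "gorgantuaisastar[.]com", "34[.]77[.]205[.]80"]
DEFANGED_URLS = ["hxxp[:]//91[.]90[.]192[.]214/JwVDfp",
                 "hxxp[:]//172[.]105[.]36[.]165/kr/url[.]php"]
HASHES = {"97d329f9a8ba40cc6b6dd1bb761cbe5c", "d490bd6184419561350d531c6c771a50",
          "2db1b7d63e7dd9c7c5c949e9d80470419ef977849bf5419785729442e9ea7d44",
          "1e33e3aa6404a00978e10ffe9879f68f09c38ddb44533905cc733a7703b771d6"}

def refang(indicator: str) -> str:
    """Undo the common defanging: [.] -> ., [:] -> :, leading hxxp -> http."""
    return re.sub(r"^hxxp", "http", indicator.replace("[.]", ".").replace("[:]", ":"))

# Hosts to block or alert on: the listed hosts plus the host of each listed URL.
BLOCKED_HOSTS = {refang(h) for h in DEFANGED_HOSTS} | {
    urlsplit(refang(u)).hostname for u in DEFANGED_URLS}

# Constructed sample proxy log (assumed format): "<time> <client> <method> <url> <status>".
PROXY_LOG = """\
2019-10-15T10:21:58Z 10.0.0.5 GET http://news.example.net/index.html 200
2019-10-15T10:22:01Z 10.0.0.5 GET http://comicsansfont.com/ads/redir.js 200
2019-10-15T10:22:03Z 10.0.0.5 GET http://172.105.36.165/kr/url.php 200
2019-10-15T10:22:09Z 10.0.0.5 POST http://34.77.205.80/gate 200
"""
# Constructed sample endpoint inventory (assumed format): "<path> <hash>" per line.
HASH_LOG = """\
C:\\Users\\alice\\Downloads\\setup.exe 97D329F9A8BA40CC6B6DD1BB761CBE5C
C:\\Windows\\System32\\notepad.exe 0f4d3a5c2b1e9f8a7d6c5b4a3f2e1d0c
"""

def scan_proxy_log(text: str) -> list:
    """Return (line_number, host) for every request whose host is listed."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) >= 4 and urlsplit(fields[3]).hostname in BLOCKED_HOSTS:
            hits.append((n, urlsplit(fields[3]).hostname))
    return hits

def scan_hash_log(text: str) -> list:
    """Return (path, hash) for every file whose MD5 or SHA256 is listed."""
    hits = []
    for line in text.splitlines():
        path, _, digest = line.rpartition(" ")
        if digest.lower() in HASHES:
            hits.append((path, digest.lower()))
    return hits
```

Hash comparison is case-insensitive because endpoint tools emit digests in either case; host matching uses the parsed hostname so a port or path in the logged URL does not hide a hit.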