{
	"id": "9ca231ef-14eb-427c-baea-18b260fd03d0",
	"created_at": "2026-04-06T00:22:16.49153Z",
	"updated_at": "2026-04-10T13:12:24.438181Z",
	"deleted_at": null,
	"sha1_hash": "99b085d0e6d5e81180b269ec9dd3bc49e7988c40",
	"title": "Fallout Exploit Kit Used in Malvertising Campaign to Deliver GandCrab Ransomware | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2337917,
	"plain_text": "Fallout Exploit Kit Used in Malvertising Campaign to Deliver GandCrab Ransomware | Mandiant\r\nBy Mandiant\r\nPublished: 2018-09-06 · Archived: 2026-04-02 10:56:07 UTC\r\nWritten by: Manish Sardiwal, Muhammad Umair, Zain Gardezi\r\nTowards the end of August 2018, FireEye identified a new exploit kit (EK) that was being served up as part of a malvertising campaign affecting users in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region. The first instance of the campaign was observed on Aug. 24, 2018, on the domain finalcountdown[.]gq. Tokyo-based researchers “nao_sec” identified an instance of this campaign on Aug. 29, and in their own blog post they refer to the exploit kit as Fallout Exploit Kit. As part of our research, we observed additional domains, regions, and payloads associated with the campaign. Besides SmokeLoader being distributed in Japan, which is mentioned in the nao_sec blog post, we observed GandCrab ransomware being distributed in the Middle East, which is the focus of this blog post.\r\nFallout EK fingerprints the user's browser profile and delivers malicious content only if the profile matches a target of interest. If successfully matched, the user is redirected from a genuine advertiser page, via multiple 302 redirects, to the exploit kit landing page URL. The complete chain from the legitimate domain, through the cushion domains, to the exploit kit landing page is shown in Figure 1.\r\nFigure 1: Malvertisement redirection to Fallout Exploit Kit landing page\r\nThe main ad page prefetches the cushion domain links while loading the ad and uses the tag to load separate links in cases where JavaScript is disabled in the browser (Figure 2).\r\nhttps://www.mandiant.com/resources/blog/fallout-exploit-kit-used-in-malvertising-campaign-to-deliver-gandcrab-ransomware\r\nPage 1 of 16\r\nFigure 2: Content in the first ad page\r\nIn regions not mentioned earlier in this blog post, the ‘link rel=\"dns-prefetch\" href’ tag has a different value and the ad does not lead to the exploit kit. The complete chain of redirection via 302 hops is shown in Figure 3, Figure 4 and Figure 5.\r\nFigure 3: 302 redirect to exploit kit controlled cushion servers\r\nFigure 4: Another redirection before exploit kit landing page\r\nFigure 5: Last redirect before user reaches exploit kit landing page\r\nURIs for the landing page keep changing and are too generic to form a pattern, which makes detection harder for IDS solutions that rely on matching particular patterns.\r\nDepending on the browser/OS profile and the location of the user, the malvertisement either delivers the exploit kit or tries to reroute the user to other social engineering campaigns. For example, in the U.S. on a fully patched macOS system, the malvertising redirects users to social engineering attempts similar to those shown in Figure 6 and Figure 7.\r\nFigure 6: Fake AV prompt for Mac users\r\nFigure 7: Fake Flash download prompt\r\nThe strategy is consistent with the rise of social engineering attempts FireEye has been observing for some time, where bad actors use them to target users on fully patched systems, or on any OS/software profile that is not a viable target for exploitation of a software vulnerability. The malvertisement redirect involved in the campaign has also been abused heavily in many social engineering campaigns in North America.\r\nFireEye Dynamic Threat Intelligence (DTI) shows that this campaign has triggered alerts from customers in the government, telecom and healthcare sectors.\r\nLanding Page\r\nInitially, the landing page only contained code for a VBScript vulnerability (CVE-2018-8174). However, Flash embedding code was later added for more reliable execution of the payload.\r\nThe landing page keeps the VBScript code as Base64 encoded text in the ‘’ tag. It loads a JScript function when the page loads, which decodes the next stage VBScript code and executes it using the VBScript ExecuteGlobal function (Figure 8).\r\nFigure 8: Snippet of landing page\r\nFigure 9 shows the JScript function that decodes the malicious VBScript code.\r\nFigure 9: Base64 decode function\r\nFlash embedding code is inside the ‘noscript’ tag and loads only when scripts are disabled (Figure 10).\r\nFigure 10: Flash embedding code\r\nFigure 11: Decoded VBScript\r\nThe shellcode downloads an XOR'd payload to the %temp% location, decrypts it, and executes it (Figure 12).\r\nFigure 12: XOR binary transfer that decrypts to 4072690b935cdbfd5c457f26f028a49c\r\nPayload Analysis (4072690b935cdbfd5c457f26f028a49c)\r\nThe malware contains PE loader code that is used for initial loading and final payload execution (Figure 13).\r\nFigure 13: Imports resolver from the PE loader\r\nThe unpacked DLL 83439fb10d4f9e18ea7d1ebb4009bdf7 starts by initializing a structure of function pointers to the malware's core functionality (Figure 14).\r\nFigure 14: Core structure populated with function pointers\r\nIt then enumerates all running processes, computes the CRC32 checksum of each process name, and tries to match them against a list of blacklisted checksums. The list of checksums and their corresponding process names is given in Table 1.\r\nCRC32 Checksum | Process Name\r\n99DD4432h | vmwareuser.exe\r\n2D859DB4h | vmwareservice.exe\r\n64340DCEh | vboxservice.exe\r\n63C54474h | vboxtray.exe\r\n349C9C8Bh | Sandboxiedcomlaunch.exe\r\n5BA9B1FEh | procmon.exe\r\n3CE2BEF3h | regmon.exe\r\n3D46F02Bh | filemon.exe\r\n77AE10F7h | wireshark.exe\r\n0F344E95Dh | netmon.exe\r\n278CDF58h | vmtoolsd.exe\r\nTable 1: Blacklisted checksums\r\nIf any process checksum matches, the malware goes into an infinite loop, effectively becoming benign from this point onward (Figure 15).\r\nFigure 15: Blacklisted CRC32 check\r\nIf this check passes, a new thread is started in which the malware first acquires \"SeShutdownPrivilege\" and checks its own image path, OS version, and architecture (x86/x64). For OS version 6.3 (Windows 8.1/Windows Server 2012), the following steps are taken:\r\n- Acquire \"SeTakeOwnershipPrivilege\", and take ownership of \"C:\\Windows\\System32\\ctfmon.exe\"\r\n- If running under WoW64, disable WoW64 redirection via Wow64DisableWow64FsRedirection to be able to replace the 64-bit binary\r\n- Replace \"C:\\Windows\\System32\\ctfmon.exe\" with a copy of itself\r\n- Check whether \"ctfmon.exe\" is already running. If not, add itself to startup through the registry key \"\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"\r\n- Call ExitWindowsEx to reboot the system\r\nIn other OS versions, the following steps are taken:\r\n- Acquire \"SeTakeOwnershipPrivilege\", and take ownership of \"C:\\Windows\\System32\\rundll32.exe\"\r\n- If running under WoW64, disable WoW64 redirection via Wow64DisableWow64FsRedirection to be able to replace the 64-bit binary\r\n- Replace \"C:\\Windows\\System32\\rundll32.exe\" with a copy of itself\r\n- Add itself to startup through the registry key \"\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"\r\n- Call ExitWindowsEx to reboot the system\r\nIn either case, if the malware fails to replace the system file successfully, it copies itself to the locations listed in Table 2 and executes the copy via ShellExecuteW.\r\nDump Path | Dump Name\r\n%APPDATA%\\Microsoft | {random alphabets}.exe\r\n%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup | {random alphabets}.pif\r\nTable 2: Alternate dump paths\r\nOn execution the malware checks whether it is running as ctfmon.exe/rundll32 or as one of the executables in Table 2. If this check passes, the downloader branch starts executing (Figure 16).\r\nFigure 16: Downloader code execution after image path checks\r\nA mutex \"Alphabeam ldr\" is created to prevent multiple executions. The payload URL is decoded here: the encoded data is copied to a blob via mov operations (Figure 17).\r\nFigure 17: Encoded URL being copied\r\nA 32-byte multi-XOR key is set up with the algorithm shown in Figure 18.\r\nFigure 18: XOR key generation\r\nXOR Key (83439fb10d4f9e18ea7d1ebb4009bdf7): { 0x25, 0x24, 0x60, 0x67, 0x00, 0x20, 0x23, 0x65, 0x6c, 0x00, 0x2f, 0x2e, 0x6e, 0x69, 0x00, 0x2a, 0x35, 0x73, 0x76, 0x00, 0x31, 0x30, 0x74, 0x73, 0x00, 0x3c, 0x3f, 0x79, 0x78, 0x00, 0x3b, 0x3a }\r\nFinally, the actual decoding is done using PXOR with XMM registers (Figure 19).\r\nFigure 19: Payload URL XOR decoding\r\nThis leads the way for the downloader switch loop to execute (Figure 20).\r\nFigure 20: Response/Download handler\r\nTable 3 shows a breakdown of HTTP requests, their expected responses (where body = HTTP response body), and the corresponding actions.\r\nRequest # | Request URL | Expected response body+0x0 | body+0x4 | body+0x7 | Action\r\n1 | hxxp://91[.]210.104.247/update.bin | 0x666555 | 0x0 | url for request #2 | Download payload via request #2, verify MZ and PE header, execute via CreateProcessW\r\n1 | hxxp://91[.]210.104.247/update.bin | 0x666555 | 0x1 | N/A | Supposed to be executing already downloaded payload via CreateProcess. However, the functionality has been short-circuited; instead, it does nothing and continues the loop after a sleep\r\n1 | hxxp://91[.]210.104.247/update.bin | 0x666555 | 0x2 | url for request #2 | Download payload via request #2, verify MZ and PE header, load it manually in native process space using its PE loader module\r\n1 | hxxp://91[.]210.104.247/update.bin | 0x666555 | 0x3 | N/A | Supposed to be executing already downloaded payload via its PE loader. However, the functionality has been short-circuited; instead, it does nothing and continues the loop after a sleep\r\n1 | hxxp://91[.]210.104.247/update.bin | 0x666555 | 0x4 | url for request #3 | Perform request #3\r\n1 | hxxp://91[.]210.104.247/update.bin | N/A | N/A | N/A | Sleep for 10 minutes and continue from request #1\r\n2 | from response #1 | PE payload | N/A | N/A | Execute via CreateProcessW or internal PE loader, depending on previous response\r\n3 | from response #1 | N/A | N/A | N/A | No action taken. Sleep for 10 minutes and start with request #1\r\nTable 3: HTTP requests, responses, and actions\r\nThe request sequence leads to GandCrab ransomware being fetched and manually loaded into memory by the malware. Figure 21 and Figure 22 show sample request #1 and request #2 respectively, leading to the download and execution of GandCrab (8dbaf2fda5d19bab0d7c1866e0664035).\r\nFigure 21: Request #1 fetching initial command sequence from payload URL\r\nFigure 22: Request #2 downloads GandCrab ransomware that gets manually loaded into memory\r\nConclusion\r\nIn recent years, arrests and disruptions of underground operations have led to exploit kit activity declining heavily. Still, exploit kits pose a significant threat to users who are not running fully patched systems. Nowadays we see more exploit kit activity in the Asia Pacific region, where users tend to have more vulnerable software. Meanwhile, in North America, the focus tends to be on more straightforward social engineering campaigns.\r\nFireEye Network Security detects all exploits, social engineering campaigns, malware, and command and control communication mentioned in this post. MVX technology used in multiple FireEye products detects the first stage and second stage malware described in this post.\r\nIndicators of Compromise\r\nDomain / IP / Address / Filename | MD5 Hash Or Description\r\nfinalcountdown.gq, naosecgomosec.gq, ladcbteihg.gq, dontneedcoffee.gq | Exploit kit domains\r\n78.46.142.44, 185.243.112.198 | Exploit kit IPs\r\n47B5.tmp | 4072690b935cdbfd5c457f26f028a49\r\nhxxp://46.101.205.251/wt/ww.php, hxxp://107.170.215.53/workt/trkmix.phpdevice=desktop\u0026country=AT\u0026connection.type=BROADBAND\u0026clickid=58736927880257537\u0026countryname=Austria\u0026browser=ie\u0026browserversion=11\u0026carrier=%3F\u0026cost=0.0004922\u0026isp=BAXALTA+INCORPORATED+ASN\u0026os=windows\u0026osversion=6.1\u0026useragent=Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0%29+like+Gecko\u0026campaignid=1326906\u0026language=de\u0026zoneid=1628971 | Redirect URL examples used between malvertisement and exploit kit controlled domains\r\n91.210.104[.]247/update.bin | Second stage payload download URL\r\n91.210.104[.]247/not_a_virus.dll | 8dbaf2fda5d19bab0d7c1866e066403 Second stage payload (GandCrab ransomware)\r\nAcknowledgements\r\nWe would like to thank Hassan Faizan for his contributions to this blog post.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.mandiant.com/resources/blog/fallout-exploit-kit-used-in-malvertising-campaign-to-deliver-gandcrab-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/fallout-exploit-kit-used-in-malvertising-campaign-to-deliver-gandcrab-ransomware"
	],
	"report_names": [
		"fallout-exploit-kit-used-in-malvertising-campaign-to-deliver-gandcrab-ransomware"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434936,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/99b085d0e6d5e81180b269ec9dd3bc49e7988c40.pdf",
		"text": "https://archive.orkl.eu/99b085d0e6d5e81180b269ec9dd3bc49e7988c40.txt",
		"img": "https://archive.orkl.eu/99b085d0e6d5e81180b269ec9dd3bc49e7988c40.jpg"
	}
}