Fallout Exploit Kit Used in Malvertising Campaign to Deliver GandCrab
Ransomware | Mandiant
By Mandiant
Published: 2018-09-06 · Archived: 2026-04-02 10:56:07 UTC
Written by: Manish Sardiwal, Muhammad Umair, Zain Gardezi
Towards the end of August 2018, FireEye identified a new exploit kit (EK) that was being served up as part of a malvertising
campaign affecting users in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region.
The first instance of the campaign was observed on Aug. 24, 2018, on the domain finalcountdown[.]gq. Tokyo-based
researchers “nao_sec” identified an instance of this campaign on Aug. 29, and in their own blog post they refer to the exploit
kit as Fallout Exploit Kit. As part of our research, we observed additional domains, regions, and payloads associated with
the campaign. Other than SmokeLoader being distributed in Japan, which is mentioned in the nao_sec blog post, we
observed GandCrab ransomware being distributed in the Middle East, which we will be focusing on in this blog post.
Fallout EK fingerprints the user browser profile and delivers malicious content if the user profile matches a target of interest.
If successfully matched, the user is redirected from a genuine advertiser page, via multiple 302 redirects, to the exploit kit
landing page URL. The complete chain from legit domain, cushion domains, and then to the exploit kit landing page is
shown in Figure 1.
Figure 1: Malvertisement redirection to Fallout Exploit Kit landing page
The main ad page prefetches cushion domain links while loading the ad and uses the tag to load separate links in cases
where JavaScript is disabled in a browser (Figure 2).
https://www.mandiant.com/resources/blog/fallout-exploit-kit-used-in-malvertising-campaign-to-deliver-gandcrab-ransomware
Page 1 of 16

Figure 2: Content in the first ad page
In regions not mentioned earlier in this blog post, the ‘link rel="dns-prefetch" href”’ tag has a different value and the ad does
not lead to the exploit kit. The complete chain of redirection via 302 hops is shown in Figure 3, Figure 4 and Figure 5.
Figure 3: 302 redirect to exploit kit controlled cushion servers
https://www.mandiant.com/resources/blog/fallout-exploit-kit-used-in-malvertising-campaign-to-deliver-gandcrab-ransomware
Page 2 of 16

Figure 4: Another redirection before exploit kit landing page
Figure 5: Last redirect before user reaches exploit kit landing page
URIs for the landing page keep changing and are too generic for a pattern, making it harder for IDS solutions that rely on
detections based on particular patterns.
Depending on browser/OS profiles and the location of the user, the malvertisement either delivers the exploit kit or tries to
reroute the user to other social engineering campaigns. For example, in the U.S. on a fully patched macOS system,
malvertising redirects users to social engineering attempts similar to those shown in Figure 6 and Figure 7.
https://www.mandiant.com/resources/blog/fallout-exploit-kit-used-in-malvertising-campaign-to-deliver-gandcrab-ransomware
Page 3 of 16

Figure 6: Fake AV prompt for Mac users
Figure 7: Fake Flash download prompt
The strategy is consistent with the rise of social engineering attempts FireEye has been observing for some time, where bad
actors use them to target users that are on fully patched systems or any OS/software profile that is not ideal for any exploit
attempts due to software vulnerability. The malvertisement redirect involved in the campaign has been abused heavily in
many social engineering campaigns in North America as well.
FireEye Dynamic Threat Intelligence (DTI) shows that this campaign has triggered alerts from customers in the government,
telecom and healthcare sectors.
Landing Page
https://www.mandiant.com/resources/blog/fallout-exploit-kit-used-in-malvertising-campaign-to-deliver-gandcrab-ransomware
Page 4 of 16

Initially, the landing page only contained code for a VBScript vulnerability (CVE-2018-8174). However, Flash embedding
code was later added for more reliable execution of the payload.
The landing page keeps the VBScript code as Base64 encoded text in the ‘’ tag. It loads a JScript function when the page
loads, which decodes the next stage VBScript code and executes it using the VBScript ExecuteGlobal function (Figure 8).
Figure 8: Snippet of landing page
Figure 9 shows the JScript function that decodes the malicious VBScript code.
Figure 9: Base64 decode function
Flash embedding code is inside the ‘noscript’ tag and loads only when scripts are disabled (Figure 10).
https://www.mandiant.com/resources/blog/fallout-exploit-kit-used-in-malvertising-campaign-to-deliver-gandcrab-ransomware
Page 5 of 16

Figure 10: Flash embedding code
Figure 11: Decoded VBScript
The shellcode downloads a XOR’d payload at %temp% location, decrypts it, and executes it (Figure 12).
https://www.mandiant.com/resources/blog/fallout-exploit-kit-used-in-malvertising-campaign-to-deliver-gandcrab-ransomware
Page 6 of 16

Figure 12: XOR binary transfer that decrypts to 4072690b935cdbfd5c457f26f028a49c
Payload Analysis (4072690b935cdbfd5c457f26f028a49c)
The malware contains PE loader code that is used for initial loading and final payload execution (Figure 13).
Figure 13: Imports resolver from the PE loader
The unpacked DLL 83439fb10d4f9e18ea7d1ebb4009bdf7 starts by initializing a structure of function pointers to the
malware's core functionality (Figure 14).
https://www.mandiant.com/resources/blog/fallout-exploit-kit-used-in-malvertising-campaign-to-deliver-gandcrab-ransomware
Page 7 of 16

Figure 14: Core structure populated with function pointers
It then enumerates all running processes, creates their crc32 checksums, and tries to match them against a list of blacklisted
checksums. The list of checksums and their corresponding process names are listed in Table 1.
CRC32 Checksum Process Name
99DD4432h vmwareuser.exe
2D859DB4h vmwareservice.exe
64340DCEh vboxservice.exe
63C54474h vboxtray.exe
349C9C8Bh Sandboxiedcomlaunch.exe
5BA9B1FEh procmon.exe
3CE2BEF3h regmon.exe
3D46F02Bh filemon.exe
77AE10F7h wireshark.exe
0F344E95Dh netmon.exe
278CDF58h vmtoolsd.exe
Table 1: Blacklisted checksums
If any process checksums match, the malware goes into an infinite loop, effectively becoming benign from this point onward
(Figure 15).
https://www.mandiant.com/resources/blog/fallout-exploit-kit-used-in-malvertising-campaign-to-deliver-gandcrab-ransomware
Page 8 of 16

Figure 15: Blacklisted CRC32 check
If this check passes, a new thread is started in which the malware first acquires "SeShutdownPrivilege" and checks its own
image path, OS version, and architecture (x86/x64). For OS version 6.3 (Windows 8.1/Windows Server 2012), the following
steps are taken:
Acquire "SeTakeOwnershipPrivilege", and take ownership of "C:\Windows\System32\ctfmon.exe"
If running under WoW64, disable WoW64 redirection via Wow64DisableWow64FsRedirection to be able to replace
64-bit binary
Replace "C:\Windows\System32\ctfmon.exe" with a copy of itself
Check whether "ctfmon.exe" is already running. If not, add itself to startup through the registry key
"\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Call ExitWindowsEx to reboot the system
In other OS versions, the following steps are taken:
Acquire "SeTakeOwnershipPrivilege", and take ownership of "C:\Windows\System32\rundll32.exe"
If running under WoW64, disable WoW64 redirection via Wow64DisableWow64FsRedirection to be able to replace
64-bit binary
Replace "C:\Windows\System32\rundll32.exe" with a copy of itself
Add itself to startup through the registry key
"\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Call ExitWindowsEx to reboot the system
In either case, if the malware fails to replace system files successfully, it will copy itself at the locations listed in Table 2, and
executes via ShellExecuteW.
Dump Path Dump Name
https://www.mandiant.com/resources/blog/fallout-exploit-kit-used-in-malvertising-campaign-to-deliver-gandcrab-ransomware
Page 9 of 16

%APPDATA%\Microsoft {random alphabets}.exe
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup {random alphabets}.pif
Table 2: Alternate dump paths
On execution the malware checks if it is running as ctfmon.exe/rundll32 or as an executable in Table 2. If this check passes,
the downloader branch starts executing (Figure 16).
Figure 16: Downloader code execution after image path checks
A mutex "Alphabeam ldr" is created to prevent multiple executions. Here payload URL decoding happens. Encoded data is
copied to a blob via mov operations (Figure 17).
https://www.mandiant.com/resources/blog/fallout-exploit-kit-used-in-malvertising-campaign-to-deliver-gandcrab-ransomware
Page 10 of 16

Figure 17: Encoded URL being copied
A 32-byte multi-XOR key is set up with the algorithm shown in Figure 18.
https://www.mandiant.com/resources/blog/fallout-exploit-kit-used-in-malvertising-campaign-to-deliver-gandcrab-ransomware
Page 11 of 16

Figure 18: XOR key generation
XOR Key
(83439fb10d4f9e18ea7d1ebb4009bdf7)
{ 0x25, 0x24, 0x60, 0x67, 0x00, 0x20, 0x23, 0x65, 0x6c, 0x00, 0x2f,
0x2e, 0x6e, 0x69, 0x00, 0x2a, 0x35, 0x73, 0x76, 0x00, 0x31, 0x30,
0x74, 0x73, 0x00, 0x3c, 0x3f, 0x79, 0x78, 0x00, 0x3b, 0x3a }
Finally, the actual decoding is done using PXOR with XMM registers (Figure 19).
https://www.mandiant.com/resources/blog/fallout-exploit-kit-used-in-malvertising-campaign-to-deliver-gandcrab-ransomware
Page 12 of 16

Figure 19: Payload URL XOR decoding
This leads the way for the downloader switch loop to execute (Figure 20).
Figure 20: Response/Download handler
Table 3 shows a breakdown of HTTP requests, their expected responses (where body = HTTP response body), and
corresponding actions.
Request
#
Request URL
(Expected
Response)
body+0x0
body+0x4 body+0x7 Action
1 hxxp://91[.]210.104.247/update.bin 0x666555 0x0
url for
request #2
Download payload via
request #2, verify MZ
and PE header, execute
via CreateProcessW
https://www.mandiant.com/resources/blog/fallout-exploit-kit-used-in-malvertising-campaign-to-deliver-gandcrab-ransomware
Page 13 of 16

1 hxxp://91[.]210.104.247/update.bin 0x666555 0x1 N/A
Supposed to be
executing already
downloaded payload via
CreateProcess.
However, the
functionality has been
shortcircuited; instead, it
does nothing and
continues loop after
sleep
1 hxxp://91[.]210.104.247/update.bin 0x666555 0x2
url for
request #2
Download payload via
request #2, verify MZ
and PE header, load it
manually in native
process space using its
PE loader module
1 hxxp://91[.]210.104.247/update.bin 0x666555 0x3 N/A
Supposed to be
executing already
downloaded payload via
its PE loader. However,
the functionality has
been shortcircuited;
instead, it does nothing
and continues loop after
sleep
1 hxxp://91[.]210.104.247/update.bin 0x666555 0x4
url for
request #3
Perform request #3
1 hxxp://91[.]210.104.247/update.bin N/A N/A N/A
Sleep for 10 minutes
and continue from
request #1
2 from response #1 PE payload N/A N/A
Execute via
CreateProcessW or
internal PE loader,
depending on previous
response
3 from response #1 N/A N/A N/A
No action taken. Sleep
for 10 minutes and start
with request #1
Table 3: HTTP requests, responses, and actions
The request sequence leads to GandCrab ransomware being fetched and manually loaded into memory by the malware.
Figure 21 and Figure 22 show sample request #1 and request #2 respectively, leading to the download and execution of
GandCrab (8dbaf2fda5d19bab0d7c1866e0664035).
https://www.mandiant.com/resources/blog/fallout-exploit-kit-used-in-malvertising-campaign-to-deliver-gandcrab-ransomware
Page 14 of 16

Figure 21: Request #1 fetching initial command sequence from payload URL
Figure 22: Request #2 downloads GandCrab ransomware that gets manually loaded into memory
Conclusion
In recent years, arrests and disruptions of underground operations have led to exploit kit activity declining heavily. Still,
exploit kits pose a significant threat to users who are not running fully patched systems. Nowadays we see more exploit kit
activity in the Asia Pacific region, where users tend to have more vulnerable software. Meanwhile, in North America, the
focus tends to be on more straightforward social engineering campaigns.
FireEye Network Security detects all exploits, social engineering campaigns, malware, and command and control
communication mentioned in this post. MVX technology used in multiple FireEye products detects the first stage and
second stage malware described in this post.
https://www.mandiant.com/resources/blog/fallout-exploit-kit-used-in-malvertising-campaign-to-deliver-gandcrab-ransomware
Page 15 of 16

Indicators of Compromise
Domain / IP / Address / Filename MD5 Hash Or Description
finalcountdown.gq, naosecgomosec.gq,
ladcbteihg.gq, dontneedcoffee.gq
Exploit kit domains
78.46.142.44, 185.243.112.198 Exploit kit IPs
47B5.tmp 4072690b935cdbfd5c457f26f028a49
hxxp://46.101.205.251/wt/ww.php
hxxp://107.170.215.53/workt/trkmix.phpdevice=desktop&country=AT&connection.type=
BROADBAND&clickid=58736927880257537&countryname=
Austria&browser=ie&browserversion=11&carrier=%3F&cost=0.0004922&isp=
BAXALTA+INCORPORATED+ASN&os=windows&osversion=6.1&useragent=
Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B
+rv%3A11.0%29+like+Gecko&campaignid=1326906&language=de&zoneid=1628971
Redirect URL examples used betwee
malvertisement and exploit kit
controlled domains
91.210.104[.]247/update.bin Second stage payload download URL
91.210.104[.]247/not_a_virus.dll
8dbaf2fda5d19bab0d7c1866e066403
Second stage payload (GandCrab
ransomware)
Acknowledgements
We would like to thank Hassan Faizan for his contributions to this blog post.
Posted in
Threat Intelligence
Security & Identity
Source: https://www.mandiant.com/resources/blog/fallout-exploit-kit-used-in-malvertising-campaign-to-deliver-gandcrab-ransomware
https://www.mandiant.com/resources/blog/fallout-exploit-kit-used-in-malvertising-campaign-to-deliver-gandcrab-ransomware
Page 16 of 16