A Chronicle of Fallout

Rintaro Koike, Shota Nakajima/nao_sec

Fallout is currently the most sophisticated Exploit Kit. It appeared in August 2018 and underwent four major updates over the course of a year and its powerful nature make it a prominent threat.

We have seen the evolutionary process from birth to the present day and posted some of the details on our blog. However, not all has been released. For example, the backends, such as their infrastructure and API, are still veiled in secrecy.

In this talk we will present a complete timeline, from the birth of Fallout to present day. First, we will introduce the observational analysis environment, and how we found our samples. We have created an environment that automatically observes and analyzes Drive-by Download attacks. This system is made possible using open-source software. Next, we will expand on the evolution of Fallout and its features, including landing page obfuscation techniques, PowerShell code, and obfuscated shellcode.

Focusing on Fallout v4 (the current version), we will explain in detail the advanced techniques used (Diffie-Hellman key exchange, VM detection and process detection). In addition, we will remove the veil and introduce the API we actually observed in their infrastructure that has never been released before.

Finally, we will categorize the attack campaigns that are using Fallout and present what kind of traffic and what malware has been sent, including IOCs.

November 8 at 10:00 - 10:30, Stage B

Rintaro Koike Rintaro Koike is a Security Analyst at NTT Security (Japan) KK. In addition, he is the founder of “nao_sec” and malicious traffic/script/document analyst. And, he is the speaker/presenter of Japan Security Analyst Conference 2018/19 hosted by JPCERT/CC, SECCON 2018 Conference, HITCON Community 2019 and Black Hat USA 2018 Arsenal.

Shota Nakajima Shota Nakajima is a Security Analyst at Cyber Defense Institute, Inc. in Japan. He has been engaged in malware analysis and incident response. In addition, he belongs to the non-profit cyber security research team (a.k.a. nao_sec) and analyzing malware in the wild. He is the speaker of Japan Security Analyst Conference 2018/2019 hosted by JPCERT/CC and HITCON Community 2019, Black Hat EUROPE 2018 Arsenal Presenter