A new web-based exploit kit calling itself Lord EK was spotted at the beginning of the month as part of a malvertising chain that uses the PopCash ad network.

The exploit kit (EK) leverages a use-after-free vulnerability in Adobe Flash Player and relies on the ngrok service, which tunnels a local server sitting behind NATs and firewalls out to a public hostname over a secure connection. For defenders this matters because the landing-page host is disposable: at the time, free ngrok tunnels lived on randomly generated *.ngrok.io subdomains, so blocking a single hostname buys little.

Work in progress

Discovered by Virus Bulletin researcher Adrian Luca at a time when it was still under development, Lord EK was named so because of a landing page that carried this tag.

The kit's initial payload was njRAT, an old remote access trojan with early variants traced to November 2012 and preferred by Nigerian scammers running business email compromise (BEC) attacks.

A researcher noticed that Lord EK then switched to version 2.0.3 of ERIS, a piece of ransomware delivered in the past by other exploit kits such as RIG and Azera.

According to research from Jérôme Segura of Malwarebytes, the kit uses a compromised website for redirecting to a landing page and it is part of a malvertising chain that uses the PopCash ad network.

The exploit is pushed by a function that first checks for the presence of Flash Player and its version. The second part of the landing-page code collects details about the Flash version installed on the host and geolocation attributes about the victim.
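The Flash check described above, written out as an added example (not Lord EK's landing-page code, which the article does not reproduce): a browser hands back the Flash version in one of two shapes, the ActiveX `$version` string on Internet Explorer ("WIN 31,0,0,153") or the NPAPI/PPAPI plugin description ("Shockwave Flash 31.0 r0", with a full "32.0.0.101" in `plugin.version` on Chrome). The gate parses both and compares against 32.0.0.101, the build Adobe shipped in December 2018 (APSB18-42) for this bug. The `PATCHED_VERSION` constant, the function names and the `unknown` result for the coarse description string are my assumptions about how a careful kit, or a defender replaying a captured landing page, would treat them.

```javascript
// Added example, not code from Lord EK: the Flash-version gate an exploit-kit
// landing page runs before firing a Flash exploit.
// Assumption: 32.0.0.101 is the fixed build (Adobe APSB18-42, December 2018).
const PATCHED_VERSION = [32, 0, 0, 101];

// Parse the three version shapes a browser can return.
// Returns { parts: [major, minor, build, revision], precision } or null.
// precision is 4 when all four fields are known, 2 when only major.minor is.
function parseFlashVersion(s) {
  if (typeof s !== 'string') return null;
  // IE ActiveX: new ActiveXObject("ShockwaveFlash.ShockwaveFlash").GetVariable("$version")
  let m = s.match(/^\s*[A-Z]+\s+(\d+),(\d+),(\d+),(\d+)/);          // "WIN 31,0,0,153"
  if (m) return { parts: m.slice(1, 5).map(Number), precision: 4 };
  // Chrome: navigator.plugins["Shockwave Flash"].version
  m = s.match(/^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$/);                // "32.0.0.101"
  if (m) return { parts: m.slice(1, 5).map(Number), precision: 4 };
  // Firefox and others: navigator.plugins["Shockwave Flash"].description
  m = s.match(/Shockwave Flash\s+(\d+)\.(\d+)/);                    // "Shockwave Flash 31.0 r0"
  if (m) return { parts: [Number(m[1]), Number(m[2]), 0, 0], precision: 2 };
  return null;
}

// Lexicographic compare of the first n fields; -1, 0 or 1.
function compareVersions(a, b, n) {
  for (let i = 0; i < n; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify an installed Flash build relative to the patched release.
// "absent"     -> no parsable Flash version (a kit would skip the exploit)
// "vulnerable" -> strictly older than PATCHED_VERSION
// "patched"    -> PATCHED_VERSION or newer
// "unknown"    -> coarse description string whose major.minor equals the
//                 patched major.minor; build/revision cannot be decided.
function classifyFlash(versionString) {
  const v = parseFlashVersion(versionString);
  if (!v) return 'absent';
  const c = compareVersions(v.parts, PATCHED_VERSION, v.precision);
  if (c < 0) return 'vulnerable';
  if (c > 0) return 'patched';
  return v.precision === 4 ? 'patched' : 'unknown';
}

// What the landing page actually reads in a browser. Returns null outside one
// (Node has no navigator.plugins and no ActiveXObject).
function probeFlashVersionString() {
  if (typeof navigator !== 'undefined' && navigator.plugins) {
    const p = navigator.plugins['Shockwave Flash'];
    if (p) return p.version || p.description;
  }
  if (typeof ActiveXObject !== 'undefined') {
    try {
      return new ActiveXObject('ShockwaveFlash.ShockwaveFlash').GetVariable('$version');
    } catch (e) { /* no Flash ActiveX control installed */ }
  }
  return null;
}

// Constructed sample strings, one per shape, plus the live probe.
const samples = ['WIN 31,0,0,153', 'Shockwave Flash 32.0 r0', '32.0.0.101', probeFlashVersionString()];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', classifyFlash(s));
}
```

The same three reads (`GetVariable("$version")`, `navigator.plugins["Shockwave Flash"]`, a four-field version compare) are what to grep for in captured landing-page JavaScript; the kit's gate and a defender's replay of it are the same code run for opposite reasons.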

The vulnerability (CVE-2018-15982) was first used as a zero-day in an APT attack against the Russian FSBI "Polyclinic #2" medical clinic. Adobe patched it in December 2018, but the exploit was quickly adopted by multiple exploit kits, including Spelevo.

After exploitation, Lord EK redirects the victim to the Google home page, a behavior Segura notes was also observed with Spelevo.

With Flash set to die at the end of 2020, exploit kits may soon dwindle into extinction themselves. However, the author of Lord EK seems to be actively tweaking the kit, says Segura.

"Even though the vulnerabilities for Internet Explorer and Flash Player have been patched and both have a very small market share, usage of the old Microsoft browser still continues in many countries." - Jérôme Segura
