New Lord Exploit Package Pushes njRAT and ERIS Ransomware

New Lord Exploit Package Pushes njRAT and ERIS Ransomware

A brand new equipment for web-based assaults calling itself Lord EK has been noticed originally of the month as a part of a malvertising chain that makes use of the PopCash advert community.

The exploit equipment (EK) leverages a use-after-free vulnerability in Adobe Flash and depends on the ngrok service that may arrange a safe connection to show to the web native servers behind NATs and firewalls.

Work in progress

Found by Virus Bulletin researcher Adrian Luca at a time when it was nonetheless beneath growth, Lord EK was named so due to a touchdown web page that carried this tag.


The equipment’s preliminary payload was njRAT, an outdated distant entry trojan with early variants traced to November 2012 and most well-liked by Nigerian scammers working enterprise electronic mail compromise (BEC) assaults.

A researcher observed that Lord EK then switched to model of ERIS, a chunk of ransomware delivered prior to now by different exploit kits equivalent to RIG and Azera.

In keeping with analysis from Jérôme Segura of Malwarebytes, the equipment makes use of a compromised web site for redirecting to a touchdown web page and it’s a part of a malvertising chain that makes use of the PopCash advert community.

The exploit is pushed by a perform that first checks for the presence of Flash Participant and its model. The second a part of the code within the touchdown web page gathers particulars in regards to the Flash model used on the host advert geo-location attributes in regards to the sufferer.

The vulnerability was used as a zero-day in an APT assault in opposition to the Russian FSBI “Polyclinic #2” medical clinic. Adobe patched it in December 2018 however the exploit was shortly adopted by a number of exploit kits, together with Spelevo.

After exploitation, Lord EK redirects the sufferer to the Google residence web page, Segura notes, including that this habits was additionally noticed with Spelevo.

With Flash set to die on the finish of 2020, exploit kits might quickly dwindle into extinction themselves. Nonetheless, the writer of Lord EK appears to be actively tweaking the equipment, says Segura.

“Though the vulnerabilities for Web Explorer and Flash Participant have been patched and each have a really small market share, utilization of the outdated Microsoft browser nonetheless continues in lots of nations.” – Jérôme Segura

Associated Articles:

Ransomware: Most Standard Malware in Underground Boards

Rig Exploit Package Pushing Eris Ransomware in Drive-by Downloads

New Exploit Package Spelevo Carries Bag of Outdated Methods

Sodinokibi Ransomware Now Pushed by Exploit Kits and Malvertising

The Week in Ransomware – August ninth 2019 – Summer season Doldrums

Leave a Reply

Notify of