Lord Exploit Kit Rises, Delivers njRAT and Eris Ransomware

There’s a new player in the exploit kit landscape. Dubbed Lord, this new exploit kit was initially seen delivering the njRAT malware (detected by Trend Micro as Backdoor.MSIL.BLADABINDI.IND) before distributing the Eris ransomware  (Ransom.Win32.ERIS.C). 

NjRAT is a known information stealer and backdoor whose capabilities are constantly reworked or updated, given how it’s readily shared in the cybercriminal underground. The Eris ransomware, meanwhile, was first seen in May being distributed through a malvertising campaign that employed the Rig exploit kit

[RELATED NEWS:  How a Spam Campaign Is Using Malicious Documents Embedded with Exploit for Adobe Flash Vulnerabilities, Including CVE-2018-15982] 

Lord first checks if the affected system has Adobe Flash Player. If the machine has the software installed, Lord will attempt to use an exploit (Trojan.SWF.CVE201815982.AE) that takes advantage of CVE-2018-15982, a vulnerability in Adobe Flash, to deliver its payload. The vulnerability, patched in December 2018, is also exploited by the Spelevo and Greenflash Sundown exploit kits, the latter of which was recently used by the ShadowGate campaign to spread cryptocurrency-mining malware. As noted in a Trend Micro research on threat hunting via social media, the same vulnerability was involved in an attack that targeted a healthcare organization in Russia. 

Lord was first uncovered by a Virus Bulletin researcher, Adrian Luca, in attack chains that employed malvertising, or the use of malicious or hijacked advertisements to spread malware, on the PopCash ad network. The malvertising component used a compromised site to divert unwitting users into a landing page hosting the exploit kit. 

[READ: Cybercrime and Exploits: Attacks on Unpatched Systems] 

Further analysis by researchers at Malwarebytes noted Lord’s use of ngrok, a service that enables developers to expose their local servers to the internet when testing their applications or websites, to easily generate randomized subdomains. Seldom seen in other exploit kits, this can enable Lord’s operators to simply replace subdomains once they’ve been detected or blocked. 

Also of note is Lord’s redirection of the webpage to Google’s home page after the payload is delivered. Also done by Spelevo, this action can deceive an unwitting user into thinking that nothing is amiss. 

[READ: Exploits as a Service: How the Exploit Kit + Ransomware Tandem Affects a Company’s Bottom Line] 

Lord’s operators are reportedly fine-tuning the exploit kit actively, which means that its payloads, techniques, distribution tactics, and vulnerability exploits will change over time. 

Lord demonstrates how opportunistic exploit kits can be, rehashing old vulnerabilities, proofs of concept, and off-the-shelf malware to ultimately monetize the systems they affect. While exploit kits are no longer as prolific as they were, especially at the peak of their activities from the notorious Angler, their recent reemergence, as with Greenflash Sundown, means they are still a compelling threat. 

That they’re also given to taking advantage of old or known vulnerabilities means they can still bank on the window of exposure between the disclosure of a vulnerability and the release of its patch. The risk is higher for organizations whose systems still use Flash-based content, especially if these systems are needed in maintaining business operations and in storing and managing sensitive data. 

[Security 101: How Virtual Patching can Help Address Security Gaps in the Organization] 

Threats such as those brought by the Lord exploit kit can be thwarted and their effects mitigated through best practices. To that end, here are several security measures that users and businesses should follow:

  • Keep systems regularly patched and updated, or employ virtual patching to secure legacy or out-of-support systems that still use Flash-based content.
  • Enforce the principle of least privilege by restricting or disabling the use of outdated or unnecessary components in the system.
  • Actively monitor systems and networks for suspicious activities. For businesses, enabling firewalls and deploying intrusion detection and prevention systems help prevent threats that exploit vulnerabilities in the network level, while behavior monitoring and application control help prevent suspicious processes from being executed and unauthorized executables from running.

Trend Micro solutions

The Trend Micro™ OfficeScan™ solution with XGen™ endpoint security has Vulnerability Protection, which shields endpoints from identified and unknown vulnerability exploits before patches are even deployed. The Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security solutions protect end users and businesses from threats delivered by exploit kits, detecting and blocking malicious files and all related malicious URLs. 

The Trend Micro™ Deep Security™ and Trend Micro™ Vulnerability Protection solutions also provide virtual patching, which protects servers and endpoints from threats that abuse vulnerabilities in critical applications or websites. They protect user systems from any threats that may exploit CVE-2018-15982 via this DPI rule:

  • 1009405-Adobe Flash Player Use After Free Vulnerability (CVE-2018-15982)

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.