There’s a new player in the exploit kit landscape. Dubbed Lord, this new exploit kit was initially seen delivering the njRAT malware (detected by Trend Micro as Backdoor.MSIL.BLADABINDI.IND) before distributing the Eris ransomware (Ransom.Win32.ERIS.C).
NjRAT is a known information stealer and backdoor whose capabilities are constantly reworked or updated, given how it’s readily shared in the cybercriminal underground. The Eris ransomware, meanwhile, was first seen in May being distributed through a malvertising campaign that employed the Rig exploit kit.
Lord first checks whether the affected system has Adobe Flash Player. If the software is installed, Lord attempts to use an exploit (Trojan.SWF.CVE201815982.AE) for CVE-2018-15982, a vulnerability in Adobe Flash, to deliver its payload. The vulnerability, patched in December 2018, is also exploited by the Spelevo and Greenflash Sundown exploit kits, the latter of which was recently used by the ShadowGate campaign to spread cryptocurrency-mining malware. As noted in Trend Micro research on threat hunting via social media, the same vulnerability was involved in an attack that targeted a healthcare organization in Russia.
Lord was first uncovered by a Virus Bulletin researcher, Adrian Luca, in attack chains that employed malvertising, or the use of malicious or hijacked advertisements to spread malware, on the PopCash ad network. The malvertising component used a compromised site to divert unwitting users into a landing page hosting the exploit kit.
Further analysis by researchers at Malwarebytes noted Lord’s use of ngrok, a service that enables developers to expose their local servers to the internet when testing their applications or websites, to easily generate randomized subdomains. Seldom seen in other exploit kits, this can enable Lord’s operators to simply replace subdomains once they’ve been detected or blocked.
Also of note is Lord’s redirection of the webpage to Google’s home page after the payload is delivered. A technique also used by Spelevo, this can deceive an unwitting user into thinking that nothing is amiss.
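The two traits described above, randomized ngrok subdomains and the post-delivery redirect to Google, are both visible in web proxy logs. The following Python script is an added detection example and is not code from the original article or from Trend Micro. It assumes that ngrok tunnels appear as hostnames under ngrok.io, a simplified space-separated proxy log format, that the Flash payload is requested as a path ending in .swf, and a 30-second window for the follow-on Google request; the sample log lines are constructed.

```python
"""Flag proxy-log activity matching the Lord EK traits described above.

Added example (not code from the original article or from Trend Micro).
Assumptions not taken from the article:
  - ngrok tunnels show up as hostnames under ngrok.io
  - proxy lines are "<epoch> <client_ip> <method> <host> <path> <status>"
  - a Flash payload is requested as a path ending in .swf
  - the sample log lines below are constructed
"""
from collections import defaultdict

NGROK_SUFFIX = ".ngrok.io"                    # assumed tunnel domain
GOOGLE_HOSTS = {"google.com", "www.google.com"}
WINDOW_SECONDS = 30                           # assumed redirect window

# Constructed sample: one client hits an ngrok host, pulls a .swf, then lands on
# Google; another client only touches an ngrok host (could be a developer).
SAMPLE_LOG = """\
1565000001 10.0.0.5 GET ads.example-adnetwork.test /serve 200
1565000003 10.0.0.5 GET a1b2c3d4.ngrok.io /index.php 200
1565000004 10.0.0.5 GET a1b2c3d4.ngrok.io /flash.swf 200
1565000006 10.0.0.5 GET www.google.com / 200
1565000100 10.0.0.9 GET www.google.com / 200
1565000200 10.0.0.7 GET e5f6a7b8.ngrok.io /dev-api 200
"""


def parse_line(line):
    """Split one proxy-log line into a dict (assumed six-field format)."""
    ts, client, method, host, path, status = line.split()
    return {"ts": int(ts), "client": client, "method": method,
            "host": host.lower(), "path": path, "status": status}


def is_ngrok_host(host):
    """True for any randomized subdomain under the assumed ngrok suffix."""
    return host.endswith(NGROK_SUFFIX)


def find_suspicious_sessions(log_text):
    """Group requests per client and score each ngrok host they contacted.

    severity: high   = .swf fetched from the ngrok host AND a Google request
                       within WINDOW_SECONDS after the last ngrok request
              medium = only one of the two indicators
              low    = ngrok host seen, no other indicator (likely benign use)
    """
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            entry = parse_line(line)
            per_client[entry["client"]].append(entry)

    findings = []
    for client, entries in per_client.items():
        entries.sort(key=lambda e: e["ts"])
        ngrok_hosts = {e["host"] for e in entries if is_ngrok_host(e["host"])}
        for host in sorted(ngrok_hosts):
            hits = [e for e in entries if e["host"] == host]
            swf = any(e["path"].lower().endswith(".swf") for e in hits)
            last_ts = max(e["ts"] for e in hits)
            google = any(
                e["host"] in GOOGLE_HOSTS
                and last_ts <= e["ts"] <= last_ts + WINDOW_SECONDS
                for e in entries
            )
            if swf and google:
                severity = "high"
            elif swf or google:
                severity = "medium"
            else:
                severity = "low"
            findings.append({"client": client, "host": host, "swf": swf,
                             "google_redirect": google, "severity": severity})
    return sorted(findings, key=lambda f: (f["client"], f["host"]))


if __name__ == "__main__":
    for f in find_suspicious_sessions(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['client']:10} {f['host']} "
              f"swf={f['swf']} google_redirect={f['google_redirect']}")
```

Because developers legitimately use ngrok, a lone hit on an ngrok hostname is scored "low"; the combination of a .swf fetch and the prompt redirect to Google is what raises a session to "high". The ngrok subdomain itself is never the indicator, since the article notes operators can simply replace it once it is blocked.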
Lord’s operators are reportedly still actively fine-tuning the exploit kit, which means that its payloads, techniques, distribution tactics, and vulnerability exploits will change over time.
Lord demonstrates how opportunistic exploit kits can be, rehashing old vulnerabilities, proofs of concept, and off-the-shelf malware to ultimately monetize the systems they affect. While exploit kits are no longer as prolific as they were at their peak, when the notorious Angler kit was active, their recent reemergence, as with Greenflash Sundown, means they remain a compelling threat.
That they’re also given to taking advantage of old or known vulnerabilities means they can still bank on the window of exposure between the disclosure of a vulnerability and the release of its patch. The risk is higher for organizations whose systems still use Flash-based content, especially if these systems are needed in maintaining business operations and in storing and managing sensitive data.
Threats such as those brought by the Lord exploit kit can be thwarted and their effects mitigated through best practices. To that end, here are several security measures that users and businesses should follow:
Keep systems regularly patched and updated, or employ virtual patching to secure legacy or out-of-support systems that still use Flash-based content.
Enforce the principle of least privilege by restricting or disabling the use of outdated or unnecessary components in the system.