Lord is an exploit kit associated with the older Spelevo kit. Whilst its authors claim it is still in active development, Lord appears to be for sale via dark web forums and has been used in several campaigns.
Lord uses malicious adverts hosted by the PopCash malvertising network to direct users to its landing pages. When a user reaches one of these pages, Lord will execute a script to check for the presence of Adobe Flash Player and determine its version.
A secondary script will collect this information along with network attributes. Lord will then deploy a publicly known Flash Player exploit before downloading and executing the payload on the affected system. At the time of publication, Lord has delivered the njRAT remote access trojan and the Eris ransomware tool, although it is highly likely that other payloads will be seen in future campaigns.
There is a function that checks for the presence and version of the Flash Player, which will ultimately be used to push CVE-2018-15982.
Indicators of Compromise
Lord EK URI patterns
UK based technology professional, with an interest in computer security and telecoms.