Lord Exploit Kit
Lord is an exploit kit associated with the older Spelevo kit. Whilst its authors claim it is still in active development, Lord appears to be for sale via dark web forums and has been used in several campaigns.
Lord uses malicious adverts hosted by the PopCash malvertising network to direct users to its landing pages. When a user reaches one of these pages, Lord will execute a script to check for the presence of Adobe Flash Player and determine its version.
A secondary script will collect this information along with network attributes. Lord will then deploy a publicly known Flash Player exploit before downloading and executing the payload on the affected system. At the time of publication, Lord has delivered the njRAT remote access trojan and the Eris ransomware tool, although it is highly likely that other payloads will be seen in future campaigns.
The landing page contains a function that checks for the presence and version of Flash Player; the result of that check is ultimately used to push CVE-2018-15982.
Indicators of Compromise
Compromised site
liader[.]com[.]ua
Network fingerprinting
extreme-ip-lookup[.]com
Lord EK URI patterns
hxxp[://]7b2cdd48[.]ngrok[.]io/?JBgMXVVbOf9zqgsoOAv5oF3ppFp2d3SK3oQcSU5r4nLSKSDr6Rc377BW5uCV7gCg
hxxp[://]7b2cdd48[.]ngrok[.]io/?bMa7lkcmRJcUVUwJi3[.]swf
hxxp[://]kqocwd6rlzckogdygmbuwq3yctxvcfatkarq5ncpscrcvixad2hxftad[.]onion[.]pet/Server[.]exe
hxxp[://]57189bbb[.]ngrok[.]io/?SRwylMaPXwikMSTUvhoedUFFZ2QTOKTnF387C5uFPuKiqGiiHLCK8iGuB62l4xXC
hxxp[://]57189bbb[.]ngrok[.]io/?rAADEzS60R6ZFE7gCcplytGI0h[.]swf
hxxp[://]81[.]171[.]31[.]247:4567/Server[.]exe
njRAT
26107d42e0d8684f4250628d438fb0869132faa298648feec17b25e5db9a8c3b
Eris ransomware
8c1aaf20e55a5c56498707e11b27d0d8d56dba71b22b77b9a53c34936474441a
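For defenders, the delivery chain described above (compromised site, ngrok-hosted landing page, network fingerprinting, Flash exploit, payload download) and the URI patterns in the IoC list translate directly into proxy-log detection logic. The Python below is an added example written for this post; it is not code from the original article or from the kit. The log-line format and every sample log line are constructed, and the two regular expressions are a generalisation of the published ngrok URIs (eight hex characters as the subdomain, one random token after `/?`, with the Flash stage ending in `.swf`); only the hosts and URIs themselves come from the IoC list.

```python
"""Flag proxy-log requests that match the Lord EK delivery chain.

Added example, not code from the original post or the kit.  Log format and
sample lines are constructed; hosts and URIs come from the post's IoC list.
"""
import re
from collections import defaultdict

# Hosts from the IoC list (defanging removed so they match real log data).
COMPROMISED_SITE = "liader.com.ua"
FINGERPRINT_HOST = "extreme-ip-lookup.com"
ONION_GATEWAY = "kqocwd6rlzckogdygmbuwq3yctxvcfatkarq5ncpscrcvixad2hxftad.onion.pet"
PAYLOAD_IP_PORT = "81.171.31.247:4567"

# URIs exactly as published in the post, kept defanged.
PUBLISHED_URIS = [
    "hxxp[://]7b2cdd48[.]ngrok[.]io/?JBgMXVVbOf9zqgsoOAv5oF3ppFp2d3SK3oQcSU5r4nLSKSDr6Rc377BW5uCV7gCg",
    "hxxp[://]7b2cdd48[.]ngrok[.]io/?bMa7lkcmRJcUVUwJi3[.]swf",
    "hxxp[://]kqocwd6rlzckogdygmbuwq3yctxvcfatkarq5ncpscrcvixad2hxftad[.]onion[.]pet/Server[.]exe",
    "hxxp[://]57189bbb[.]ngrok[.]io/?SRwylMaPXwikMSTUvhoedUFFZ2QTOKTnF387C5uFPuKiqGiiHLCK8iGuB62l4xXC",
    "hxxp[://]57189bbb[.]ngrok[.]io/?rAADEzS60R6ZFE7gCcplytGI0h[.]swf",
    "hxxp[://]81[.]171[.]31[.]247:4567/Server[.]exe",
]

# Generalised from the published ngrok samples (an assumption, not a rule the
# post states): 8-hex ngrok.io subdomain, path "/?" plus one random token.
# Both landing tokens are 64 alphanumerics; the Flash token ends in ".swf".
LANDING_RE = re.compile(r"^https?://[0-9a-f]{8}\.ngrok\.io/\?[A-Za-z0-9]{60,70}$")
FLASH_RE = re.compile(r"^https?://[0-9a-f]{8}\.ngrok\.io/\?[A-Za-z0-9]{10,40}\.swf$")
PAYLOAD_RE = re.compile(
    r"^https?://(?:%s|%s)/Server\.exe$"
    % (re.escape(ONION_GATEWAY), re.escape(PAYLOAD_IP_PORT))
)


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp[://]a[.]b) back into a matchable URL."""
    return ioc.replace("hxxp", "http").replace("[://]", "://").replace("[.]", ".")


def classify(url: str):
    """Return the Lord EK stage a URL belongs to, or None if nothing matches."""
    m = re.match(r"^https?://([^/]+)", url)
    if not m:
        return None
    host = m.group(1).lower()
    if host == COMPROMISED_SITE:
        return "compromised-site"
    if host == FINGERPRINT_HOST:
        return "fingerprint"
    if FLASH_RE.match(url):
        return "flash-exploit"
    if LANDING_RE.match(url):
        return "landing"
    if PAYLOAD_RE.match(url):
        return "payload"
    return None


def scan(log_lines):
    """Parse constructed '<timestamp> <client> <method> <url> <status>' lines
    and return (client, stage, url) for every request that matches a stage."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than crash the sweep
        client, url = parts[1], parts[3]
        stage = classify(url)
        if stage:
            hits.append((client, stage, url))
    return hits


def full_chains(hits):
    """Clients seen fetching landing page, then Flash exploit, then payload in
    that order: the strongest sign the exploit fired and a payload landed."""
    per_client = defaultdict(list)
    for client, stage, _ in hits:
        per_client[client].append(stage)
    required = ["landing", "flash-exploit", "payload"]
    confirmed = []
    for client, stages in per_client.items():
        idx = [stages.index(s) if s in stages else -1 for s in required]
        if min(idx) >= 0 and idx == sorted(idx):
            confirmed.append(client)
    return confirmed


# Constructed proxy log: 10.0.0.7 walks the whole chain; 10.0.0.9 is benign
# traffic that also touches ngrok, to show the pattern is narrower than
# "any ngrok host".
SAMPLE_LOG = [
    "2019-08-01T10:00:01Z 10.0.0.7 GET http://liader.com.ua/ 200",
    "2019-08-01T10:00:03Z 10.0.0.7 GET " + refang(PUBLISHED_URIS[0]) + " 200",
    "2019-08-01T10:00:04Z 10.0.0.7 GET http://extreme-ip-lookup.com/ 200",
    "2019-08-01T10:00:05Z 10.0.0.7 GET " + refang(PUBLISHED_URIS[1]) + " 200",
    "2019-08-01T10:00:09Z 10.0.0.7 GET " + refang(PUBLISHED_URIS[5]) + " 200",
    "2019-08-01T10:00:10Z 10.0.0.9 GET http://example.com/index.html 200",
    "2019-08-01T10:00:11Z 10.0.0.9 GET http://a1b2c3d4.ngrok.io/api/status 200",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for client, stage, url in hits:
        print(f"{client:<10} {stage:<17} {url}")
    print("full chain:", full_chains(hits))
```

A single hit on `extreme-ip-lookup.com` or on an ngrok host is weak evidence on its own, since both services have legitimate users; the value is in `full_chains`, which only raises a client once the landing page, the `.swf` fetch and a `Server.exe` download appear in the order the post describes.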

I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional, with an interest in computer security and telecoms.