New Lord exploit kit exploits Flash Player vulnerability to push ERIS ransomware

• The exploit kit is believed to be a part of a malvertising campaign spread through the PopCash ad network.
• It was found to target a vulnerability in Flash Player in order to drop and execute ERIS ransomware in the machine.

A new exploit kit (EK) named ‘Lord’ was identified in a recent malvertising campaign. Spotted by security expert Adrian Luca, threat actors used the EK to drop and execute ERIS ransomware.

The EK looks for a specific vulnerability in Flash Player in order to execute the payloads. Furthermore, the Lord EK uses the Ngrok tunneling service for creating custom hostnames for the URLs it used.

The big picture

• In a blog, researchers from Malwarebytes highlight the details of the EK who found it to be part of a malvertising campaign run through PopCash ad network.
• It leveraged a compromised website to redirect visitors to a landing page. This page contains a function to check whether Flash Player is installed on compromised machines. It also collects information about the Flash Player version and other network-related details.
• The kit is known to exploit a use-after-free vulnerability (CVE-2018-15982) that exists in older versions of Flash Player which leads to arbitrary code execution.
• Earlier, it was noted that the threat actors deployed njRAT through the EK. However, they have now resorted to distributing ERIS ransomware from this kit.

Malware under active development

Malwarebytes researchers suggest that the threat actors behind Lord EK are making changes for more spread. “It is still too early to say whether this exploit kit will stick around and make a name for itself. However, it is clear that its author is actively tweaking it,” wrote the researchers.