New Lord Exploit Kit Pushes njRAT and ERIS Ransomware


A new kit for web-based attacks calling itself Lord EK was spotted at the beginning of the month as part of a malvertising chain that uses the PopCash ad network.


The exploit kit (EK) leverages a use-after-free vulnerability in Adobe Flash and relies on the ngrok service, which can set up a secure connection that exposes local servers behind NATs and firewalls to the internet.


Work in progress


Discovered by Virus Bulletin researcher Adrian Luca while it was still under development, Lord EK got its name from a landing page that carried this tag.

The kit's initial payload was njRAT, an old remote access trojan whose early variants have been traced to November 2012 and which is preferred by Nigerian scammers running business email compromise (BEC) attacks.


A researcher noticed that Lord EK then switched to version 2.0.3 of ERIS, a piece of ransomware delivered in the past by other exploit kits such as RIG and Azera.


According to research from Jérôme Segura of Malwarebytes, the kit uses a compromised website to redirect to a landing page, and it is part of a malvertising chain that uses the PopCash ad network.


The exploit is pushed by a function that first checks for the presence of Flash Player and its version. The second part of the code in the landin ..
