New Lord exploit kit spreading ‘Eris’ ransomware

Cybersecurity firm Malwarebytes has warned about a new exploit kit, named Lord, which is spreading ransomware via compromised websites.

Lord EK was first spotted on 1st August by Virus Bulletin’s security test engineer Adrian Luca, who concluded that this exploit kit was part of a malvertising chain (via the PopCash ad network), using a compromised site to redirect potential victims to a malicious landing page.

When Malwarebytes investigated Lord EK, it found that its landing page was rudimentary in design and carried the HTML comment “<!-- Lord EK - Landing page -->” at the top left.

As soon as a victim arrives at the page, a function checks whether Flash Player is installed on the victim’s machine and which version is present; that version check decides whether the page goes on to exploit CVE-2018-15982. The page also collects information about other network attributes of the system.

The exploit kit then triggers the vulnerability and runs shellcode that downloads and executes its payload.

According to the researchers, the first payload they saw Lord EK download was njRAT, but it was later observed downloading and executing ERIS ransomware. The threat actors behind Lord EK also used the ngrok service to create custom hostnames for their infrastructure.

After exploitation completed, Lord EK redirected the victim to the Google home page – a behaviour that security researchers had previously observed with the Spelevo exploit kit.
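The chain described above (a Flash check leading to the CVE-2018-15982 exploit, a landing page on an ngrok-generated hostname, and a bounce to Google once exploitation is done) gives a defender two observable indicators in web proxy logs: a Flash object served from a tunnel hostname, and a redirect from that same host straight to google.com. The following script, an added example rather than code from the article or from Malwarebytes, turns those indicators into a triage check. It assumes a simple space-separated proxy log format and ngrok's .ngrok.io tunnel domain; the log lines themselves are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real traffic). Assumed format:
# <timestamp> <client_ip> <method> <url> <status> <content_type>
SAMPLE_LOG = """\
2019-08-01T10:00:01Z 10.0.0.5 GET http://compromised-blog.example/post.html 200 text/html
2019-08-01T10:00:02Z 10.0.0.5 GET http://ads.adnetwork.example/serve 302 text/html
2019-08-01T10:00:03Z 10.0.0.5 GET http://a1b2c3d4.ngrok.io/index.php 200 text/html
2019-08-01T10:00:04Z 10.0.0.5 GET http://a1b2c3d4.ngrok.io/player.swf 200 application/x-shockwave-flash
2019-08-01T10:00:06Z 10.0.0.5 GET http://a1b2c3d4.ngrok.io/ 302 text/html
2019-08-01T10:00:07Z 10.0.0.5 GET https://www.google.com/ 200 text/html
2019-08-01T10:05:00Z 10.0.0.9 GET https://www.google.com/ 200 text/html
2019-08-01T10:06:00Z 10.0.0.9 GET http://x9y8.ngrok.io/app 200 text/html
"""

# ngrok's public tunnel domain; extend with other tunnelling services as needed.
TUNNEL_SUFFIXES = (".ngrok.io",)
FLASH_MIME = "application/x-shockwave-flash"
GOOGLE_HOSTS = {"www.google.com", "google.com"}
# Maximum gap between the tunnel-host redirect and the landing on Google.
REDIRECT_WINDOW = timedelta(seconds=10)


@dataclass
class Event:
    ts: datetime
    client: str
    method: str
    host: str
    path: str
    status: int
    ctype: str


def parse_log(text: str) -> list:
    """Parse the assumed proxy log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, ctype = line.split()
        u = urlparse(url)
        events.append(Event(
            ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            client=client,
            method=method,
            host=(u.hostname or "").lower(),
            path=u.path or "/",
            status=int(status),
            ctype=ctype.lower(),
        ))
    return events


def is_tunnel_host(host: str) -> bool:
    return host.endswith(TUNNEL_SUFFIXES)


def find_lord_ek_sessions(events: list) -> dict:
    """Return {client_ip: [reasons]} for clients whose traffic matches the
    Lord EK chain: Flash content from a tunnel host and/or a redirect from a
    tunnel host that lands on Google within REDIRECT_WINDOW."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e.client].append(e)

    findings = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e.ts)
        reasons = []
        for i, e in enumerate(evs):
            if not is_tunnel_host(e.host):
                continue
            # Indicator 1: a Flash object served from a tunnel hostname.
            if e.ctype == FLASH_MIME or e.path.lower().endswith(".swf"):
                reasons.append(f"Flash object served from tunnel host {e.host}{e.path}")
            # Indicator 2: HTTP redirect from the tunnel host, followed shortly by Google.
            if 300 <= e.status < 400:
                for nxt in evs[i + 1:]:
                    if nxt.ts - e.ts > REDIRECT_WINDOW:
                        break
                    if nxt.host in GOOGLE_HOSTS:
                        gap = int((nxt.ts - e.ts).total_seconds())
                        reasons.append(f"redirect from tunnel host {e.host} to {nxt.host} after {gap}s")
                        break
        if reasons:
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    for client, reasons in find_lord_ek_sessions(parse_log(SAMPLE_LOG)).items():
        print(client)
        for r in reasons:
            print("  -", r)
```

Ordinary ngrok use (client 10.0.0.9 above) produces no finding because neither indicator fires on its own; a tunnel host that serves Flash content and then bounces the browser to Google is what the article describes, and that combination is what gets reported for client 10.0.0.5.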

Malwarebytes claims that users of its software are already protected against this attack. The company added that it has notified Ngrok about the abuse of its service.

Exploit kits are automated threats that use compromised websites to redirect web traffic to a landing page. That page probes the browser and its plugins for vulnerable software that can be used to compromise the PC and run malware on the victim’s machine. Such tools are designed to quietly and automatically exploit security flaws on victims’ systems as they browse the web.

In recent years, exploit kits have become highly popular among criminal groups for spreading remote access tools or malware on a mass scale.

In 2015, researchers at security firm Trustwave revealed details about a new version of the Rig Exploit Kit that claimed more than 1.25 million victims worldwide using Adobe Flash security flaws.

Just last week, researchers at Proofpoint said that they have identified a new proxy malware programme, dubbed SystemBC, which is being distributed through Fallout and RIG exploit kits.

The researchers said they believed the operators of Maze ransomware and the DanaBot banking Trojan likely used exploit kits to infect hosts and then used the proxy capabilities of SystemBC to hide malicious traffic.

Written by C. Aliens
