NEW Flash Exploiting Lord EK Exploit Kit Found in the Wild PCAP Download Traffic Sample Analysis

A newly identified exploit kit is targeting vulnerable versions of Adobe’s Flash Player, Malwarebytes security researchers say.

Dubbed "Lord," the exploit kit (EK) was initially identified by Virus Bulletin's Adrian Luca. The toolkit emerged as part of a malvertising chain via the PopCash ad network.

The EK uses a compromised website to redirect unsuspecting victims to its landing page. Initially, the landing page was rather rudimentary and in clear text, but the toolkit operators quickly moved to obfuscate it.

The landing page has a function to check for the presence of Flash Player, in an attempt to exploit the CVE-2018-15982 vulnerability. One thing that sets the Lord EK apart from other toolkits is its use of the ngrok service to craft custom hostnames, which results in rather unusual URLs.

Source: https://www.securityweek.com/new-lord-exploit-kit-emerges

2019-08-01 13:19:06.834029 IP 10.8.1.102.65094 > 10.8.1.1.53: 46499+ A? 7b2cdd48.ngrok.io. (35)
E..?.s....#.
..f
....F.5.+...............7b2cdd48.ngrok.io.....
2019-08-01 13:19:06.891928 IP 10.8.1.1.53 > 10.8.1.102.65094: 46499 1/0/0 A 3.17.202.129 (51)
E..O!......U

..f.5.F.;...............7b2cdd48.ngrok.io.....................
2019-08-01 13:19:06.892846 IP 10.8.1.102.49160 > 3.17.202.129.80: Flags [S], seq 3866516344, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.t@...!P
..f.......P.v[x...... .s...............
2019-08-01 13:19:06.940656 IP 3.17.202.129.80 > 10.8.1.102.49160: Flags [S.], seq 2902076389, ack 3866516345, win 64240, options [mss 1460], length 0
E..,!.....?.....
..f.P....+..v[y`...........
2019-08-01 13:19:06.940887 IP 10.8.1.102.49160 > 3.17.202.129.80: Flags [.], ack 1, win 64240, length 0
E..(.w@...!Y
..f.......P.v[y..+.P.......
2019-08-01 13:19:06.941145 IP 10.8.1.102.49160 > 3.17.202.129.80: Flags [P.], seq 1:326, ack 1, win 64240, length 325: HTTP: GET /?GHRYb1AYhUQ7CY1Z3sfJHfdgiXnfmlZgiC2g7pV52z6UG8W3Lq4k0vs0ZIdzxVuY HTTP/1.1
E..m.x@... .
..f.......P.v[y..+.P.......GET /?GHRYb1AYhUQ7CY1Z3sfJHfdgiXnfmlZgiC2g7pV52z6UG8W3Lq4k0vs0ZIdzxVuY HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
DNT: 1
Connection: Keep-Alive
Host: 7b2cdd48.ngrok.io

2019-08-01 13:19:06.941243 IP 3.17.202.129.80 > 10.8.1.102.49160: Flags [.], ack 326, win 64240, length 0
E..(!.....?.....
..f.P....+..v.P....t..
2019-08-01 13:19:07.100312 IP 3.17.202.129.80 > 10.8.1.102.49160: Flags [.], seq 1:1461, ack 326, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
E...!.....:E....
..f.P....+..v.P....-..HTTP/1.1 200 OK
Date: Thu, 01 Aug 2019 17:19:06 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked

4e91
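The two things that make this capture stand out on the wire are visible in plain text: a DNS lookup for an ngrok.io tunnel hostname, followed within a second by a GET whose query string is one long opaque token rather than key=value pairs. As an added example (not code from this page, from the Malwarebytes write-up or from the SecurityWeek article), the Python script below parses tcpdump's text output and raises an alert for each of those features. It assumes tcpdump's default line format with -tttt timestamps, as shown above; the sample lines are constructed from the capture above plus one constructed benign request; and the rule names, the 32-character token threshold and the tunnel-domain list are assumptions chosen for illustration, not values taken from the page.

```python
"""Flag ngrok.io tunnel lookups and opaque single-token query strings in
tcpdump text output (assumed format: default tcpdump lines with -tttt)."""
import re
from dataclasses import dataclass
from typing import List, Union

# Line shapes understood by the parser: a DNS A query, an HTTP request line
# as tcpdump summarises it, and a Host header from the -A payload dump.
DNS_QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IP (?P<src>[\d.]+)\.\d+ > [\d.]+\.53: "
    r"\d+\+ A\? (?P<qname>\S+)\. \(\d+\)$"
)
HTTP_REQ_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.\d+: "
    r".*HTTP: (?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$"
)
HOST_HDR_RE = re.compile(r"^Host: (?P<host>\S+)$")

# Public tunnelling services (hypothetical list; the capture shows ngrok.io).
TUNNEL_SUFFIXES = (".ngrok.io",)
# "Opaque" query: a single alphanumeric token, no key=value, 32+ chars (assumed threshold).
OPAQUE_QUERY_RE = re.compile(r"^[A-Za-z0-9]{32,}$")


@dataclass
class DnsQuery:
    ts: str
    src: str
    qname: str


@dataclass
class HttpRequest:
    ts: str
    src: str
    dst: str
    method: str
    target: str
    host: str = ""


@dataclass
class Alert:
    rule: str
    ts: str
    src: str
    detail: str


def parse_tcpdump_text(text: str) -> List[Union[DnsQuery, HttpRequest]]:
    """Extract DNS A queries and HTTP requests; attach each Host header to its request."""
    events: List[Union[DnsQuery, HttpRequest]] = []
    for line in text.splitlines():
        m = DNS_QUERY_RE.match(line)
        if m:
            events.append(DnsQuery(m["ts"], m["src"], m["qname"]))
            continue
        m = HTTP_REQ_RE.match(line)
        if m:
            events.append(HttpRequest(m["ts"], m["src"], m["dst"], m["method"], m["target"]))
            continue
        m = HOST_HDR_RE.match(line)
        # A Host header belongs to the most recent request that has none yet.
        if m and events and isinstance(events[-1], HttpRequest) and not events[-1].host:
            events[-1].host = m["host"]
    return events


def is_tunnel_host(name: str) -> bool:
    """True when the name (with or without trailing dot) is under a tunnel service domain."""
    return name.lower().rstrip(".").endswith(TUNNEL_SUFFIXES)


def detect(events: List[Union[DnsQuery, HttpRequest]]) -> List[Alert]:
    """Apply the three rules and return alerts in the order the events occurred."""
    alerts: List[Alert] = []
    for ev in events:
        if isinstance(ev, DnsQuery):
            if is_tunnel_host(ev.qname):
                alerts.append(Alert("dns-tunnel-service", ev.ts, ev.src, "A? " + ev.qname))
            continue
        path, _, query = ev.target.partition("?")
        if is_tunnel_host(ev.host):
            alerts.append(Alert("http-tunnel-host", ev.ts, ev.src, ev.method + " " + ev.host + ev.target))
        if path == "/" and OPAQUE_QUERY_RE.match(query):
            alerts.append(Alert("http-opaque-query", ev.ts, ev.src, f"{len(query)}-char token to {ev.dst}"))
    return alerts


# Constructed sample: the DNS query, DNS answer and GET from the capture above,
# plus one constructed benign request (TEST-NET address, example.com) as a control.
SAMPLE_LOG = """\
2019-08-01 13:19:06.834029 IP 10.8.1.102.65094 > 10.8.1.1.53: 46499+ A? 7b2cdd48.ngrok.io. (35)
2019-08-01 13:19:06.891928 IP 10.8.1.1.53 > 10.8.1.102.65094: 46499 1/0/0 A 3.17.202.129 (51)
2019-08-01 13:19:06.941145 IP 10.8.1.102.49160 > 3.17.202.129.80: Flags [P.], seq 1:326, ack 1, win 64240, length 325: HTTP: GET /?GHRYb1AYhUQ7CY1Z3sfJHfdgiXnfmlZgiC2g7pV52z6UG8W3Lq4k0vs0ZIdzxVuY HTTP/1.1
Host: 7b2cdd48.ngrok.io
2019-08-01 13:20:01.000000 IP 10.8.1.102.49200 > 198.51.100.7.80: Flags [P.], seq 1:200, ack 1, win 64240, length 199: HTTP: GET /index.html HTTP/1.1
Host: example.com
"""

if __name__ == "__main__":
    for a in detect(parse_tcpdump_text(SAMPLE_LOG)):
        print(f"{a.ts} {a.src} {a.rule}: {a.detail}")
```

On the sample, the benign request produces nothing and the Lord EK traffic produces three alerts from one client. Neither rule is proof on its own: developers legitimately use ngrok, and some sites use opaque tokens. What made this traffic worth a closer look was the combination, a fresh tunnel hostname resolved and immediately fetched with a 64-character token by an Internet Explorer 11 user agent, so a practical deployment would correlate the DNS and HTTP alerts per source address inside a short window rather than page on either alone.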