{"id":15981,"date":"2019-08-02T11:10:08","date_gmt":"2019-08-02T19:10:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/08\/02\/news-9725\/"},"modified":"2019-08-02T11:10:08","modified_gmt":"2019-08-02T19:10:08","slug":"news-9725","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/08\/02\/news-9725\/","title":{"rendered":"Say hello to Lord Exploit Kit"},"content":{"rendered":"<p><strong>Credit to Author: J\u00e9r\u00f4me Segura| Date: Fri, 02 Aug 2019 18:15:24 +0000<\/strong><\/p>\n<p>Just as we had wrapped up our <a rel=\"noreferrer noopener\" aria-label=\"summer review of exploit kits (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/07\/exploit-kits-summer-2019-review\/\" target=\"_blank\">summer review of exploit kits<\/a>, a new player entered the scene. Lord EK, as it is calling itself, was caught by <a href=\"https:\/\/www.virusbulletin.com\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"Virus Bulletin (opens in a new tab)\">Virus Bulletin<\/a>&#8216;s <a rel=\"noreferrer noopener\" aria-label=\"Adrian Luca (opens in a new tab)\" href=\"https:\/\/twitter.com\/adrian__luca\" target=\"_blank\">Adrian Luca<\/a> while replaying malvertising chains.<\/p>\n<p>In this blog post, we do a quick review of this exploit kit based on what we have collected so far. Malwarebytes users were <a rel=\"noreferrer noopener\" aria-label=\"already protected (opens in a new tab)\" href=\"https:\/\/twitter.com\/jeromesegura\/status\/1156972737685934081?s=20\" target=\"_blank\">already protected<\/a> against this attack. <\/p>\n<h3>Exploit kit or not?<\/h3>\n<p>Lately there has been a trend of what we call pseudo-exploit kits, where a threat actor essentially grabs a proof of concept for an Internet Explorer or Flash Player vulnerability and crafts a very basic page to load it. 
It is probably more accurate to describe these as drive-by download attacks, rather than exploit kits.<\/p>\n<p>With an exploit kit we expect to see certain feature sets that include:<\/p>\n<ul>\n<li>a landing page that fingerprints the machine to identify client side vulnerabilities<\/li>\n<li>dynamic URI patterns and domain name rotation<\/li>\n<li>one or more exploits for the browser or one of its plugins<\/li>\n<li> logging of the victim&#8217;s IP address<\/li>\n<li>a payload that may change over time and that may be geo-specific<\/li>\n<\/ul>\n<h3>Quick glance at Lord EK<\/h3>\n<p>The first <a rel=\"noreferrer noopener\" aria-label=\"tweet (opens in a new tab)\" href=\"https:\/\/twitter.com\/adrian__luca\/status\/1156934215566536705\" target=\"_blank\">tweet<\/a> from <a href=\"https:\/\/twitter.com\/adrian__luca\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"@adrian__luca (opens in a new tab)\">@adrian__luca<\/a> about Lord EK came out in the morning of August 1st and shows interesting elements. It is part of a malvertising chain via the PopCash ad network and uses a compromised site to redirect to a landing page.<\/p>\n<p>We can see a very rudimentary landing page in clear text with a comment at the top left by its author that says: <em>&lt;!&#8211; Lord EK &#8211; Landing page &#8211;&gt;<\/em>. 
By the time we checked it, it had been obfuscated but remained essentially the same.<\/p>\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/landing.png\" data-rel=\"lightbox-0\" title=\"\"><img decoding=\"async\" data-attachment-id=\"39810\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/08\/say-hello-to-lord-exploit-kit\/attachment\/landing-19\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/landing.png\" data-orig-size=\"863,750\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"landing\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/landing-300x261.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/landing-600x521.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/landing.png\" alt=\"\" class=\"wp-image-39810\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/landing.png 863w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/landing-300x261.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/landing-600x521.png 600w\" sizes=\"(max-width: 863px) 100vw, 863px\" \/><\/a><\/figure>\n<p>There is a function that checks for the presence and version of the Flash Player, which will ultimately be used to push CVE-2018-15982. 
The second part of the landing page collects information that includes the Flash version and other network attributes about the victim.<\/p>\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/geo.png\" data-rel=\"lightbox-1\" title=\"\"><img decoding=\"async\" data-attachment-id=\"39811\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/08\/say-hello-to-lord-exploit-kit\/attachment\/geo-2\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/geo.png\" data-orig-size=\"638,313\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"geo\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/geo-300x147.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/geo-600x294.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/geo.png\" alt=\"\" class=\"wp-image-39811\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/geo.png 638w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/geo-300x147.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/geo-600x294.png 600w\" sizes=\"(max-width: 638px) 100vw, 638px\" \/><\/a><\/figure>\n<h3>Interesting URI patterns<\/h3>\n<p>One thing we immediately noticed was how the exploit kit&#8217;s URLs were unusual. 
We see the threat actor is using the <a rel=\"noreferrer noopener\" aria-label=\"ngrok (opens in a new tab)\" href=\"https:\/\/ngrok.com\/\" target=\"_blank\">ngrok<\/a> service to craft custom hostnames (we informed ngrok of this abuse of their service by filing a report).<\/p>\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/patterns.png\" data-rel=\"lightbox-2\" title=\"\"><img decoding=\"async\" data-attachment-id=\"39814\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/08\/say-hello-to-lord-exploit-kit\/attachment\/patterns\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/patterns.png\" data-orig-size=\"966,220\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"patterns\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/patterns-300x68.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/patterns-600x137.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/patterns.png\" alt=\"\" class=\"wp-image-39814\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/patterns.png 966w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/patterns-300x68.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/patterns-600x137.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/patterns-965x220.png 965w\" sizes=\"(max-width: 966px) 100vw, 966px\" 
\/><\/a><\/figure>\n<p>This is rather unusual, at least from what we have observed with exploit kits in recent history. As per ngrok&#8217;s documentation, it exposes a local server to the public internet. The free version of ngrok generates random subdomains, which is almost perfect (and reminds us of <a href=\"https:\/\/blogs.cisco.com\/security\/talos\/angler-domain-shadowing\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"Domain Shadowing (opens in a new tab)\">Domain Shadowing<\/a>) for the exploit kit author.<\/p>\n<h3>Flash exploit and payload<\/h3>\n<p>At the time of writing, Lord EK only goes for Flash Player, and not Internet Explorer vulnerabilities. <a rel=\"noreferrer noopener\" aria-label=\"Nao_Sec (opens in a new tab)\" href=\"https:\/\/twitter.com\/nao_sec\" target=\"_blank\">Nao_Sec<\/a> quickly studied the exploit and <a rel=\"noreferrer noopener\" aria-label=\"pointed out (opens in a new tab)\" href=\"https:\/\/twitter.com\/nao_sec\/status\/1156971646533529600\" target=\"_blank\">pointed out<\/a> it is targeting <a rel=\"noreferrer noopener\" aria-label=\"CVE-2018-15982 (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/12\/new-flash-player-zero-day-used-russian-facility\/\" target=\"_blank\">CVE-2018-15982<\/a>.<\/p>\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/flash_.png\" data-rel=\"lightbox-3\" title=\"\"><img decoding=\"async\" data-attachment-id=\"39815\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/08\/say-hello-to-lord-exploit-kit\/attachment\/flash_-2\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/flash_.png\" data-orig-size=\"786,410\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"flash_\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/flash_-300x156.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/flash_-600x313.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/flash_.png\" alt=\"\" class=\"wp-image-39815\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/flash_.png 786w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/flash_-300x156.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/flash_-600x313.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/flash_-630x330.png 630w\" sizes=\"(max-width: 786px) 100vw, 786px\" \/><\/a><\/figure>\n<p>After exploiting the vulnerability, it launches shellcode to download and execute its payload:<\/p>\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/binarydata.png\" data-rel=\"lightbox-4\" title=\"\"><img decoding=\"async\" data-attachment-id=\"39816\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/08\/say-hello-to-lord-exploit-kit\/attachment\/binarydata\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/binarydata.png\" data-orig-size=\"745,462\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"binarydata\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/binarydata-300x186.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/binarydata-600x372.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/binarydata.png\" alt=\"\" class=\"wp-image-39816\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/binarydata.png 745w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/binarydata-300x186.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/binarydata-600x372.png 600w\" sizes=\"(max-width: 745px) 100vw, 745px\" \/><\/a><\/figure>\n<p>The initial payload was njRAT, however the threat actors switched it the next day for the ERIS ransomware, as spotted by <a rel=\"noreferrer noopener\" aria-label=\"@tkanalyst (opens in a new tab)\" href=\"https:\/\/twitter.com\/tkanalyst\/status\/1157296738446614531\" target=\"_blank\">@tkanalyst<\/a>.<\/p>\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/Eris.png\" data-rel=\"lightbox-5\" title=\"\"><img decoding=\"async\" data-attachment-id=\"39818\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/08\/say-hello-to-lord-exploit-kit\/attachment\/eris\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/Eris.png\" data-orig-size=\"1125,829\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Eris\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/Eris-300x221.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/Eris-600x442.png\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/Eris.png\" alt=\"\" class=\"wp-image-39818\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/Eris.png 1125w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/Eris-300x221.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/08\/Eris-600x442.png 600w\" sizes=\"(max-width: 1125px) 100vw, 1125px\" \/><\/a><\/figure>\n<p>We also noticed another change: after exploitation, the exploit kit redirects the victim to the Google home page. This is a behavior that was previously <a rel=\"noreferrer noopener\" aria-label=\"noted (opens in a new tab)\" href=\"https:\/\/blog.talosintelligence.com\/2019\/06\/spelevo-exploit-kit.html\" target=\"_blank\">noted<\/a> with the Spelevo exploit kit.<\/p>\n<h3>Under active development<\/h3>\n<p>It is still too early to say whether this exploit kit will stick around and make a name for itself. However, it is clear that its author is actively tweaking it.<\/p>\n<p>This comes at a time when exploit kits are full of surprises and regaining some attention in the research community. 
Even though the vulnerabilities for Internet Explorer and Flash Player have been patched and both have a very small market share, usage of the old Microsoft browser still continues in many countries.<\/p>\n<p><a rel=\"noreferrer noopener\" aria-label=\"Brad Duncan (opens in a new tab)\" href=\"https:\/\/twitter.com\/malware_traffic\" target=\"_blank\">Brad Duncan<\/a> from <a rel=\"noreferrer noopener\" aria-label=\"Malware Traffic Analysis (opens in a new tab)\" href=\"https:\/\/malware-traffic-analysis.net\/\" target=\"_blank\">Malware Traffic Analysis<\/a> has posted some traffic captures for those interested in studying this exploit kit.<\/p>\n<h3>Indicators of Compromise<\/h3>\n<p><strong>Compromised site<\/strong><\/p>\n<p>liader[.]com[.]ua<\/p>\n<p><strong>Network fingerprinting<\/strong><\/p>\n<p>extreme-ip-lookup[.]com<\/p>\n<p><strong>Lord EK URI patterns<\/strong><\/p>\n<p>hxxp[:\/\/]7b2cdd48[.]ngrok[.]io\/?JBgMXVVbOf9zqgsoOAv5oF3ppFp2d3SK3oQcSU5r4nLSKSDr6Rc377BW5uCV7gCg<br \/>hxxp[:\/\/]7b2cdd48[.]ngrok[.]io\/?bMa7lkcmRJcUVUwJi3[.]swf<br \/>hxxp[:\/\/]kqocwd6rlzckogdygmbuwq3yctxvcfatkarq5ncpscrcvixad2hxftad[.]onion[.]pet\/Server[.]exe<br \/>hxxp[:\/\/]57189bbb[.]ngrok[.]io\/?SRwylMaPXwikMSTUvhoedUFFZ2QTOKTnF387C5uFPuKiqGiiHLCK8iGuB62l4xXC<br \/>hxxp[:\/\/]57189bbb[.]ngrok[.]io\/?rAADEzS60R6ZFE7gCcplytGI0h[.]swf<br \/>hxxp[:\/\/]81[.]171[.]31[.]247:4567\/Server[.]exe<\/p>\n<p><strong>njRAT<\/strong><\/p>\n<p>26107d42e0d8684f4250628d438fb0869132faa298648feec17b25e5db9a8c3b<\/p>\n<p><strong>Eris ransomware<\/strong><\/p>\n<p>8c1aaf20e55a5c56498707e11b27d0d8d56dba71b22b77b9a53c34936474441a<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/08\/say-hello-to-lord-exploit-kit\/\">Say hello to Lord Exploit Kit<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a 
href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/08\/say-hello-to-lord-exploit-kit\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: J\u00e9r\u00f4me Segura| Date: Fri, 02 Aug 2019 18:15:24 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/08\/say-hello-to-lord-exploit-kit\/' title='Say hello to Lord Exploit Kit'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/08\/cybercrime.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>In this blog, we take a look at a new exploit kit distributed via malvertising that calls itself Lord EK.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/exploits-threat-analysis\/\" rel=\"category tag\">Exploits<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/\" rel=\"category tag\">Threat analysis<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/ek\/\" rel=\"tag\">EK<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/eris\/\" rel=\"tag\">eris<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/exploit-kit\/\" rel=\"tag\">exploit kit<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/lord-ek\/\" rel=\"tag\">Lord EK<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malvertising\/\" rel=\"tag\">malvertising<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/njrat\/\" rel=\"tag\">njRAT<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ransomware\/\" rel=\"tag\">ransomware<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/08\/say-hello-to-lord-exploit-kit\/' title='Say hello to Lord Exploit Kit'>Read 
more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2019\/08\/say-hello-to-lord-exploit-kit\/\">Say hello to Lord Exploit Kit<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10527,22567,10534,10987,22568,10531,22569,3765,10494],"class_list":["post-15981","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-ek","tag-eris","tag-exploit-kit","tag-exploits","tag-lord-ek","tag-malvertising","tag-njrat","tag-ransomware","tag-threat-analysis"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15981","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15981"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15981\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15981"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15981"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15981"}],"curies":[{"name":
"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}