Lord Exploit Kit delivers Eris ransomware

Lord Exploit Kit was discovered by @adrian__luca on 2019-08-01 and shared with the security community. Thank you Adrian and nice find!

This exploit kit appears to exploit the “Windows VBScript Engine Remote Code Execution Vulnerability” reported as CVE-2018-8174.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2019-08-02-lordek.pcap.zip

ASSOCIATED DOMAINS:

77.87.193.106 – liader.com.ua – Redirect to Exploit Kit
18.223.41.243 – a9c44f30.ngrok.io – Lord Exploit Kit
3.121.224.43 – extreme-ip-lookup.com – IP address check
81.171.31.247 port 4567 – GET /Server.exe – Eris Ransomware
evilnnwzczbcbi4edpi4tx3khwbnty3obfhemd5i5gbyci3hxx3k5pad.onion.pet – POST /api/v1/check – Eris ransomware check-in
evilnnwzczbcbi4edpi4tx3khwbnty3obfhemd5i5gbyci3hxx3k5pad.onion.pet – POST /api/v1/sync – Eris ransomware check-in

INTERESTING PROCESSES:

ParentImage C:\Users\Ted\Desktop\rund11.exe
Image C:\Windows\System32\cmd.exe
CommandLine cmd.exe /C taskkill.exe /f /im mysqld.exe

ParentImage C:\Windows\System32\cmd.exe
Image C:\Windows\System32\taskkill.exe
CommandLine taskkill.exe /f /im mysqld.exe

ParentImage C:\Windows\System32\cmd.exe
Image C:\Windows\System32\taskkill.exe
CommandLine taskkill.exe /f /im sqlwriter.exe

Image C:\Windows\System32\vssadmin.exe
CommandLine vssadmin delete shadows /all /quiet

ParentImage C:\Windows\System32\cmd.exe
Image C:\Windows\System32\wbem\WMIC.exe
CommandLine wmic shadowcopy delete

ParentImage C:\Windows\System32\cmd.exe
Image C:\Windows\System32\wbadmin.exe
CommandLine wbadmin delete catalog -quiet
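The process records above are the backup-tampering chain a detection engineer would alert on (shadow copy deletion via vssadmin, WMIC and wbadmin, plus taskkill against database processes so their files can be encrypted). Below is an added example, not code from the original post, that runs simple rules over constructed Sysmon-style process-creation events shaped like those records; the rule names, the (ParentImage, Image, CommandLine) tuple layout and the benign "vssadmin list shadows" event are my assumptions.

```python
import re

# Constructed sample events in (ParentImage, Image, CommandLine) form, modelled on the
# Sysmon process-creation records listed above; the last one is a benign admin action.
SAMPLE_EVENTS = [
    (r"C:\Users\Ted\Desktop\rund11.exe", r"C:\Windows\System32\cmd.exe",
     "cmd.exe /C taskkill.exe /f /im mysqld.exe"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\taskkill.exe",
     "taskkill.exe /f /im mysqld.exe"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\taskkill.exe",
     "taskkill.exe /f /im sqlwriter.exe"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin delete shadows /all /quiet"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe",
     "wmic shadowcopy delete"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbadmin.exe",
     "wbadmin delete catalog -quiet"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin list shadows"),
]

# Each rule (hypothetical names): image basename it applies to, regex over the command line.
# Matching on the executing image rather than only the command line avoids firing on the
# parent cmd.exe, which merely carries the child's command as an argument.
RULES = [
    ("shadow_copy_deletion_vssadmin", "vssadmin.exe", r"\bdelete\s+shadows\b"),
    ("shadow_copy_deletion_wmic", "wmic.exe", r"\bshadowcopy\s+delete\b"),
    ("backup_catalog_deletion_wbadmin", "wbadmin.exe", r"\bdelete\s+catalog\b"),
    ("database_process_kill", "taskkill.exe", r"/im\s+(mysqld|sqlwriter)\.exe"),
]


def match_events(events, rules=RULES):
    """Return (rule_name, command_line) for every event that a rule matches."""
    hits = []
    for _parent, image, cmdline in events:
        basename = image.rsplit("\\", 1)[-1].lower()
        for name, exe, pattern in rules:
            if basename == exe and re.search(pattern, cmdline, re.IGNORECASE):
                hits.append((name, cmdline))
    return hits


def score_host(events, rules=RULES, threshold=2):
    """Count distinct rules hit on one host; several distinct backup-tampering
    techniques in one session is a far stronger ransomware signal than any one hit."""
    distinct = {name for name, _ in match_events(events, rules)}
    return len(distinct), len(distinct) >= threshold
```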


IMAGES AND DETAILS:

Shown above: Network traffic associated with Lord EK and Eris ransomware infection

Shown above: Website used to redirect to the Lord EK hosted at a9c44f30.ngrok.io

Shown above: Eris ransomware payload downloaded after Lord Exploit

Shown above: Eris ransomware check-in after encrypting files on host

Shown above: Eris ransom note directing user to .onion domain

MALICIOUS PAYLOAD ASSOCIATED WITH LORD EK:

rund11.exe – Eris ransomware
SHA-256:
8c1aaf20e55a5c56498707e11b27d0d8d56dba71b22b77b9a53c34936474441a
VirusTotal Link