IntSights' Blog

New ‘Disdain’ Exploit Kit May Signal Reemergence of the Popular Hacker Tool

by Noga / August 11, 2017

Exploit Kits (EK’s) have been around for at least the past decade, and every time one gets taken down, it’s only a matter of time before a new, more sophisticated one pops up on the Dark Web. Now there’s a new kid on the block named “Disdain.”

What is an EK?

For the uninitiated, an EK is a software kit that abuses known vulnerabilities found in the victim’s browser or browser add-ons. It is hosted on a remote server, to which traffic is passively diverted by the attacker. When a victim contacts the malicious server, the kit scans the browser to find exploitable vulnerabilities, and then abuses them to deliver malware. EK’s are one of the most common methods used by hackers to deliver malware on a large scale because they are stealthy and deceptive in their simplicity. They can be delivered by a rogue individual, a group of people, or even a country looking to disrupt businesses or another government.

While 2016 and the first half of 2017 saw a decline in EK use (because popular EK networks such as Angler were taken down), the last few weeks have seen an increase, with TrendMicro reporting the use of a new EK called ‘Sundown Pirate’ by malware advertisers, as well as the resurgence of an old EK called Estrum in a wave of new attacks. There has also been a resurgence of ads on the deep and dark webs offering even more EKs. Upon purchase, the buyer would receive access to a server where the kit is hosted, along with constant support throughout an agreed-upon time period.


‘Disdain’, the Latest EK

IntSights has discovered a new EK on the Russian underground called Disdain. Offered for sale by a threat actor named ‘Cehceny’, its advertised features include:

* Domain Rotator
* RSA Key exchange for Exploits
* Panel server is untraceable from Payload server
* Geolocation available
* Browser & IP tracking
* Scan domain


The screenshot above shows that the majority of the malware’s victims are in South America, India, China and Western Europe.

Disdain currently exploits the following vulnerabilities:

* cve-2017-5375 - FF
* cve-2017-3823 - Extension (Cisco Web Ex)
* cve-2017-0037 - IE a
* cve-2016-9078 - FF
* cve-2016-7200 - EDGE + IE a
* cve-2016-4117 - FLASH
* cve-2016-1019 - FLASH
* cve-2016-0189 - IE
* cve-2015-5119 - FLASH
* cve-2015-2419 - IE
* cve-2014-8636 - FF
* cve-2014-6332 - IE
* cve-2014-1510 - FF
* cve-2013-2551 - IE
* cve-2013-1710 - FF


Is Nebula Back?

Another ad circulating in messaging applications might indicate the comeback of a different EK that went missing earlier this week - Nebula.

The following statistics were allegedly taken from the EK’s administrator panel:









Based on these statistics, it appears that the majority of the EK’s victims are French. Interestingly, Nebula is going for a higher asking price than Disdain:

Price table (in USD):

            Disdain   Nebula
Per Day     80        100
Per Week    500       600
Per Month   1400      2000


What Can Be Done?

IntSights highly recommends making sure that the browsers used in your organization are all updated to their most recent versions. In addition, consider disabling the use of unnecessary extensions on the browsers used by employees. While this may not be a failsafe, it will go a long way toward protecting your organization’s browsers and end users, especially as EK’s seem to be back on the rise.
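
To turn the patching advice into a per-host checklist, the following added example (not from the original post or from IntSights) parses the advertised CVE list above and matches it against a software inventory. The expansion of the ad's abbreviations into product names, the host names and the inventory itself are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# The kit's advertised CVE list, as given in the post above.
ADVERTISED = """\
cve-2017-5375 - FF
cve-2017-3823 - Extension (Cisco Web Ex)
cve-2017-0037 - IE a
cve-2016-9078 - FF
cve-2016-7200 - EDGE + IE a
cve-2016-4117 - FLASH
cve-2016-1019 - FLASH
cve-2016-0189 - IE
cve-2015-5119 - FLASH
cve-2015-2419 - IE
cve-2014-8636 - FF
cve-2014-6332 - IE
cve-2014-1510 - FF
cve-2013-2551 - IE
cve-2013-1710 - FF
"""
# Assumed expansion of the ad's abbreviations into inventory product names.
PRODUCTS = {"FF": "Firefox", "IE": "Internet Explorer", "EDGE": "Edge",
            "FLASH": "Flash Player", "EXTENSION": "Cisco WebEx extension"}
LINE = re.compile(r"^(cve-\d{4}-\d{4,})[ \t]*-[ \t]*(.+)$", re.I | re.M)

def parse_advertised(text):
    """Map each product named in the ad to the CVE ids listed against it."""
    by_product = defaultdict(list)
    for cve, target in LINE.findall(text):
        # Words that are not known abbreviations (e.g. the "a" after "IE") are skipped.
        for token in re.findall(r"[A-Za-z]+", target):
            product = PRODUCTS.get(token.upper())
            if product and cve.upper() not in by_product[product]:
                by_product[product].append(cve.upper())
    return dict(by_product)

def patch_worklist(inventory, by_product):
    """Per host, the advertised CVEs whose patches should be verified (newest first)."""
    work = {host: sorted({c for p in installed for c in by_product.get(p, [])}, reverse=True)
            for host, installed in inventory.items()}
    return {host: cves for host, cves in work.items() if cves}

# Constructed sample inventory (hypothetical hosts); a real one comes from asset management.
INVENTORY = {"ws-014": ["Firefox", "Flash Player"], "ws-022": ["Edge"], "srv-003": ["Chrome"]}

if __name__ == "__main__":
    for host, cves in patch_worklist(INVENTORY, parse_advertised(ADVERTISED)).items():
        print(f"{host}: verify patches for {', '.join(cves)}")
```

A CVE listed against a host means its patch level needs checking, not that the host is confirmed vulnerable.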
