Exploit Kits (EK’s) have been around for at least the past decade, and every time one gets taken down, it’s only a matter of time before a new, more sophisticated one pops up on the Dark Web. Now there’s a new kid on the block named “Disdain.”
What is an EK?
For the uninitiated, an EK is a software kit that abuses known vulnerabilities found in the victim’s browser or browser add-ons. It is hosted on a remote server, to which traffic is passively diverted by the attacker. When a victim contacts the malicious server, the kit scans the browser to find exploitable vulnerabilities, and then abuses them to deliver a malware. EK’s are one of the most common methods used by hackers to deliver malware on a large scale because they are stealthy and deceptive in their simplicity. They can be delivered by a rogue individual, a group of people, or even a country looking to disrupt business and another government.
While 2016 and the first half of 2017 saw a decline in EK use (because popular EK networks such as Angler were taken down), the last few weeks have seen an increase, with TrendMicro reporting the use of a new EK called ‘Sundown Pirate’ by malware advertisers, as well as the resurgence of an old EK called Estrum in a wave of new attacks. There has also been a resurgence of ads on the deep and dark webs offering even more EKs. Upon purchase, the buyer would receive access to a server where the kit is hosted, along with constant support throughout an agreed-upon time period.
‘Disdain’, the Latest EK
IntSights has discovered a new EK on the Russian underground entitled Disdain. Offered for sale by a threat actor named ‘Cehceny’, its advertised features include:
*RSA Key exchange for Exploits
*Panel server is untraceable from Payload server
*Browser & IP tracking
The screenshot above shows that the majority of the malware’s victims are in South America, India, China and Western Europe.
Disdain currently exploits the following vulnerabilities:
cve-2017-5375 - FF
cve-2017-3823 - Extension (Cisco Web Ex)
cve-2017-0037 - IE a
cve-2016-9078 - FF
cve-2016-7200 - EDGE + IE a
cve-2016-4117 - FLASH
cve-2016-1019 - FLASH
cve-2016-0189 - IE
cve-2015-5119 - FLASH
cve-2015-2419 - IE
cve-2014-8636 - FF
cve-2014-6332 - IE
cve-2014-1510 - FF
cve-2013-2551 - IE
cve-2013-1710 - FF
Is Nebula back ?
Another ad circulating in messaging applications might indicate the comeback of a different EK that went missing earlier this week - Nebula.
The following statistics were allegedly taken from the EK’s administrator panel:
Based on these statistics, it appears that the majority of the EK’s victims are French. Interestingly, Nebula is going for a higher asking price than Disdain:
Price table: (in USD)
What Can Be Done?
IntSights highly recommends making sure that the browsers used in your organization are all updated to reflect their most recent versions. In addition, consider disabling the use of unnecessary extensions on the browsers used by employees. While this may not be a failsafe, it will go a long way toward protecting your organization’s browsers and end users, especially as EK’s seem to be back on the rise.