New Disdain Exploit Kit Detected in the Wild

By Chaoying Liu and Joseph C. Chen

The exploit kit landscape has been rocky since 2016, and we’ve observed several of the major players—Angler, Nuclear, Neutrino, Sundown—take a dip in operations or go private. New kits have popped up sporadically since then, sometimes revamped from old sources, but none have really gained traction. Despite that fact, cybercriminals continue to develop more of them.

On August 9, we detected a new exploit kit in the wild, being distributed through a malvertising campaign. With additional analysis of the code and activity, we can confirm that it is the Disdain exploit kit, which started to advertise their services in underground forums starting August 8. We found the “disdain” keyword contained in its JavaScript code.

We detected two different malvertising groups trying to use the new exploit service to deliver malware. One of the groups we were monitoring used Disdain to deliver the Smoke Loader Trojan (detected by Trend Micro as TROJ_SHARIK.VDA), which would then install a cryptocurrency miner.

Activity and analysis of Disdain

While we were tracking the exploit kit, we noted erratic activity that dipped on August 11 before quickly spiking on August 12. The activity dropped again after that. So far, since it is the early stages of the kit, detections have been minimal.

Disdain shares the same URL pattern as the Terror exploit kit, which is not the first time a new kit has borrowed from Terror. However, its JavaScript obfuscation style is similar to the Nebula exploit kit. The kit relies on older exploits (one is from 2013) as well as newer exploits, though all have been patched.

Figure 1. Keyword “disdain” contained in the exploit kit, seen delivering Smoke Loader

It seems that even in the underground, advertisements promise more than what the product can deliver. In their post on an underground forum, the developers listed 17 different CVEs that the kit currently exploits, but we observed only five:

  • CVE-2013-2551, patched in May 2013
  • CVE-2015-2419, patched in July 2015
  • CVE-2016-0189, patched in May 2016
  • CVE-2017-0037, patched in March 2017
  • CVE-2017-0059, patched in March 2017

It’s worth noting that the exploit kit combines CVE-2017-0059 and CVE-2017-0037 (the youngest CVEs) to exploit the IE browser. These exploits were first found in the wild: CVE-2017-0059 is an information disclosure vulnerability in IE that was patched on March 2017. With this CVE, the attacker gets the base address of propsys.dll and then evades Address Space Layout Randomization (ASLR), which is used to prevent exploitation of memory corruption vulnerabilities. CVE-2017-0037 is a type corruption vulnerability in IE and Edge, and the attacker uses it to execute shellcode. Used in tandem, these vulnerabilities would allow the attacker to execute arbitrary code on a compromised device.

However, the related malicious code can’t actually exploit anything because of certain faults by the developer.

Figure 2. Code fragment of CVE-2017-0059Figure 3. Code fragment of CVE-2017-0037

Solutions and recommendations

All the listed CVEs that Disdain exploits have been patched, some even years before the kit was detected. This only emphasizes the need for timely patching—enterprises and users alike should prioritize critical patches and be diligent in protecting their system from preventable compromises.

Aside from patching, a multilayered approach to security is also necessary to defend against complex threats. A comprehensive solution covers all flanks—from the gateway, endpoints, networks, and servers. Trend Micro™ OfficeScan™ with XGen™ endpoint security has Vulnerability Protection that shields endpoints from identified and unknown vulnerability exploits even before patches are even deployed. Trend Micro’s endpoint solutions such as Trend MicroSmart Protection Suites, and Worry-FreeBusiness Security protect end users and businesses from these threats by detecting and blocking malicious files and all related malicious URLs.

Hat tip to ProofPoint’s kafeine whom we worked with on this research.

Indicators of Compromise

www[.]hidretds[.]com Malvertising domain
campngay11[.]ml Malvertising domain
campngay11[.]gq Malvertising domain
campngay12[.]gq Malvertising domain
94[.]102[.]60[.]156 Disdain exploit kit IP address
a11t01t22t10[.]ru Smoke Loader C&C domain
789e26249acaa412d1ea58fff45927d722ab4badb69c0c90ad0efc9cc0541d3e Smoke Loader
9fdbcc58d935baebf473c4ab30c47df9d91414423e2fa5dc3b38c7757f175bd1 Cryptocurrency miner

 

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

New Disdain Exploit Kit Detected in the Wild

Read more: New Disdain Exploit Kit Detected in the Wild

Story added 17. August 2017, content source with full text you can find at link above.