A new exploit kit (EK) named “Disdain” has been observed in the wild. The EK targets Windows vulnerabilities. Its presence was initially spotted as an advertisement on underground forums and was brought to light on Twitter by @CryptoInsane. The EK can be rented for as little as $80. Disdain claims to exploit over 15 CVEs, all of which have been fixed by the vendors, with official patches already released. Currently the EK appears to target only 5 CVEs. This discovery was made by TrendMicro along with Proofpoint.
| CVE | Target Component | Fix | QID(s) |
|---|---|---|---|
| CVE-2013-2551 | JScript9 | MS13-037 | 100147 |
| CVE-2015-2419 | JScript9 | MS15-065 | 100244 |
| CVE-2016-0189 | JScript and VBScript engines | MS16-053, MS16-051 | 91220, 100284 |
| CVE-2017-0037 | Type confusion in mshtml.dll | MS17-006 (IE), MS17-007 (MS Edge) | 91333, 91332 |
| CVE-2017-0059 | Use-after-free bug in IE | MS17-006 (IE) | 91333 |
It is important to note that the code targeting CVE-2017-0059 and CVE-2017-0037 appears to be ineffective; more samples of the code are needed for analysis. The sample observed by TrendMicro delivers Smoke Loader, a small application that downloads additional malware onto the target machine. In this case it installs a cryptocurrency miner.
CVE-2017-0059 & CVE-2017-0037:
A PoC combining both of these vulnerabilities was released by @redr2e. The exploit uses CVE-2017-0059 to leak the base address of propsys.dll and then uses CVE-2017-0037 to execute shellcode through a pre-built ROP chain constructed from propsys.dll. There is a very good chance that Disdain EK is using a similar approach to gain code execution. This is not the first time an EK has integrated a publicly released PoC exploit into its code, e.g. Sundown EK with CVE-2016-7200 and CVE-2016-7201.
Please continue to follow ThreatProtect for more information on Disdain EK.
References:
- New Disdain Exploit Kit Detected in the Wild
- @kafeine
- Microsoft IE: textarea.defaultValue memory disclosure
- Microsoft Edge and IE: Type confusion