Disdain EK

A new exploit kit (EK) named “Disdain” has been observed in the wild. The EK targets Windows vulnerabilities. Initially the presence of this EK was found in underground forums as an ad and was brought to light on twitter by @CryptoInsane. The EK can be rented for as low as 80$. Disdain claims to exploit over 15 CVEs. All of which have been fixed by vendors and their official patches have already been released. Currently the EK appears to target only 5 CVEs. This discovery was made by TrendMicro along with with Proofpoint.

CVE Target Component Fix QID(s)
CVE-2013-2551 JScript9 MS13-037 100147
CVE-2015-2419 JScript9 MS15-065 100244
CVE-2016-0189 JScript and VBScript engines MS16-053, MS16-051 91220 ,100284
CVE-2017-0037 Type confusion in mshtml.dll MS17-006(IE),MS17-007(MS Edge) 91333, 91332
CVE-2017-0059 Use-after-free bug in IE MS17-006(IE) 91333

It is important to note that the code targeting CVE-2017-0059 and CVE-2017-0037 appears to be ineffective. We need to collect more samples of the code for analysis. The sample observed by TrendMicro delivers Smoker Loader, it is a small application that downloads other additional malware onto the target machine. In this case it installs a cryptocurrency miner.

CVE-2017-0059 & CVE-2017-0037:
A PoC combining both these vulnerabilities was released by @redr2e. The exploit uses CVE-2017-0059 to leak the base address of propsys.dll and uses CVE-2017-0037 to execute shellcode by executing a pre-built ROP chain using propsys.dll. There is a very good chance that Disdain EK is using a similar approach to gain code execution. This is not the first time an EK has integrated a publicly released PoC exploit in to its code eg Sundown EK with CVE-2016-7200 & CVE-2016-7201.  

Please continue to follow ThreatProtect for more information on Disdain EK.

References:
New Disdain Exploit Kit Detected in the Wild
@kafeine
Microsoft IE: textarea.defaultValue memory disclosure
Microsoft Edge and IE: Type confusion

Leave a Reply

Your email address will not be published. Required fields are marked *