Underground Forum Markets ‘Disdain’ Kit to Target Flaws in WebEx, Flash, More
For just $80 per day, $500 per week or $1,400 monthly, cybercrime entrepreneurs can subscribe to Disdain. That’s the name of a new exploit kit that’s appeared on at least one underground Russian cybercrime forum, and which is being advertised by a “threat actor” who uses the handle “Cehceny,” according to Israeli cybersecurity firm IntSights Cyber Intelligence.
Exploit kits have long offered to automate, for cybercriminals, the tedious business of attempting to attack and gain access to a large number of PCs. Some exploit kits are private and used exclusively by a single cybercrime gang, while others are built by developers and rented or sold to users in pursuit of illicit profits.
From a technical standpoint, however, all exploit kits follow a familiar formula. “For the uninitiated, an EK [exploit kit] is a software kit that abuses known vulnerabilities found in the victim’s browser or browser add-ons,” security researchers at IntSights say in a blog post. “It is hosted on a remote server, to which traffic is passively diverted by the attacker. When a victim contacts the malicious server, the kit scans the browser to find exploitable vulnerabilities, and then abuses them to deliver malware.”
Cehceny claims Disdain will provide users with the ability to track the browser and IP of infected endpoints, geolocate victims, obscure attack payloads using RSA keys and automatically rotate attack domains, among other features.
Disdain was first discovered last week by Peru-based malware analyst David Montenegro, aka @CryptoInsane. He notes that Disdain appears to be a copy of Sundown, also known as BEPS or Neutrino.
Neutrino has been used in numerous and varied attack campaigns, including a bank malware campaign that appears to be tied to Lazarus Group, which security experts say appears to be a North Korean operation.
Disdain Exploit Kit – New Exploit Kit up for sale in Underground Forum – Copy && Paste .. .. Beps Exploit Kit .. .. $./I_love_weekends.py pic.twitter.com/bLXBwxvYTp
— David Montenegro (@CryptoInsane) August 9, 2017
Based on a screenshot of Disdain’s control panel obtained by Montenegro, the greatest number of victims appear to be located in South America, India and China, as well as Western Europe.
But it’s not clear if Cehceny’s Disdain offer is legitimate. Radware security researcher Daniel Smith, for example, told Bleeping Computer that Cehceny has been banned from at least one well-known underground forum on the grounds that he’s a “ripper,” or scammer.
Target: Widespread Flaws
Historically, exploit kits have targeted known – and oftentimes long patched – flaws in the Microsoft Internet Explorer and Edge browsers, as well as the Firefox browser, plus such browser plug-ins as Adobe Reader, the Java Runtime Environment and Adobe Flash Player.
Disdain, according to IntSights, is no stranger to that formula, and claims to target 15 flaws. This is a relatively small number of flaws to target, and as Bleeping Computer notes, likely reflects the attack toolkit having just debuted. Here’s a list of those flaws:
- CVE-2017-5375 – Firefox
- CVE-2017-3823 – Cisco WebEx
- CVE-2017-0037 – Internet Explorer
- CVE-2016-9078 – Firefox
- CVE-2016-7200 – Edge and IE
- CVE-2016-4117 – Flash
- CVE-2016-1019 – Flash
- CVE-2016-0189 – IE
- CVE-2015-5119 – Flash
- CVE-2015-2419 – IE
- CVE-2014-8636 – Firefox
- CVE-2014-6332 – IE
- CVE-2014-1510 – Firefox
- CVE-2013-2551 – IE
- CVE-2013-1710 – Firefox
All of those bugs have been patched, in some cases years ago, and some client software will have automatically updated itself to install the security updates. But that does not always happen, and exploit kit success is predicated on users failing to patch every bug.
The CVE-2017-3823 flaw in the browser extensions for Cisco WebEx Meetings Server and Cisco WebEx Centers, for example, was patched by Cisco in January. At the time, the technology vendor said the flaw “could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system.”
Cisco cautioned that the flaw could only be patched by installing software updates that it had released for Google Chrome, Firefox and Internet Explorer. “There are no workarounds that address this vulnerability,” Cisco said.
Down and Out in Exploit Kit Land
Exploit kits once offered a thriving business model for developers who sold or rented their product, because they could be used by their cybercrime customers to automatically infect large numbers of PCs, thus generating illicit profits for toolkit users.
The top exploit kits seen in 2016 included Angler, aka Axpergle; Neutrino, aka Sundown; and RIG, aka Meadgive. Angler, however, disappeared in June 2016, which may be tied to Russia arresting 50 suspected hackers that same month. Security researchers say at least some attackers that formerly relied on Angler then switched to the RIG and Neutrino exploit kits, which were tied to ransomware and malvertising campaigns, among other types of attacks.
Since the beginning of 2017, however, exploit kits appear to have been in steep decline, with Neutrino disappearing, apparently due to poor profits (see Neutrino Exploit Kit: No Signs of Life).
Instead, would-be attackers appear to have shifted to other techniques for attacking endpoints, such as malware-laden spam, which has been increasing in volume in recent months, according to the security firm Symantec. The company found that in July, global volumes of spam hit the highest level since March 2015.
Bootlegged ‘Sundown-Pirate’ Debuts
While many top exploit kit makers have exited the market, numerous smaller players remain, and there continue to be new or resurgent entrants.
Earlier this year, Joseph Chen, a fraud researcher at security firm Trend Micro, announced the reappearance of an older exploit kit called Astrum, aka Stegano. But he said all attacks tied to the new Astrum appeared to be the work of a single group of attackers, as part of the so-called AdGholas malvertising campaign, which has been used to infect endpoints with many different types of malware, including banking Trojans such as Gozi and Ramnit.
Last month, meanwhile, Chen reported finding Sundown-Pirate, an apparently bootlegged version of Sundown. But as with Astrum, all Sundown-Pirate attacks appear to have been tied to a single malvertising group, in this case dubbed “ProMediads.”
“ProMediads has been active as early as 2016, employing Rig and Sundown exploit kits to deliver malware,” Chen says. “Its activities dropped off in mid-February this year, but suddenly [swelled] on June 16 via Rig. However, we noticed that ProMediads eschewed Rig in favor of Sundown-Pirate on June 25.”
Sundown was never rated as a top-tier offering by security firms. Purported users complained on cybercrime forums that the exploit kit often failed, ironically, due to bugs in the code.
While a version of the exploit kit has reappeared, this does not herald a sudden resurgence in the exploit kit market. Instead, Sundown-Pirate appears to be the work of a single gang, for use in its own attacks, Chen says. Notably, the group does not appear to be attempting to profit by reselling or renting the exploit kit to others.