By Chaoying Liu and Joseph C. Chen
The exploit kit landscape has been rocky since 2016, and we’ve observed several of the major players—Angler, Nuclear, Neutrino, Sundown—take a dip in operations or go private. New kits have popped up sporadically since then, sometimes revamped from old sources, but none have really gained traction. Despite that fact, cybercriminals continue to develop more of them.
We detected two different malvertising groups trying to use the new exploit kit, Disdain, to deliver malware. One of the groups we were monitoring used Disdain to deliver the Smoke Loader Trojan (detected by Trend Micro as TROJ_SHARIK.VDA), which would then install a cryptocurrency miner.
Activity and analysis of Disdain
While we were tracking the exploit kit, we noted erratic activity that dipped on August 11 before quickly spiking on August 12. The activity dropped again after that. Since the kit is still in its early stages, detections so far have been minimal.
Figure 1. Keyword “disdain” contained in the exploit kit, seen delivering Smoke Loader
It seems that even in the underground, advertisements promise more than what the product can deliver. In their post on an underground forum, the developers listed 17 different CVEs that the kit currently exploits, but we observed only five:
- CVE-2013-2551, patched in May 2013
- CVE-2015-2419, patched in July 2015
- CVE-2016-0189, patched in May 2016
- CVE-2017-0037, patched in March 2017
- CVE-2017-0059, patched in March 2017
It’s worth noting that the exploit kit combines CVE-2017-0059 and CVE-2017-0037 (the two most recent CVEs on the list) to exploit the IE browser. Both exploits were first found in the wild. CVE-2017-0059 is an information disclosure vulnerability in IE that was patched in March 2017; with it, the attacker obtains the base address of propsys.dll and thereby bypasses Address Space Layout Randomization (ASLR), a mitigation intended to prevent exploitation of memory corruption vulnerabilities. CVE-2017-0037 is a type confusion vulnerability in IE and Edge, which the attacker uses to execute shellcode. Used in tandem, these vulnerabilities would allow the attacker to execute arbitrary code on a compromised device.
However, the kit’s implementation of these exploits does not actually work, because of errors the developer made in the code.
Figure 2. Code fragment of CVE-2017-0059
Figure 3. Code fragment of CVE-2017-0037
Solutions and recommendations
All the listed CVEs that Disdain exploits have been patched, some even years before the kit was detected. This only emphasizes the need for timely patching—enterprises and users alike should prioritize critical patches and be diligent in protecting their systems from preventable compromises.
Aside from patching, a multilayered approach to security is also necessary to defend against complex threats. A comprehensive solution covers all flanks: the gateway, endpoints, networks, and servers. Trend Micro™ OfficeScan™ with XGen™ endpoint security has Vulnerability Protection that shields endpoints from identified and unknown vulnerability exploits even before patches are deployed. Trend Micro’s endpoint solutions, such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security, protect end users and businesses from these threats by detecting and blocking malicious files and all related malicious URLs.
Hat tip to ProofPoint’s kafeine, with whom we worked on this research.
Indicators of Compromise
| Indicator | Description |
| --- | --- |
| 94[.]102[.]60[.]156 | Disdain exploit kit IP address |
| a11t01t22t10[.]ru | Smoke Loader C&C domain |
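As an added defensive example (not code from the original post or from Trend Micro), the script below refangs the two indicators listed above and sweeps them across a web proxy log, flagging the keyword “disdain” from Figure 1 as a low-confidence signal. The proxy log format and the sample lines are constructed for this example.

```python
import re
from typing import Dict, List

# The two IoCs from the report, kept defanged exactly as published.
DISDAIN_IOCS = {
    "94[.]102[.]60[.]156": "Disdain exploit kit IP address",
    "a11t01t22t10[.]ru": "Smoke Loader C&C domain",
}
# Figure 1 of the report shows the keyword "disdain" inside the kit's content;
# on its own it is only a weak hint, so it is reported at low confidence.
WEAK_KEYWORD = "disdain"

# Constructed proxy log format (assumption): "<timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")

# Constructed sample lines; only the first two contact the published indicators.
SAMPLE_LOG = [
    "2017-08-12T10:01:03Z 10.0.0.12 GET http://94.102.60.156/index.php?id=ad 200",
    "2017-08-12T10:01:09Z 10.0.0.12 POST http://a11t01t22t10.ru/gate.php 200",
    "2017-08-12T10:02:00Z 10.0.0.33 GET http://example.com/news/disdain-review.html 200",
    "2017-08-12T10:03:44Z 10.0.0.33 GET https://www.example.org/ 200",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 94[.]102[.]60[.]156 back into matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def host_of(url: str) -> str:
    """Extract the lowercase host from a URL, dropping scheme, path and port."""
    return re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/")[0].split(":")[0].lower()

def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per matching log line: exact host/IP matches are high confidence,
    subdomains of a listed domain also match, and the bare keyword is low confidence."""
    iocs = {refang(k): v for k, v in DISDAIN_IOCS.items()}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        url, host = m.group("url"), host_of(m.group("url"))
        matched = [v for k, v in iocs.items() if host == k or host.endswith("." + k)]
        for label in matched:
            hits.append({"client": m.group("client"), "host": host, "label": label, "confidence": "high"})
        if not matched and WEAK_KEYWORD in url.lower():
            hits.append({"client": m.group("client"), "host": host,
                         "label": "keyword 'disdain' in URL", "confidence": "low"})
    return hits

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```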