The Disdain exploit kit appears in the threat landscape

Pierluigi Paganini August 15, 2017

The Disdain exploit kit is available for rent on a daily, weekly, or monthly basis for prices of $80, $500, and $1,400 respectively.

The security researcher David Montenegro discovered a new exploit kit dubbed Disdain that is offered for rent on underground hacking forums by a malware developer using the pseudonym of Cehceny.

https://twitter.com/CryptoInsane/status/895151680861253632

The Disdain exploit kit is available for rent on a daily, weekly, or monthly basis for prices of $80, $500, and $1,400 respectively.

Disdain exploit kit

After the Angler EK and Nuclear EK disappeared from the threat landscape, the Sundown EK conquered the criminal underground.

With the Sundown EK has been inactive since early this year, the Terror EK is being very popular in the cybercriminal ecosystem. The Disdain exploit kit appears very cheap compared to other exploit kits such as Nebula EK, that goes for rent on a daily, weekly, or monthly basis for prices of $100, $600, and $2,000 respectively.

According to security experts at Intsights that found an ad of the Disdain exploit kit on a Russian-speaking forum, its main features are:

  • Domain Rotator
  • RSA Key exchange for Exploits
  • Panel server is untraceable from Payload server
  • Geolocation available
  • Browser & IP tracking
  • Scan domain

When users visit a website hosting the Disdain exploit kit, it gathers info on the specific browser used by the visitor and attempts to use one of the exploits to deliver a malware on the victim’s machine.

Even is the Disdain exploit kit includes a limited number of exploits because it is very young, most of them are newer exploits. Below is the full list of exploits advertise by the author Cehceny:

CVE-2017-5375 – FF
CVE-2017-3823 – Extension (Cisco Web Ex)
CVE-2017-0037 – IE a
CVE-2016-9078 – FF
CVE-2016-7200 – EDGE + IE a
CVE-2016-4117 – FLASH
CVE-2016-1019 – FLASH
CVE-2016-0189 – IE
CVE-2015-5119 – FLASH
CVE-2015-2419 – IE
CVE-2014-8636 – FF
CVE-2014-6332 – IE
CVE-2014-1510 – FF
CVE-2013-2551 – IE
CVE-2013-1710 – FF

Disdain exploit kit

According to the experts at Bleepingcomputer, currently, there is no malvertising campaign or botnet leveraging the Disdain exploit kit because Cehceny is considered a scammer on at least one major underground hacking forum.

“The Disdain ad was first spotted last week. Currently, there is no malvertising campaign or botnet redirecting traffic to any Disdain “landing page,” according to a security researcher who spoke with Bleeping Computer about Disdain but did not want to reveal his name.” wrote Catalin Cimpanu.

“One reason why we haven’t seen any active campaign might be that Disdain’s author — Cehceny — is currently banned and marked as a “ripper” (scammer) on at least one major underground hacking forum.”

Looking at exploit kit market we are assisting to a rapid decline due to the difficulty of finding exploitable flaws in modern browsers.

Currently, most popular exploit kits are RIG, Rig-V, Terror, Magnitude, Kaixin, and Nebula.

Stay tuned!

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Disdain exploit kit, malware)

[adrotate banner=”13″]



you might also like

leave a comment