Russian malware scum post new rent-an-exploit

Unpatched browser, plug-in bugs targeted by and with 'Disdain' kit

WebEx on Firefox is among the targets of a new exploit kit that's started circulating on Russian nastyware exchanges.

The Disdain-based exploit kit is described by security services outfit IntSights, which says it is offered by someone using the handle "Cehceny".

David Montenegro (@CryptoInsane) says Disdain is a copy-paste of the open source BEPS exploit kit.

IntSights says the kit includes:

  • A domain rotator, to make the C&C harder to block;
  • Support for exploits to exchange RSA keys;
  • A C&C panel server that can't be traced from the payload server; and
  • IP geolocation, browser and IP tracking, and domain scanning.

Disdain is rented on a daily, weekly, or monthly basis at US$80, $500, and $1,400 respectively. Victims who hit the exploit are scanned, and the kit tries to attack a number of known vulnerabilities dating from 2013 to this year.

That's where the Cisco WebEx plug-in comes in: CVE-2017-3823, which landed in January this year, is an API error that exposes an unpatched user to remote code execution.

The other 14 CVEs the kit tests for are browser bugs (Internet Explorer, Firefox and Edge) and three Flash bugs. They are listed below.

| CVE | Target |
|---|---|
| CVE-2017-5375 | Firefox |
| CVE-2017-0037 | Internet Explorer |
| CVE-2016-9078 | Firefox |
| CVE-2016-7200 | Edge and Internet Explorer |
| CVE-2016-4117 | Flash |
| CVE-2016-1019 | Flash |
| CVE-2016-0189 | Internet Explorer |
| CVE-2015-5119 | Flash |
| CVE-2015-2419 | Internet Explorer |
| CVE-2014-8636 | Firefox |
| CVE-2014-6332 | Internet Explorer |
| CVE-2014-1510 | Firefox |
| CVE-2013-2551 | Internet Explorer |
| CVE-2013-1710 | Firefox |

All vectors have patches available. ®

