Recently Patched Internet Explorer Flaw Added to Angler Exploit Kit

The developers of the Angler exploit kit have added support for a recently patched Internet Explorer vulnerability.

The Jscript9 memory corruption vulnerability (CVE-2015-2419) affecting Internet Explorer 11 was identified by researchers at Vectra Networks in July while analyzing the files leaked as a result of the data breach suffered by Italian surveillance software maker Hacking Team. The flaw was identified by Vectra experts based on an email in which someone offered to sell the exploit to Hacking Team.

Microsoft patched the flaw in July with the company’s monthly security updates.

FireEye has seen the new Internet Explorer exploit being used to deliver Cryptowall ransomware. The France-based security expert known as Kafeine says the exploit has also been used to download Bedep malware. In the attack spotted by Kafeine, Bedep downloads the Pony stealer and the TeslaCrypt ransomware, and conducts ad fraud.

The exploits used by Angler are usually quickly picked up by other exploit kits, such as Magnitude, Neutrino and Nuclear Pack. Kafeine told SecurityWeek that so far he hasn’t seen the Internet Explorer exploit in other kits.

According to FireEye, Angler has added new obfuscation mechanisms to protect the delivery of the IE exploit.

“Angler’s landing page is obfuscated in a mix of HTML and Javascript (JS). Underneath the first layer of obfuscation, the landing page profiles the environment, selects exploits to launch, and launches the exploits. The IE exploit is further obfuscated, and uses a key sharing (Diffie-Hellman (D-H)) cryptosystem to tailor each attack to an individual victim’s machine. The crypto implementation uses library code from at least jsbn.js (BigInteger implementation in JavaScript), and bears similarities to cryptico.js,” researchers noted in a blog post.

The authors of the Angler exploit kit are highly efficient when it comes to adding support for recently patched and even zero-day vulnerabilities.

Starting with the second half of 2014, Angler developers have been focusing on Adobe Flash Player exploits. In January, researchers discovered a Flash zero-day while analyzing an instance of the Angler exploit kit. Last month, the cybercriminals managed to abuse the Hacking Team Flash Player exploits before Adobe could release an emergency patch.

However, experts noticed recently that the Angler authors have also started leveraging vulnerabilities in other products. Kafeine discovered in July that a TrueType font parsing flaw (CVE-2015-1671) patched by Microsoft in May had been exploited to target vulnerable Silverlight installations.

“The exploitation of CVE-2015-2419 marks the second departure from Flash exploits for Angler (the first being the inclusion of CVE-2015-1671 in Silverlight). This may be the result of Adobe’s recent exploit mitigations in Flash Player that prevent attackers from using Vector (and similar) objects to develop their control over corrupted Flash processes,” FireEye said.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
