Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Internet Explorer Exploit Added to Angler Kit: FireEye

Hackers have modified an exploit for a vulnerability in Internet Explorer fixed last October and added it to a notorious exploit kit.

Hackers have modified an exploit for a vulnerability in Internet Explorer fixed last October and added it to a notorious exploit kit.

The vulnerability is a use-after-free issue patched in MS14-056, which fixed a total of 14 IE bugs altogether. According to FireEye Staff Research Scientist Dan Caselden, the exploit has been added to the Angler exploit kit. Angler is often associated with exploits for Internet Explorer, Adobe Flash Player and Microsoft Silverlight.

“The Angler Exploit Kit (EK) recently implemented a modified version of k33nteam’s exploit targeting the same patched vulnerability,” Caselden blogged. “This is interesting because it is the first instance we’ve seen of an attack in the wild targeting IE deployments that are using Microsoft’s new MEMPROTECT mitigations. It shows that exploit authors are still interested in attacking IE.”

MEMPROTECT (Memory Protector) was introduced by Microsoft in July to make it difficult for hackers to execute use-after-free attacks. While the mitigations are not unbeatable, they increased the difficulty for exploit authors developing new IE exploits as evidenced by the absence of new IE exploits discovered in the wild, Caselden blogged.

In his blog post, Caselden compared the k33nteam exploit to the one in the kit.

“Thankfully, the exploitation technique does not include a generic bypass for MEMPROTECT,” he added. “The vulnerability is a UAF (use-after-free) with MSHTML!CTitleElement that MEMPROTECT was not designed to mitigate. As a result, some of the employed techniques (particularly the modified garbage collection routine) were not necessary. So, in the future, exploit authors will need to find a reliable way around the delayed free, or bugs with another object that falls outside of the CMemoryProtector’s domain.”

Recently, researchers at Websense named Angler as possibly the most sophisticated exploit kit used by cybercriminals today, utilizing a number of techniques to defeat detection, such as encrypted payloads and the ability to detect antivirus and virtualization software.

“It has pioneered solutions that other exploit kits started using later, such as antivirus detection and encrypted dropper files,” according to Websense Security Researcher Abel Toro. “In addition, Angler tends to be the quickest to integrate the latest zero days, such as the Adobe Flash zero day (CVE-2015-0311) from a few weeks ago, and it employs a notably unique obfuscation. Finally, Angler runs the dropped malware from memory, without ever having to write to the hard drive; this unique technique among exploit kits makes it extremely difficult for traditional antivirus technologies to detect it as they rely on scanning the file system.”

*This article was updated to identify Abel Toro.

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.