Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Internet Explorer Exploit Added to Angler Kit: FireEye

Hackers have modified an exploit for a vulnerability in Internet Explorer fixed last October and added it to a notorious exploit kit.

Hackers have modified an exploit for a vulnerability in Internet Explorer fixed last October and added it to a notorious exploit kit.

The vulnerability is a use-after-free issue patched in MS14-056, which fixed a total of 14 IE bugs altogether. According to FireEye Staff Research Scientist Dan Caselden, the exploit has been added to the Angler exploit kit. Angler is often associated with exploits for Internet Explorer, Adobe Flash Player and Microsoft Silverlight.

“The Angler Exploit Kit (EK) recently implemented a modified version of k33nteam’s exploit targeting the same patched vulnerability,” Caselden blogged. “This is interesting because it is the first instance we’ve seen of an attack in the wild targeting IE deployments that are using Microsoft’s new MEMPROTECT mitigations. It shows that exploit authors are still interested in attacking IE.”

MEMPROTECT (Memory Protector) was introduced by Microsoft in July to make it difficult for hackers to execute use-after-free attacks. While the mitigations are not unbeatable, they increased the difficulty for exploit authors developing new IE exploits as evidenced by the absence of new IE exploits discovered in the wild, Caselden blogged.

In his blog post, Caselden compared the k33nteam exploit to the one in the kit.

“Thankfully, the exploitation technique does not include a generic bypass for MEMPROTECT,” he added. “The vulnerability is a UAF (use-after-free) with MSHTML!CTitleElement that MEMPROTECT was not designed to mitigate. As a result, some of the employed techniques (particularly the modified garbage collection routine) were not necessary. So, in the future, exploit authors will need to find a reliable way around the delayed free, or bugs with another object that falls outside of the CMemoryProtector’s domain.”

Recently, researchers at Websense named Angler as possibly the most sophisticated exploit kit used by cybercriminals today, utilizing a number of techniques to defeat detection, such as encrypted payloads and the ability to detect antivirus and virtualization software.

“It has pioneered solutions that other exploit kits started using later, such as antivirus detection and encrypted dropper files,” according to Websense Security Researcher Abel Toro. “In addition, Angler tends to be the quickest to integrate the latest zero days, such as the Adobe Flash zero day (CVE-2015-0311) from a few weeks ago, and it employs a notably unique obfuscation. Finally, Angler runs the dropped malware from memory, without ever having to write to the hard drive; this unique technique among exploit kits makes it extremely difficult for traditional antivirus technologies to detect it as they rely on scanning the file system.”

*This article was updated to identify Abel Toro.

Advertisement. Scroll to continue reading.
Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Gigamon has promoted Tony Jarjoura to CFO and Ram Bhide has been hired as Senior VP of engineering.

Cloud security firm Mitiga has appointed Charlie Thomas as Chief Executive Officer.

Cynet announced the appointment of Jason Magee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.