Hackers have modified an exploit for a vulnerability in Internet Explorer fixed last October and added it to a notorious exploit kit.
The vulnerability is a use-after-free issue patched in MS14-056, which fixed a total of 14 IE bugs altogether. According to FireEye Staff Research Scientist Dan Caselden, the exploit has been added to the Angler exploit kit. Angler is often associated with exploits for Internet Explorer, Adobe Flash Player and Microsoft Silverlight.
“The Angler Exploit Kit (EK) recently implemented a modified version of k33nteam’s exploit targeting the same patched vulnerability,” Caselden blogged. “This is interesting because it is the first instance we’ve seen of an attack in the wild targeting IE deployments that are using Microsoft’s new MEMPROTECT mitigations. It shows that exploit authors are still interested in attacking IE.”
MEMPROTECT (Memory Protector) was introduced by Microsoft in July to make it difficult for hackers to execute use-after-free attacks. While the mitigations are not unbeatable, they increased the difficulty for exploit authors developing new IE exploits as evidenced by the absence of new IE exploits discovered in the wild, Caselden blogged.
“Thankfully, the exploitation technique does not include a generic bypass for MEMPROTECT,” he added. “The vulnerability is a UAF (use-after-free) with MSHTML!CTitleElement that MEMPROTECT was not designed to mitigate. As a result, some of the employed techniques (particularly the modified garbage collection routine) were not necessary. So, in the future, exploit authors will need to find a reliable way around the delayed free, or bugs with another object that falls outside of the CMemoryProtector’s domain.”
Recently, researchers at Websense named Angler as possibly the most sophisticated exploit kit used by cybercriminals today, utilizing a number of techniques to defeat detection, such as encrypted payloads and the ability to detect antivirus and virtualization software.
“It has pioneered solutions that other exploit kits started using later, such as antivirus detection and encrypted dropper files,” according to Websense Security Researcher Abel Toro. “In addition, Angler tends to be the quickest to integrate the latest zero days, such as the Adobe Flash zero day (CVE-2015-0311) from a few weeks ago, and it employs a notably unique obfuscation. Finally, Angler runs the dropped malware from memory, without ever having to write to the hard drive; this unique technique among exploit kits makes it extremely difficult for traditional antivirus technologies to detect it as they rely on scanning the file system.”
*This article was updated to identify Abel Toro.