The developers of the Angler exploit kit have added support for a recently patched Internet Explorer vulnerability.
The Jscript9 memory corruption vulnerability (CVE-2015-2419) affecting Internet Explorer 11 was identified by researchers at Vectra Networks in July while analyzing the files leaked as a result of the data breach suffered by Italian surveillance software maker Hacking Team. The flaw was identified by Vectra experts based on an email in which someone offered to sell the exploit to Hacking Team.
Microsoft patched the flaw in July with the company’s monthly security updates.
FireEye has seen the new Internet Explorer exploit being used to deliver Cryptowall ransomware. The France-based security expert known as Kafeine says the exploit has also been used to download Bedep malware. In the attack spotted by Kafeine, Bedep downloads the Pony stealer and the TeslaCrypt ransomware, and conducts ad fraud.
The exploits used by Angler are usually quickly picked up by other exploit kits, such as Magnitude, Neutrino and Nuclear Pack. Kafeine told SecurityWeek that so far he hasn’t seen the Internet Explorer exploit in other kits.
According to FireEye, Angler has added a new obfuscation mechanisms to protect the delivery of the IE exploit.
“Angler’s landing page is obfuscated in a mix of HTML and Javascript (JS). Underneath the first layer of obfuscation, the landing page profiles the environment, selects exploits to launch, and launches the exploits. The IE exploit is further obfuscated, and uses a key sharing (Diffie-Hellman (D-H)) cryptosystem to tailor each attack to an individual victim’s machine. The crypto implementation uses library code from at least jsbn.js (BigInteger implementation in JavaScript), and bears similarities to cryptico.js,” researchers noted in a blog post.
The authors of the Angler exploit kit are highly efficient when it comes to adding support for recently patched and even zero-day vulnerabilities.
Starting with the second half of 2014, Angler developers have been focusing on Adobe Flash Player exploits. In January, researchers discovered a Flash zero-day while analyzing an instance of the Angler exploit kit. Last month, the cybercriminals managed to abuse the Hacking Team Flash Player exploits before Adobe could release an emergency patch.
However, experts noticed recently that the Angler authors have also started leveraging vulnerabilities in other products. Kafeine discovered in July that a TrueType font parsing flaw (CVE-2015-1671) patched by Microsoft in May had been exploited to target vulnerable Silverlight installations.
“The exploitation of CVE-2015-2419 marks the second departure from Flash exploits for Angler (the first being the inclusion of CVE-2015-1671 in Silverlight). This may be the result of Adobe’s recent exploit mitigations in Flash Player that prevent attackers from using Vector (and similar) objects to develop their control over corrupted Flash processes,” FireEye said.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- GoAnywhere MFT Users Warned of Zero-Day Exploit
- UK Car Retailer Arnold Clark Hit by Ransomware
- EV Charging Management System Vulnerabilities Allow Disruption, Energy Theft
- Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking
- Google Fi Data Breach Reportedly Led to SIM Swapping
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
Latest News
- Fraudulent “CryptoRom” Apps Slip Through Apple and Google App Store Review Process
- US Downs Chinese Balloon Off Carolina Coast
- Microsoft: Iran Unit Behind Charlie Hebdo Hack-and-Leak Op
- Feds Say Cyberattack Caused Suicide Helpline’s Outage
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
