Recently Patched Internet Explorer Flaw Added to Angler Exploit Kit

The developers of the Angler exploit kit have added support for a recently patched Internet Explorer vulnerability.

The Jscript9 memory corruption vulnerability (CVE-2015-2419) affecting Internet Explorer 11 was identified by researchers at Vectra Networks in July while analyzing the files leaked as a result of the data breach suffered by Italian surveillance software maker Hacking Team. The flaw was identified by Vectra experts based on an email in which someone offered to sell the exploit to Hacking Team.

Microsoft patched the flaw in July with the company’s monthly security updates.

FireEye has seen the new Internet Explorer exploit being used to deliver Cryptowall ransomware. The France-based security expert known as Kafeine says the exploit has also been used to download Bedep malware. In the attack spotted by Kafeine, Bedep downloads the Pony stealer and the TeslaCrypt ransomware, and conducts ad fraud.

The exploits used by Angler are usually quickly picked up by other exploit kits, such as Magnitude, Neutrino and Nuclear Pack. Kafeine told SecurityWeek that so far he hasn’t seen the Internet Explorer exploit in other kits.

According to FireEye, Angler has added new obfuscation mechanisms to protect the delivery of the IE exploit.

“Angler’s landing page is obfuscated in a mix of HTML and Javascript (JS). Underneath the first layer of obfuscation, the landing page profiles the environment, selects exploits to launch, and launches the exploits. The IE exploit is further obfuscated, and uses a key sharing (Diffie-Hellman (D-H)) cryptosystem to tailor each attack to an individual victim’s machine. The crypto implementation uses library code from at least jsbn.js (BigInteger implementation in JavaScript), and bears similarities to cryptico.js,” researchers noted in a blog post.

The authors of the Angler exploit kit are highly efficient when it comes to adding support for recently patched and even zero-day vulnerabilities.

Starting with the second half of 2014, Angler developers have been focusing on Adobe Flash Player exploits. In January, researchers discovered a Flash zero-day while analyzing an instance of the Angler exploit kit. Last month, the cybercriminals managed to abuse the Hacking Team Flash Player exploits before Adobe could release an emergency patch.

However, experts noticed recently that the Angler authors have also started leveraging vulnerabilities in other products. Kafeine discovered in July that a TrueType font parsing flaw (CVE-2015-1671) patched by Microsoft in May had been exploited to target vulnerable Silverlight installations.

“The exploitation of CVE-2015-2419 marks the second departure from Flash exploits for Angler (the first being the inclusion of CVE-2015-1671 in Silverlight). This may be the result of Adobe’s recent exploit mitigations in Flash Player that prevent attackers from using Vector (and similar) objects to develop their control over corrupted Flash processes,” FireEye said.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
