Recently Patched Internet Explorer Flaw Added to Angler Exploit Kit

The developers of the Angler exploit kit have added support for a recently patched Internet Explorer vulnerability.

The Jscript9 memory corruption vulnerability (CVE-2015-2419) affecting Internet Explorer 11 was identified by researchers at Vectra Networks in July while analyzing the files leaked as a result of the data breach suffered by Italian surveillance software maker Hacking Team. The flaw was identified by Vectra experts based on an email in which someone offered to sell the exploit to Hacking Team.

Microsoft patched the flaw in July with the company’s monthly security updates.

FireEye has seen the new Internet Explorer exploit being used to deliver Cryptowall ransomware. The France-based security expert known as Kafeine says the exploit has also been used to download Bedep malware. In the attack spotted by Kafeine, Bedep downloads the Pony stealer and the TeslaCrypt ransomware, and conducts ad fraud.

The exploits used by Angler are usually quickly picked up by other exploit kits, such as Magnitude, Neutrino and Nuclear Pack. Kafeine told SecurityWeek that so far he hasn’t seen the Internet Explorer exploit in other kits.

According to FireEye, Angler has added a new obfuscation mechanisms to protect the delivery of the IE exploit.

“Angler’s landing page is obfuscated in a mix of HTML and Javascript (JS). Underneath the first layer of obfuscation, the landing page profiles the environment, selects exploits to launch, and launches the exploits. The IE exploit is further obfuscated, and uses a key sharing (Diffie-Hellman (D-H)) cryptosystem to tailor each attack to an individual victim’s machine. The crypto implementation uses library code from at least jsbn.js (BigInteger implementation in JavaScript), and bears similarities to cryptico.js,” researchers noted in a blog post.

The authors of the Angler exploit kit are highly efficient when it comes to adding support for recently patched and even zero-day vulnerabilities.

Starting with the second half of 2014, Angler developers have been focusing on Adobe Flash Player exploits. In January, researchers discovered a Flash zero-day while analyzing an instance of the Angler exploit kit. Last month, the cybercriminals managed to abuse the Hacking Team Flash Player exploits before Adobe could release an emergency patch.

However, experts noticed recently that the Angler authors have also started leveraging vulnerabilities in other products. Kafeine discovered in July that a TrueType font parsing flaw (CVE-2015-1671) patched by Microsoft in May had been exploited to target vulnerable Silverlight installations.

“The exploitation of CVE-2015-2419 marks the second departure from Flash exploits for Angler (the first being the inclusion of CVE-2015-1671 in Silverlight). This may be the result of Adobe’s recent exploit mitigations in Flash Player that prevent attackers from using Vector (and similar) objects to develop their control over corrupted Flash processes,” FireEye said.