Recently Patched Internet Explorer Flaw Added to Angler Exploit Kit

The developers of the Angler exploit kit have added support for a recently patched Internet Explorer vulnerability.

The Jscript9 memory corruption vulnerability (CVE-2015-2419) affecting Internet Explorer 11 was identified by researchers at Vectra Networks in July while analyzing the files leaked as a result of the data breach suffered by Italian surveillance software maker Hacking Team. The flaw was identified by Vectra experts based on an email in which someone offered to sell the exploit to Hacking Team.

Microsoft patched the flaw in July with the company’s monthly security updates.

FireEye has seen the new Internet Explorer exploit being used to deliver Cryptowall ransomware. The France-based security expert known as Kafeine says the exploit has also been used to download Bedep malware. In the attack spotted by Kafeine, Bedep downloads the Pony stealer and the TeslaCrypt ransomware, and conducts ad fraud.

The exploits used by Angler are usually quickly picked up by other exploit kits, such as Magnitude, Neutrino and Nuclear Pack. Kafeine told SecurityWeek that so far he hasn’t seen the Internet Explorer exploit in other kits.

According to FireEye, Angler has added new obfuscation mechanisms to protect the delivery of the IE exploit.

“Angler’s landing page is obfuscated in a mix of HTML and Javascript (JS). Underneath the first layer of obfuscation, the landing page profiles the environment, selects exploits to launch, and launches the exploits. The IE exploit is further obfuscated, and uses a key sharing (Diffie-Hellman (D-H)) cryptosystem to tailor each attack to an individual victim’s machine. The crypto implementation uses library code from at least jsbn.js (BigInteger implementation in JavaScript), and bears similarities to cryptico.js,” researchers noted in a blog post.
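As an added illustration (not code from the article, from Angler, or from FireEye) of why the D-H step matters to defenders: the exploit server and the victim's browser each derive the same key from the public values they exchange, while a sensor that only records the traffic sees nothing but those public values. The 64-bit toy group, the fixed exponents and the party names are constructed for readability; jsbn.js would do the same arithmetic at a realistic key size.

```javascript
// Square-and-multiply modular exponentiation on BigInt.
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Toy group: the 64-bit prime 2^64 - 59 with generator 2. Far too small for
// real use; chosen only so the numbers stay readable (constructed parameters).
const P = 18446744073709551557n;
const G = 2n;

// One party's key pair: private exponent x and public value g^x mod p.
function keyPair(privateExponent) {
  return { priv: privateExponent, pub: modPow(G, privateExponent, P) };
}

// Shared secret = (peer's public value)^(my private exponent) mod p.
function sharedSecret(myPriv, peerPub) {
  return modPow(peerPub, myPriv, P);
}

// Simulate one landing-page exchange. The fixed exponents stand in for the
// random values each side would draw at run time (constructed sample inputs).
function simulateExchange() {
  const server = keyPair(0x5f2a9c7e31d4b806n); // exploit-server side
  const victim = keyPair(0x9d4e6b1f8c0a3275n); // generated in the victim's browser
  // All a passive network sensor can record: the two public values.
  const onTheWire = { serverPub: server.pub, victimPub: victim.pub };
  const serverKey = sharedSecret(server.priv, victim.pub);
  const victimKey = sharedSecret(victim.priv, server.pub);
  // The victim-side private exponent never crosses the wire; an analyst who
  // recovers it from the browser (e.g. by instrumenting the script) can rebuild
  // the key from the capture, but the capture alone does not contain it.
  const analystKey = sharedSecret(victim.priv, onTheWire.serverPub);
  return { onTheWire, serverKey, victimKey, analystKey };
}
```

The practical consequence is that detection of the exploit stage has to happen where the key lives, in the browser, or on the unencrypted outer layer of the landing page, not by decrypting a packet capture after the fact.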

The authors of the Angler exploit kit are highly efficient when it comes to adding support for recently patched and even zero-day vulnerabilities.

Starting with the second half of 2014, Angler developers have been focusing on Adobe Flash Player exploits. In January, researchers discovered a Flash zero-day while analyzing an instance of the Angler exploit kit. Last month, the cybercriminals managed to abuse the Hacking Team Flash Player exploits before Adobe could release an emergency patch.

However, experts noticed recently that the Angler authors have also started leveraging vulnerabilities in other products. Kafeine discovered in July that a TrueType font parsing flaw (CVE-2015-1671) patched by Microsoft in May had been exploited to target vulnerable Silverlight installations.

“The exploitation of CVE-2015-2419 marks the second departure from Flash exploits for Angler (the first being the inclusion of CVE-2015-1671 in Silverlight). This may be the result of Adobe’s recent exploit mitigations in Flash Player that prevent attackers from using Vector (and similar) objects to develop their control over corrupted Flash processes,” FireEye said.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
