Watch out, Angler Exploit Kit is able to bypass Microsoft EMET defense

Security experts from FireEye have observed attacks leveraging on Angler EK to deliver exploits capable of evading the Microsoft EMET security Tool.

Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) is a free security tool designed by Microsoft to implement a supplemental security layer of defense against the exploitation of vulnerabilities affecting applications running on Windows Systems.

Over the time, security researchers have devised methods to bypass the EMET defense, and now according to experts from the FireEye firm a current version of the infamous Angler Exploit Kit is able to deliver Flash Player and Microsoft Silverlight exploits evading the security tool.

The exploits observed by FireEye leverage the routines built into the Flash Player plugin component Flash.ocx and the Silverlight component Coreclr.dll to invoke the VirtualProtect and VirtualAlloc memory management functions. In this way, the exploits are able to bypass both data execution prevention (DEP) mitigation the return address validation-based heuristics before executing shellcode.

“The ability of Angler EK to evade EMET mitigations and successfully exploit Flash and Silverlight is fairly sophisticated in our opinion. These exploits do not utilize the usual return oriented programming to evade DEP. Data Execution Prevention (DEP) is a mitigation developed to prevent the execution of code in certain parts of memory.” states the analysis published by FireEye. “The Angler EK uses exploits that do not utilize common return oriented programming (ROP) techniques to evade DEP. Instead, they use Flash.ocx and Coreclr.dll’s inbuilt routines to call VirtualProtect and VirtualAlloc, respectively, with PAGE_EXECUTE_READWRITE, thus evading DEP and evading return address validation-based heuristics.”

“The Flash exploit uses Flash.ocx’s routines to call VirtualProtect for DEP evasion before shellcode is executed”

“Since return address validation heuristics are evaded by utilizing these inbuilt functions from within ActionScript and Silverlight Engine, ROP checks by EMET’s DEP capability are not effective,” FireEye researchers explained. 

The researchers discovered that the Flash and Silverlight exploits used by a current version of the Angler Exploit Kit are able to bypass also the Address Table Filtering (EAF) and EAF+ mitigations implemented by the EMET to avoid attackers to understand in which portion of memory the code are loaded.

In the attacks observed by FireEye, crooks used this variant of the Angler Exploit Kit in order to bypass the EMET and deliver the TeslaCrypt ransomware. The attack works against Windows 7 running EMET 5.5, that is the latest version of the Microsoft security tool.

FireEye confirms that exploits kit are becoming even more sophisticated throughout the years, they are continuously improved to include code for the exploitation of zero-day flaws and to implement effective evasion techniques.

The experts suggest the adoption of a robust vulnerability management program in order to prevent attacks leveraging on such kind of threat. Keep your software up to date and adopt a proper security posture in your organization.

“Although there are no quick solutions for the DEP, EAF, and EAF+ evasion techniques, organizations can mitigate this threat through a robust vulnerability management program for end user systems, which includes the installation of security updates for third party software.” closes FireEye.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – EMET, Angler Exploit Kit)

[adrotate banner=”5″]

[adrotate banner=”13″]