Malware

Watch out, Angler Exploit Kit is able to bypass Microsoft EMET defense

Security experts from FireEye have observed attacks leveraging on Angler EK to deliver exploits capable of evading the Microsoft EMET security Tool.

Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) is a free security tool designed by Microsoft to implement a supplemental security layer of defense against the exploitation of vulnerabilities affecting applications running on Windows Systems.

Over the time, security researchers have devised methods to bypass the EMET defense, and now according to experts from the FireEye firm a current version of the infamous Angler Exploit Kit is able to deliver Flash Player and Microsoft Silverlight exploits evading the security tool.

The exploits observed by FireEye leverage the routines built into the Flash Player plugin component Flash.ocx and the Silverlight component Coreclr.dll to invoke the VirtualProtect and VirtualAlloc memory management functions. In this way, the exploits are able to bypass both data execution prevention (DEP) mitigation the return address validation-based heuristics before executing shellcode.

“The ability of Angler EK to evade EMET mitigations and successfully exploit Flash and Silverlight is fairly sophisticated in our opinion. These exploits do not utilize the usual return oriented programming to evade DEP. Data Execution Prevention (DEP) is a mitigation developed to prevent the execution of code in certain parts of memory.” states the analysis published by FireEye. “The Angler EK uses exploits that do not utilize common return oriented programming (ROP) techniques to evade DEP. Instead, they use Flash.ocx and Coreclr.dll’s inbuilt routines to call VirtualProtect and VirtualAlloc, respectively, with PAGE_EXECUTE_READWRITE, thus evading DEP and evading return address validation-based heuristics.”

“The Flash exploit uses Flash.ocx’s routines to call VirtualProtect for DEP evasion before shellcode is executed”

“Since return address validation heuristics are evaded by utilizing these inbuilt functions from within ActionScript and Silverlight Engine, ROP checks by EMET’s DEP capability are not effective,” FireEye researchers explained

The researchers discovered that the Flash and Silverlight exploits used by a current version of the Angler Exploit Kit are able to bypass also the Address Table Filtering (EAF) and EAF+ mitigations implemented by the EMET to avoid attackers to understand in which portion of memory the code are loaded.

In the attacks observed by FireEye, crooks used this variant of the Angler Exploit Kit in order to bypass the EMET and deliver the TeslaCrypt ransomware. The attack works against Windows 7 running EMET 5.5, that is the latest version of the Microsoft security tool.

FireEye confirms that exploits kit are becoming even more sophisticated throughout the years, they are continuously improved to include code for the exploitation of zero-day flaws and to implement effective evasion techniques.

The experts suggest the adoption of a robust vulnerability management program in order to prevent attacks leveraging on such kind of threat. Keep your software up to date and adopt a proper security posture in your organization.

“Although there are no quick solutions for the DEP, EAF, and EAF+ evasion techniques, organizations can mitigate this threat through a robust vulnerability management program for end user systems, which includes the installation of security updates for third party software.” closes FireEye.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – EMET, Angler Exploit Kit)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

11 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

15 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

21 hours ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

24 hours ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

TheMoon bot infected 40,000 devices in January and February

A new variant of TheMoon malware infected thousands of outdated small office and home office…

2 days ago

This website uses cookies.