Angler exploit kit bypassing EMET, delivers TeslaCrypt

Exploits in the kit are sidestepping ROP, as well as EAF / EAF+

microsoft logo
Credit: Reuters/Pichi Chuang

Researchers at FireEye have discovered exploits targeting Flash and Silverlight in the Angler exploit kit, which are bypassing Microsoft's system hardening Enhanced Mitigation Experience Toolkit (EMET).

At present, the bypasses have only been confirmed on Windows 7, but the fear is that they could be adopted for the rest of the popular market in short order.

EMET is Microsoft's answer to as attacks that rely on Address Space Layout Randomization (ASLR) or Return Oriented Programming (ROP) bypasses in order to function.

In fact, EMET stops many exploit kit attempts that have been observed in the wild, which is why it's highly recommended as part of a layered defense plan.

Researchers have discovered vulnerabilities in the past that allowed them to bypass EMET defenses, but this is the first time such measures have been used by an exploit kit, FireEye says.

Angler is using exploits for Adobe Flash and Microsoft's Silverlight to bypass EMET, but they're not using ROP to evade data execution checks as observed in the past. Instead, the exploits are using Flash.ocx and Coreclr.dll's inbound routines to call VirtualProtect and VirtualAlloc.

Doing so enables Angler to evade data execution mitigations in EMET and return address validation-based heuristics.

In addition to bypassing ROP and data execution defenses, Angler is also bypassing Export Address Table Filtering (EAF) and EAF+. Successful attacks will result in TeslaCrypt being delivered.

"The Angler Exploit Kit is already the preferred weapon of hackers to deliver their malware," Michael Gorelik, VP of R&D at Morphisec, in a statement sent to Salted Hash.

"We predict that with this vulnerability, the prominence of Angler will further increase. This time the payload was TeslaCrypt Ransomware, but there is no limitation to what payload can be delivered."

Gorelik goes on to say that based on the details released by FireEye, it won't take long before these bypasses will work on Microsoft Windows 8, 8.1 and 10.

"Attackers choose the easier targets, but I foresee that the same web attacks with light modification will exist in more advanced OS's - and not only in browsers, but also in documents containing third party plug-ins like Flash soon."

Organizations have few options when it comes to this attack if they're on Windows 7. Removing ActiveX works, but Gorelik says it won't stop document-based attacks though Flash. Patching is the other major defense, but that's easier said than done, because enterprises have a hard time keeping Flash patched.

For those hit by TeslaCrypt, there is a decryption tool available. TeslaCrypt halted operations on development in May.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.