New Microsoft Silverlight and Adobe Flash exploits that bypass Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) have found their way into an updated version of the Angler Exploit Kit.
EMET is a free Microsoft toolkit for Windows that retrofits exploit mitigations, among them DEP enforcement, anti-ROP checks and export-table filtering, onto applications that do not opt into them on their own. The exploits, discovered by security firm FireEye, affect only Windows 7 machines, still used by 49 percent of Windows users.
“The ability of Angler EK to evade EMET mitigations and successfully exploit Flash and Silverlight is fairly sophisticated in our opinion,” wrote FireEye researchers on Monday in a blog explaining their discovery. Rather than stringing together the return-oriented programming (ROP) gadgets that typical DEP bypasses use, and that EMET’s ROP checks are built to catch, these exploits lean on the plugins’ own code to defeat Data Execution Prevention (DEP), the mitigation that refuses to run code from memory pages, such as the heap and the stack, that are not marked executable.
According to FireEye researchers, the Angler authors use “Flash.ocx and Coreclr.dll’s inbuilt routines to call VirtualProtect and VirtualAlloc, respectively, with PAGE_EXECUTE_READWRITE, thus evading DEP and evading return address validation-based heuristics.” In plainer terms, the exploit never returns into VirtualProtect or VirtualAlloc from a chain of gadgets. It calls routines inside Flash.ocx and Coreclr.dll that legitimately make those API calls, passing attacker-chosen arguments, so the pages holding the shellcode end up readable, writable and executable. EMET’s check on where the API call came from sees a genuine call site inside a legitimate module and lets it through.
“The Silverlight exploit uses coreclr.dll’s routines to evade DEP before shellcode is executed… The Flash exploit uses Flash.ocx’s routines to call VirtualProtect for DEP evasion before shellcode is executed,” the researchers wrote.
This gives the attacker full control over the shellcode, which can then execute nearly anything without EMET stopping it, the researchers said.
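As an added illustration, and not code from FireEye’s analysis or from the exploit kit itself, the following toy model in C shows the return-address heuristic at stake: a hooked VirtualProtect that refuses callers whose return address is not preceded by a CALL instruction, a ROP-style return that trips the check, and a call routed through a module’s own wrapper that does not. The module image, its byte layout and every address and constant in it (MODULE_BASE, the offsets, the PAGE_* values) are constructed for the example.

```c
/* Added example (not FireEye's analysis code or Angler's exploit): a toy
 * model of EMET's return-address ("Caller") check on a hooked VirtualProtect.
 * It shows why a ROP chain that returns straight into the API is refused,
 * while a call routed through the module's own, legitimate wrapper is not.
 * The module image, its byte layout and all addresses are constructed. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAGE_READWRITE         0x04u
#define PAGE_EXECUTE_READWRITE 0x40u

#define MODULE_BASE 0x10000000u   /* constructed base of a "Flash.ocx"-like module */
#define MODULE_SIZE 0x1000u

enum {
    OFF_WRAPPER_CALL = 0x100,                /* E8 rel32: the wrapper's real CALL */
    OFF_WRAPPER_RET  = OFF_WRAPPER_CALL + 5, /* instruction right after that call */
    OFF_GADGET       = 0x200                 /* C3: a 'ret' gadget; no CALL before it */
};

static uint8_t module_image[MODULE_SIZE];
static int module_built;

/* Lay out the constructed module: NOP filler, one call site, one gadget. */
static void ensure_module(void)
{
    if (module_built) return;
    memset(module_image, 0x90, sizeof module_image);
    module_image[OFF_WRAPPER_CALL] = 0xE8;   /* call rel32 (operand left as zeros) */
    module_image[OFF_GADGET] = 0xC3;         /* ret */
    module_built = 1;
}

/* Caller-check heuristic: do the bytes just before the return address decode
 * to a CALL? A ROP chain reaches the API through RET, so its "return
 * address" is the next gadget, which is normally not preceded by a CALL. */
static int preceded_by_call(uint32_t ret_addr)
{
    ensure_module();
    if (ret_addr < MODULE_BASE + 6 || ret_addr >= MODULE_BASE + MODULE_SIZE)
        return 0;                            /* not inside a known module */
    uint32_t off = ret_addr - MODULE_BASE;
    const uint8_t *p = module_image;
    if (p[off - 5] == 0xE8) return 1;                                /* call rel32    */
    if (p[off - 6] == 0xFF && p[off - 5] == 0x15) return 1;          /* call [disp32] */
    if (p[off - 2] == 0xFF && (p[off - 1] & 0xF8) == 0xD0) return 1; /* call r32      */
    return 0;
}

/* Model of the hook EMET places on VirtualProtect. Returns 1 if allowed. */
static int hooked_virtual_protect(uint32_t ret_addr, uint32_t new_protect,
                                  uint32_t *page_protect)
{
    if (!preceded_by_call(ret_addr))
        return 0;                 /* blocked: call did not come from a CALL site */
    *page_protect = new_protect;  /* allowed: the protection actually changes */
    return 1;
}

/* Path 1: a conventional ROP chain returns into VirtualProtect; the stack
 * slot acting as the return address holds the next gadget's address. */
static int rop_path(uint32_t *page_protect)
{
    return hooked_virtual_protect(MODULE_BASE + OFF_GADGET,
                                  PAGE_EXECUTE_READWRITE, page_protect);
}

/* Path 2: the exploit invokes the module's own routine with attacker-chosen
 * arguments; that routine performs a genuine CALL, so the return address
 * sits right after an E8 byte and the heuristic has nothing to object to. */
static int wrapper_path(uint32_t *page_protect)
{
    return hooked_virtual_protect(MODULE_BASE + OFF_WRAPPER_RET,
                                  PAGE_EXECUTE_READWRITE, page_protect);
}

int main(void)
{
    uint32_t prot = PAGE_READWRITE;
    printf("ROP path:     %s (protection now 0x%02x)\n",
           rop_path(&prot) ? "allowed" : "blocked", prot);
    printf("wrapper path: %s (protection now 0x%02x)\n",
           wrapper_path(&prot) ? "allowed" : "blocked", prot);
    return 0;
}
```

The point of the model is the second path: the return address is a perfectly ordinary one, so any check that only validates the return address has nothing to flag. Real EMET layers further heuristics (stack-pivot detection, forward execution simulation) on top of this one, but none of them helps when the caller is the module’s own code running with the attacker’s arguments.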
“The level of sophistication in exploit kits has increased significantly throughout the years. Where obfuscation and new zero days were once the only additions in the development cycle, evasive code has now been observed being embedded into the framework and shellcode,” wrote researchers.
In the case of Silverlight, the attackers pull this off by evading Export Address Table Filtering (EAF) and EAF+, which block shellcode from reading the export tables of system modules such as kernel32.dll and ntdll.dll, the usual way position-independent shellcode finds the addresses of the API functions it needs. Once those filters have been sidestepped, “EMET has no validation on API calls with regard to where they are coming from, thus resulting in the successful execution of the malicious program,” FireEye wrote.
Similarly with Adobe Flash, according to FireEye, Angler evades Export Address Table Filtering: the Flash exploit locates the routines it needs by a route that does not touch the export tables EAF watches. This multistage chain of circumventions defeats DEP, gives the exploit a foothold on the targeted system and hands control to the attacker’s shellcode.
In one Angler EK sample, FireEye observed a fileless infection in which the shellcode writes nothing to disk and launches no separate program; instead it changes the “protection constant of kernel32!ExitProcess to RWX for 5 bytes, then overwrites it with an inline jump to ntdll!RtlExitUserThread.” Any code path that tries to terminate the process, including the one taken when a tab or the browser window is closed, then ends only the calling thread. The results can be extremely dangerous, said FireEye. “This ensures the process stays alive even after closing the tab or closing the Internet Explorer window. In either of above cases, the attacker has full control over shellcode and it can pretty much execute anything it wants without EMET doing anything,” FireEye wrote.
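The arithmetic behind that patch, as an added example rather than Angler’s shellcode or FireEye’s code: computing the page range that “RWX for 5 bytes” really touches, since VirtualProtect works on whole pages, and encoding and decoding the 5-byte jmp rel32 that redirects ExitProcess. The kernel32 and ntdll addresses, the page size and the byte buffer standing in for the mapped image are constructed; real module layouts vary by build.

```c
/* Added example (not Angler's shellcode or FireEye's code): the arithmetic
 * behind "make 5 bytes of kernel32!ExitProcess RWX, then overwrite them with
 * an inline jmp to ntdll!RtlExitUserThread", modelled over a byte buffer
 * instead of a live process. All addresses and the page size are constructed. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE     0x1000u
#define JMP_REL32_LEN 5u                  /* E9 rel32 */

/* Constructed addresses; real kernel32/ntdll layouts differ per build. */
#define K32_BASE             0x76F10000u
#define EXITPROCESS_RVA      0x00017A10u
#define RTL_EXIT_USER_THREAD 0x77A2E2F0u

static uint8_t k32_image[0x20000];        /* stands in for kernel32's mapped pages */

/* VirtualProtect works on whole pages: return the page-aligned range that
 * covers 'len' bytes at 'addr'. A 5-byte patch can straddle two pages. */
static void protect_range(uint32_t addr, uint32_t len,
                          uint32_t *start, uint32_t *size)
{
    *start = addr & ~(PAGE_SIZE - 1);
    uint32_t end = (addr + len + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
    *size = end - *start;
}

/* Encode 'jmp rel32' at 'from' landing on 'to'. The displacement is taken
 * from the end of the 5-byte instruction. Returns 0 when the target is not
 * reachable with a 32-bit displacement (impossible for 32-bit addresses,
 * but the check matters in a 64-bit process). */
static int encode_jmp_rel32(uint64_t from, uint64_t to, uint8_t out[5])
{
    int64_t disp = (int64_t)to - (int64_t)(from + JMP_REL32_LEN);
    if (disp < INT32_MIN || disp > INT32_MAX) return 0;
    uint32_t rel = (uint32_t)(int32_t)disp;
    out[0] = 0xE9;
    out[1] = (uint8_t)(rel & 0xFF);          /* little-endian rel32 */
    out[2] = (uint8_t)((rel >> 8) & 0xFF);
    out[3] = (uint8_t)((rel >> 16) & 0xFF);
    out[4] = (uint8_t)((rel >> 24) & 0xFF);
    return 1;
}

/* Decode a jmp rel32 found at 'from' and return where it lands. */
static uint64_t decode_jmp_target(uint64_t from, const uint8_t in[5])
{
    uint32_t rel = (uint32_t)in[1] | ((uint32_t)in[2] << 8)
                 | ((uint32_t)in[3] << 16) | ((uint32_t)in[4] << 24);
    return (uint64_t)((int64_t)(from + JMP_REL32_LEN) + (int32_t)rel);
}

/* Perform the patch the way the sample is described to: work out the range
 * to make RWX, encode the jump, write it over the function's first bytes.
 * Returns the decoded target so the result can be verified, or 0 on failure. */
static uint64_t patch_exitprocess(uint32_t *rwx_start, uint32_t *rwx_size)
{
    uint32_t addr = K32_BASE + EXITPROCESS_RVA;
    uint8_t patch[5];
    protect_range(addr, JMP_REL32_LEN, rwx_start, rwx_size);
    if (!encode_jmp_rel32(addr, RTL_EXIT_USER_THREAD, patch)) return 0;
    memcpy(k32_image + EXITPROCESS_RVA, patch, JMP_REL32_LEN);
    return decode_jmp_target(addr, k32_image + EXITPROCESS_RVA);
}

int main(void)
{
    uint32_t start, size;
    uint64_t target = patch_exitprocess(&start, &size);
    printf("ExitProcess at 0x%08x -> jmp 0x%08llx\n",
           K32_BASE + EXITPROCESS_RVA, (unsigned long long)target);
    printf("protection actually changed: 0x%08x, 0x%x bytes (not 5)\n", start, size);
    return 0;
}
```

Two practical consequences fall out of the code. The “5 bytes” is a request, not what happens: the whole page holding ExitProcess (two pages when the patch straddles a boundary) becomes RWX, and a page in kernel32’s code section with that protection is a clean artifact for memory-scanning detection. The displacement is signed and measured from the end of the instruction, so a patch that jumps backwards, or a target more than 2 GB away in a 64-bit process, has to be handled rather than assumed.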
According to FireEye, payloads successfully delivered via Angler include TeslaCrypt, the ransomware that last month became much less of a threat when its master decryption key was publicly released. It is unclear what other payloads might be delivered via the Angler EK besides TeslaCrypt.