Angler exploit kit starts wielding Silverlight exploits

“Silverlight exploits are the drive-by flavor of the month,” claim Cisco researchers. “Exploit Kit owners are adding Silverlight to their update releases, and since April 23rd we have observed substantial traffic (often from malvertising) being driven to Angler instances partially using Silverlight exploits.”

Vulnerabilities in Adobe Flash and Oracle Java have long been preferred targets of exploit kit developers, but as those two firms have been increasingly improving their patching efforts, the malware developers have realized that Silverlight users make also make good potential targets.

Silverlight, the framework for writing and running rich Internet applications that Microsoft created as an alternative to Adobe’s Flash, has not, so far, surpassed the latter when it comes to user numbers. Still, it has been used to provide video streaming for many high profile events and is currently used by popular video streaming service Netflix.

Cisco threat researcher Levi Gundert shared some details about a recent Angler campaign that was aimed at exploiting specifically Flash and Silverlight vulnerabilities.

It started, predictably, with malicious ads being served on several high profile (but currently unnamed) websites. The ads would redirect users through a series of websites, and finally land them on sites hosting the Angler EK (click on the screenshot to enlarge it):

The javascript served by the exploit kit would load a specially crafted, encrypted Silverlight file that would exploit a memory disclosure vulnerability in the public WritableBitmap class (CVE-2013-3896) and drop the malicious payload – in this case, a Trojan that connects to a remote host located in Brazil.

Exploit packs bring a lot of money to their owners, whether they are bought or simply rented by attackers. In the wake of the arrest of the creator of the infamous Blackhole exploit kit, other exploit kit makers are eager to keep the market share they have gained with Blackhole’s downfall.

They can be expected to diversify the exploits used, and add some for Silverlight vulnerabilities.

“Silverlight exploits are also ideal because Silverlight continues to gain rich Internet application market share, perhaps surpassing Java, and Microsoft’s life cycle schedule suggests Silverlight 5 will be supported through October, 2021,” noted Gundert.

Users cannot hope to avoid malicious ads forever, but they can keep themselves reasonably safe by always keeping their software updated.

Don't miss