Angler EK exploits recently patched IE bug to deliver ransomware
If they haven’t already, Internet Explorer users would do well to implement the security update provided by Microsoft last month, as among the fixed vulnerabilities is one that is currently being exploited via the popular commercial Angler exploit kit.
The existence of the vulnerability in question (CVE-2015-2419) was discovered when the attackers who breached Hacking Team leaked the stolen data.
An email in the leaked trove showed that an external researcher attempted to sell a proof-of-concept exploit for the bug to the company. Details in the email allowed Vectra researchers to find the bug and analyze it.
FireEye researchers were the ones who sounded the alarm about the exploit being added to Angler, along with a new obfuscation technique for it.
“The landing page fetches a stub of keys and data necessary to run the exploit from the server each time it executes. The stub of information is only sent to victims that broadcast vulnerable browsers, and is protected with XTEA over a homebrew Diffie-Hellman,” they explained.
At the moment, Angler exploit kit is using the IE exploit to fling Cryptowall ransomware at unsuspecting victims. It can do so successfully because the vulnerability allows the attacker to gain the same user rights as the current user.
“If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft explained.
FireEye researchers’ findings have been confirmed by malware researcher Kafeine.
“The exploitation of CVE-2015-2419 marks the second departure from Flash exploits for Angler (the first being the inclusion of CVE-2015-1671 in Silverlight),” the researchers commented. “This may be the result of Adobe’s recent exploit mitigations in Flash Player that prevent attackers from using Vector (and similar) objects to develop their control over corrupted Flash processes.”