Angler exploit kit bypasses EMET’s defenses

The infamous Angler exploit kit is now capable of bypassing the protections offered by Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), FireEye researchers have discovered.

EMET is a utility created to stop certain classes of exploits that take advantage of vulnerabilities in various software:

[Figure: EMET mitigations]

The latest version of the toolkit is 5.5, which is the only one that works on Windows 10. The previous version (5.2) works on Windows 8, 7, Vista, and several versions of Windows Server.

According to FireEye’s findings, the Angler EK leverages exploits for Adobe Flash and Microsoft Silverlight vulnerabilities that are capable of foiling EMET, but so far the tactic has only been spotted working on systems running Windows 7.

“These exploits do not utilize the usual return oriented programming (ROP) to evade Data Execution Prevention (DEP),” the researchers explained.

“Instead, they use Flash.ocx and Coreclr.dll’s inbuilt routines to call VirtualProtect and VirtualAlloc, respectively, with PAGE_EXECUTE_READWRITE, thus evading DEP and evading return address validation-based heuristics.”

The exploits are also able to evade EMET’s Export Address Table Filtering (EAF) and EAF+ mitigations.
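Memory made writable and executable through VirtualProtect or VirtualAlloc with PAGE_EXECUTE_READWRITE, as the researchers describe, stays visible to a memory scan of the process. The following is an added example, not code from FireEye or the original article: it filters region records shaped like the MEMORY_BASIC_INFORMATION fields that VirtualQueryEx returns. The `Region` tuple, the function names and the sample data are constructed for illustration; the numeric constants are the documented Windows values.

```python
from typing import NamedTuple

# Documented Windows constants (winnt.h).
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
MEM_PRIVATE, MEM_IMAGE = 0x20000, 0x1000000
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
PAGE_MODIFIERS = 0x700  # PAGE_GUARD | PAGE_NOCACHE | PAGE_WRITECOMBINE

class Region(NamedTuple):
    """Hypothetical record holding a subset of MEMORY_BASIC_INFORMATION."""
    base: int
    size: int
    state: int
    protect: int
    type: int

def is_writable_executable(protect: int) -> bool:
    """True when the base protection permits both write and execute."""
    base_protect = protect & ~PAGE_MODIFIERS  # ignore guard/cache modifiers
    return base_protect in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)

def find_rwx_regions(regions):
    """Return committed W+X regions, merging contiguous ones of the same type."""
    hits = []
    for r in sorted(regions, key=lambda x: x.base):
        if r.state != MEM_COMMIT or not is_writable_executable(r.protect):
            continue
        last = hits[-1] if hits else None
        if last and last.type == r.type and last.base + last.size == r.base:
            hits[-1] = last._replace(size=last.size + r.size)
        else:
            hits.append(r)
    return hits

# Constructed sample: what a region walk of a browser process might return.
SAMPLE = [
    Region(0x00400000, 0x1000, MEM_COMMIT, 0x02, MEM_IMAGE),     # PAGE_READONLY
    Region(0x00401000, 0x5000, MEM_COMMIT, 0x20, MEM_IMAGE),     # PAGE_EXECUTE_READ
    Region(0x02A40000, 0x1000, MEM_COMMIT, 0x40, MEM_PRIVATE),   # RWX
    Region(0x02A41000, 0x3000, MEM_COMMIT, 0x40, MEM_PRIVATE),   # RWX, contiguous
    Region(0x05100000, 0x2000, MEM_COMMIT, 0x04, MEM_PRIVATE),   # PAGE_READWRITE
    Region(0x06000000, 0x1000, MEM_COMMIT, 0x140, MEM_PRIVATE),  # RWX | PAGE_GUARD
    Region(0x07000000, 0x10000, MEM_RESERVE, 0x00, MEM_PRIVATE), # reserved only
]

if __name__ == "__main__":
    for hit in find_rwx_regions(SAMPLE):
        kind = "private" if hit.type == MEM_PRIVATE else "image/mapped"
        print(f"{hit.base:#010x} size={hit.size:#x} protect={hit.protect:#x} {kind}")
```

JIT compilers can also create writable and executable regions, so a hit is a triage lead to correlate with other telemetry rather than a verdict.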

While EMET protections have been bypassed by researchers several times before, this is the first time that successful bypasses have been spotted in the wild.

“The level of sophistication in exploit kits has increased significantly throughout the years. Where obfuscation and new zero days were once the only additions in the development cycle, evasive code has now been observed being embedded into the framework and shellcode,” the researchers concluded, and advised organizations to mitigate this type of threat by implementing a robust vulnerability management program for end-user systems.

“Applications such as Adobe Flash, web browsers, and Oracle Java should be patched routinely, prioritizing critical patches, or removed if possible. Because the web browser plays an important role in the infection process, disabling browser plugins for Flash or Silverlight may also reduce the browser attack surface,” they noted.