The Angler Exploit Kit (EK) has already established itself as one of the more sophisticated kits on the underground market, but it is still finding ways to evolve. This week Angler was spotted dropping the latest iteration of the CryptoWall ransomware and leveraging yet another previously patched Adobe Flash vulnerability. The attack used common EK obfuscation (secureSWF) and techniques.

The exploit targets a race condition in the Flash Shader class: if the width or height of a Shader object is modified asynchronously while a shader job is being started, the result is a memory corruption. Angler uses this to execute arbitrary code and infect systems whose Flash Player has not been updated; systems running the current, patched release are not affected by this exploit.

Once a system is infected, the criminals can use that access to drop any number of payloads, and recently Angler was found infecting hosts with the CryptoWall ransomware. The malware itself has evolved: several dropper features present in the previous iteration have been removed, including multiple exploits and an anti-VM check that prevented it from running in a virtual environment. The lack of any exploits in the dropper itself suggests that the malware authors are focusing on exploit kits as their attack vector, since the exploit kit's own functionality can be used to gain privilege escalation on the system, and this is now clearly being played out in Angler.
IT Security News
The information provided herein is on an "as is" basis, without warranty of any kind.
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street