Microsoft has built a number of technical defenses against browser-based exploits in the last decade or so, including a specialized toolkit called EMET that’s designed to defeat advanced exploits. Attackers have now created a version of the notorious Angler exploit kit that can bypass EMET entirely and then install the nasty TeslaCrypt ransomware.
This advance in attackers’ tactics is an important one, as it moves them a step ahead of one of the more important pieces of defensive technology deployed by Windows users. EMET (the Enhanced Mitigation Experience Toolkit) was developed by Microsoft several years ago to defend against exploitation techniques such as return-oriented programming. The toolkit incorporates several anti-exploit technologies, and over the years security researchers have developed some techniques for evading them. But the new tactic identified recently by researchers at FireEye shows that some attackers can now bypass EMET completely on Windows 7 machines.
The Angler exploit kit is one of the better-known and most widely used kits in circulation, and it typically includes exploits for a variety of targets, such as the major browsers, Adobe Flash, and Microsoft Silverlight. Attackers use those exploits to install various kinds of malware, depending upon their motivations, and in this case the attackers are using it to install TeslaCrypt.
“The ability of Angler EK to evade EMET mitigations and successfully exploit Flash and Silverlight is fairly sophisticated in our opinion. These exploits do not utilize the usual return oriented programming to evade DEP,” FireEye says in its analysis of the new technique.
“Data Execution Prevention (DEP) is a mitigation developed to prevent the execution of code in certain parts of memory. The Angler EK uses exploits that do not utilize common return oriented programming (ROP) techniques to evade DEP. Instead, they use Flash.ocx and Coreclr.dll’s inbuilt routines to call VirtualProtect and VirtualAlloc, respectively, with PAGE_EXECUTE_READWRITE, thus evading DEP and evading return address validation-based heuristics.”
The version of Angler seen in this attack includes Flash and Silverlight exploits that use multi-stage shellcode and some novel tricks to get past the various anti-exploit defenses in the EMET toolkit. Once that’s accomplished, the shellcode installs TeslaCrypt, a nasty piece of ransomware.
“Afterwards, the exploit shellcode launches the TeslaCrypt process under normal exploitation context. In the case of fileless infections, the shellcode does not launch anything, but changes the protection constant of kernel32!ExitProcess to RWX for 5 bytes, then overwrites it with an inline jump to ntdll!RtlExitUserThread,” FireEye said.
“This ensures the process stays alive even after closing the tab or closing the Internet Explorer window. In either of the above cases, the attacker has full control over shellcode and it can pretty much execute anything it wants without EMET doing anything.”
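The two artefacts the FireEye description above leaves behind in a compromised process are both observable from the defender's side: code pages flipped to PAGE_EXECUTE_READWRITE through VirtualProtect or VirtualAlloc (the DEP evasion quoted earlier), and the first five bytes of kernel32!ExitProcess replaced by an inline jump into ntdll!RtlExitUserThread (the fileless case). The following Python is an added example written for this article, not code from FireEye or from the Angler kit; it runs two checks over memory-region records and function bytes that are constructed inline. The module base addresses, the export offsets, and the region layout are assumptions for illustration; on a live system the same records would come from VirtualQueryEx and ReadProcessMemory.

```python
"""Defender-side checks for writable+executable memory and an inline-jump patch
on an exported function. All addresses and region records below are constructed
for the example (assumptions), not taken from a real process."""
from dataclasses import dataclass
from struct import pack, unpack

# Documented Win32 memory constants (MEMORY_BASIC_INFORMATION fields).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80   # what an image page reports after VirtualProtect(..., RWX)
MEM_COMMIT = 0x1000
MEM_IMAGE = 0x1000000
MEM_PRIVATE = 0x20000

WRITABLE_EXECUTABLE = {PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}


@dataclass
class Region:
    base: int
    size: int
    protect: int
    state: int
    region_type: int
    module: str = ""   # backing module for image-mapped regions, "" otherwise


def find_suspicious_rwx(regions):
    """Return (base, reason) for committed regions that are both writable and executable.
    Image-backed code is never expected to be writable, so that case is high confidence;
    private RWX memory also appears under legitimate JIT engines, so it is a weaker signal."""
    hits = []
    for r in regions:
        if r.state != MEM_COMMIT or r.protect not in WRITABLE_EXECUTABLE:
            continue
        if r.region_type == MEM_IMAGE:
            hits.append((r.base, f"image-backed code of {r.module} is writable+executable"))
        elif r.region_type == MEM_PRIVATE:
            hits.append((r.base, "private writable+executable allocation"))
    return hits


# Hot-patchable x86 prologue that Win32 exports start with: mov edi,edi; push ebp; mov ebp,esp
STOCK_PROLOGUE = bytes.fromhex("8BFF558BEC")


def classify_export_prologue(first_bytes, func_va, module_range):
    """Classify the first 5 bytes of an exported function.
    Returns (verdict, jump_target); verdicts are 'clean', 'jump-within-module',
    'jump-out-of-module' (e.g. a patch into another DLL or shellcode) or 'modified'."""
    if first_bytes[:5] == STOCK_PROLOGUE:
        return "clean", None
    if first_bytes[0] == 0xE9:                      # JMP rel32
        rel = unpack("<i", first_bytes[1:5])[0]
        target = (func_va + 5 + rel) & 0xFFFFFFFF   # rel32 is relative to the next instruction
        lo, hi = module_range
        verdict = "jump-within-module" if lo <= target < hi else "jump-out-of-module"
        return verdict, target
    return "modified", None


# Constructed layout (assumed values): kernel32 and ntdll bases and two export offsets.
KERNEL32_BASE, KERNEL32_SIZE = 0x76B00000, 0x00110000
NTDLL_BASE = 0x77000000
EXITPROCESS_VA = KERNEL32_BASE + 0x0001A3C0
RTLEXITUSERTHREAD_VA = NTDLL_BASE + 0x00038E50
KERNEL32_RANGE = (KERNEL32_BASE, KERNEL32_BASE + KERNEL32_SIZE)


def sample_regions():
    """Constructed snapshot: clean kernel32 code, the page holding ExitProcess made
    writable (reported as WRITECOPY), a private RWX stage buffer, and an ordinary heap."""
    return [
        Region(KERNEL32_BASE + 0x1000, 0x19000, PAGE_EXECUTE_READ, MEM_COMMIT, MEM_IMAGE, "kernel32.dll"),
        Region(KERNEL32_BASE + 0x1A000, 0x1000, PAGE_EXECUTE_WRITECOPY, MEM_COMMIT, MEM_IMAGE, "kernel32.dll"),
        Region(0x02A40000, 0x10000, PAGE_EXECUTE_READWRITE, MEM_COMMIT, MEM_PRIVATE),
        Region(0x00400000, 0x100000, PAGE_READWRITE, MEM_COMMIT, MEM_PRIVATE),
    ]


def patched_exitprocess_bytes():
    """Constructed 5-byte JMP rel32 from ExitProcess to RtlExitUserThread, as a detector would read it."""
    return b"\xE9" + pack("<i", RTLEXITUSERTHREAD_VA - (EXITPROCESS_VA + 5))


if __name__ == "__main__":
    for base, reason in find_suspicious_rwx(sample_regions()):
        print(f"RWX region at {base:#010x}: {reason}")
    for label, data in (("original", STOCK_PROLOGUE), ("patched", patched_exitprocess_bytes())):
        verdict, target = classify_export_prologue(data, EXITPROCESS_VA, KERNEL32_RANGE)
        print(f"ExitProcess ({label}): {verdict}" + (f" -> {target:#010x}" if target else ""))
```

Two details matter in practice. Requesting PAGE_EXECUTE_READWRITE on an image-mapped page is converted to copy-on-write, so VirtualQuery reports PAGE_EXECUTE_WRITECOPY rather than 0x40; a scanner that only looks for 0x40 misses exactly the ExitProcess case. And a jump target inside the same module can be a legitimate hot-patch, so only the out-of-module verdict should be treated as a strong indicator on its own.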
Microsoft updates EMET on a regular basis and in the past has been quick to address new bypasses of the toolkit. The company hasn’t said yet whether it will release an update to address this technique anytime soon.