Angler EK Escapes Microsoft’s EMET Security Toolkit

Security researchers from FireEye claim that they have found Angler exploit kit installations which are capable of evading some of the security protections provided by the Microsoft EMET toolkit on Windows 7.

Enhanced Mitigation Experience Toolkit (EMET) is a less known security product provided by Microsoft. The main purpose of EMET is to add another extra layer of security on top of Windows systems.

This toolkit is not a standalone antivirus product due to the fact that it will not actively look for malware, but put up serious defenses whenever malware tries to exploit vulnerable components instead.

By this moment, security experts have discovered a few ways to bypass EMET’s defenses, however, none of these have been used in real-world attacks yet.

Over the past weeks, FireEye has come up over a few Angler exploit kit installations which can bypass EMET’s protections on Windows 7.

According to security researchers, the Angler EK is deploying two exploits, one for Flash and one for Silverlight. The two exploits make two calls to the aforementioned plugins and run their code via a protected memory slot that allows them to deliver the malicious payload regardless of EMET’s DEP (DataExecution Mitigation), EAF (Export Address Table Access Filtering), and EAF+ mitigations.

For the aforementioned campaign, the hackers used Angler to bypass EMET and install the TeslaCrypt ransomware. These exploits even worked on EMET’s latest 5.5 version.

The level of sophistication in exploits kit has increased significantly throughout the years,” FireEye’s Raghav Pande and Amit Malik stated.

Where obfuscation and new zero days were once the only additions in the development cycle, evasive code has now been observed being embedded into the framework and shellcode.”

In February, this year, Pande and Malik discovered a method to use EMET’s own security protections to disable itself.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.