Method works using Flash and Silverlight exploits

Jun 6, 2016 21:10 GMT  ·  By

FireEye security researchers say they've found Angler exploit kit installations capable of evading some of the security protections provided by the Microsoft EMET toolkit on Windows 7.

EMET stands for Enhanced Mitigation Experience Toolkit and is a lesser-known security product from Microsoft, designed to add an extra layer of security on top of Windows systems.

The toolkit is not a standalone antivirus product, because it does not actively look for malware, but it puts up serious defenses whenever malware tries to exploit vulnerable components.

Until now, security researchers have discovered a few ways to bypass EMET's defenses, but none have been used in real-world attacks.

Bypass methods work on EMET 5.5 on Windows 7

According to FireEye, in the past weeks the company has come across a few Angler exploit kit installations that can bypass EMET's protections on Windows 7.

Researchers say the Angler EK is deploying two exploits, one for Flash and one for Silverlight. Each exploit calls into its respective plugin and runs its code via a protected memory slot, which lets it deliver the malicious payload regardless of EMET's DEP (Data Execution Prevention), EAF (Export Address Table Access Filtering), and EAF+ mitigations.

For this particular campaign, the crooks used Angler to bypass EMET and install the TeslaCrypt ransomware. The exploits even worked against EMET's latest version, 5.5.

"The level of sophistication in exploit kits has increased significantly throughout the years," FireEye's Raghav Pande and Amit Malik noted. "Where obfuscation and new zero days were once the only additions in the development cycle, evasive code has now been observed being embedded into the framework and shellcode."

Back in February, the same FireEye team discovered a method to use EMET's own security protections to disable itself.