Angler Exploit Kit Evading EMET

We recently encountered some exploits from Angler Exploit Kit (EK)
that are completely evading Microsoft’s Enhanced Mitigation Experience
Toolkit (EMET). This is something we are seeing for the first time in
the wild, and we only observed it affecting systems running Windows 7.

Angler EK uses complex multi-layered code obfuscation and leverages
multiple exploits, as seen in Figure 1 and Figure 2. These
capabilities make Angler EK one of the more sophisticated exploit kits
in use at this time.

Figure 1: An excerpt of obfuscated javascript
implemented by Angler EK is provided

Figure 2: Angler JavaScript Obfuscation

Within the deobfuscated JavaScript, which an attacker might inject
into a webpage, we found that objects were being created for Flash
(Figure 3) and Silverlight (Figure 4) to exploit vulnerabilities in
those plugins.


Figure 3: Flash Object usage in deobfuscated content


Figure 4: Silverlight Object usage in
deobfuscated content

While exploiting Flash and other third party frameworks is common
practice, we identified that Angler EK has implemented exploits that
are successfully evading EMET.


Evasion:

EMET consists of many exploit mitigations that thwart modern exploit
kit attempts. These exploit mitigations include:

  1. ASR
  2. EAF
  3. EAF+
  4. Caller Check
  5. SimExecFlow
  6. StackPivot
  7. MemProt

Modern exploit kits may contain VBScript, Flash, Silverlight and
even Internet Explorer exploits. Out of these, VBScript exploits are
mitigated by ASR check and there is no evasion for that as of now,
since EMET simply restricts vbscript.dll from being loaded.

The ability of Angler EK to evade EMET mitigations and successfully
exploit Flash and Silverlight is fairly sophisticated in our opinion.
These exploits do not utilize the usual return oriented programming to
evade DEP. Data Execution Prevention (DEP) is a mitigation developed
to prevent the execution of code in certain parts of memory. The
Angler EK uses exploits that do not utilize common return oriented
programming (ROP) techniques to evade DEP. Instead, they use Flash.ocx
and Coreclr.dll’s inbuilt routines to call VirtualProtect and
VirtualAlloc, respectively, with PAGE_EXECUTE_READWRITE, thus evading
DEP and evading return address validation-based heuristics.

DEP Evasion:

As seen in Figure 5, the Silverlight exploit uses coreclr.dll’s
routines to evade DEP before shellcode is executed.

Figure 5: VirtualAlloc stub in coreclr.dll,
helps mitigate DEP without ROP

The Flash exploit uses Flash.ocx’s routines to call VirtualProtect
for DEP evasion before shellcode is executed, as seen in Figure 6. The
same routine is then used to jump to shellcode.

Figure 6: flash.ocx

Since return address validation heuristics are evaded by utilizing
these inbuilt functions from within ActionScript and Silverlight
Engine, ROP checks by EMET’s DEP capability are not effective. EMET
provides other protections, however, which Angler EK is also evading.
Export Address Table Filtering (EAF) and EAF+ are two capabilities
that seek to protect the contents of memory and prevent exploit code
from identifying where things are loaded.

The following is the working chain of the payload after successfully
evading DEP mitigations. Note that the APIs will differ for both
fileless and process oriented infections. However the evasion code was
found and executed in both the cases successfully evading EMET.

Evasion of EAF in Silverlight Exploit:

As we can see in Figure 7, Silverlight JIT code transfers control to shellcode.

Figure 7: Call Shellcode

After that, the shellcode queries User32 Import Address Table (IAT)
to pull API addresses, thus evading EAF. We can see the same in Figure 8.

Figure 8: Shellcode reads IAT

The memory address of the GetProcAddress function also gets resolved
by using IAT of user32.dll. After that, the APIs seen in Figure 9 get
resolved from GetProcAddress.

Figure 9: List of APIs

Once the API addresses are resolved, EMET has no validation on API
calls with regard to where they are coming from, thus resulting in the
successful execution of the malicious program.

Note that Silverlight exploits are not subjected to EAF+ because
“coreclr.dll” and other required dlls are not present in the default
EMET configuration.

Evasion of EAF+ in Flash exploit:

  1. Flash uses arbitrary read and write to read memory and finds
    base address of “flash.ocx”.
  2. It finds Import Directory
    Table of flash.ocx and loops through ModuleName until it reaches
    “kernel32.dll”.
  3. Reads the content of RvaImportLookupTable and
    RvaImportAddressTable, to locate the APIs that will be useful later
    along with VirtualAlloc, which will be used in first stage.

After identifying the required addresses, ActionScript code fills
those values in already existing buffer of shellcode, performs ROPless
VirtualProtect on the shellcode region to evade the DEP, and then
transfers the control to the malicious shellcode.

As we can see in Figure 10, the first stage shellcode will call
VirtualAlloc and copy the second stage shellcode to that memory,
transferring the control to that code.

Figure 10: Call VirtualAlloc and second stage shellcode

As seen in Figure 11, in the second stage shellcode, the API
resolution is again based on the IAT reading, which evades EAF.
Additionally, several calls to GetProcAddress are performed, which go
completely unscrutinized. As stated before, API calls have no
validation from EMET with regard to where they are coming from,
validation is only performed through EAT hardware breakpoints.

Figure 11: Shellcode reads IAT

Afterwards, the exploit shellcode launches the TeslaCrypt process
under normal exploitation context. In the case of fileless infections,
the shellcode does not launch anything, but changes the protection
constant of kernel32!ExitProcess to RWX for 5 bytes, then overwrites
it with an inline jump to ntdll!RtlExitUserThread. This ensures the
process stays alive even after closing the tab or closing the Internet
Explorer window. In either of above cases, the attacker has full
control over shellcode and it can pretty much execute anything it
wants without EMET doing anything.

In Figure 12 and Figure 13, we can see the successful execution of
TeslaCrypt ransomware with the latest version of EMET installed on the
system. Please note that we have tested this only on Windows 7.

Figure 12: EMET v5.5

Figure 13: EMET bypass – Successful execution of
TeslaCrypt binary

Conclusion

The level of sophistication in exploits kit has increased
significantly throughout the years. Where obfuscation and new zero
days were once the only additions in the development cycle, evasive
code has now been observed being embedded into the framework and shellcode.

Remediation guidance:

Although there are no quick solutions for the DEP, EAF, and EAF+
evasion techniques, organizations can mitigate this threat through a
robust vulnerability management program for end user systems, which
includes the installation of security updates for third party
software. Applications such as Adobe Flash, web browsers, and Oracle
Java should be patched routinely, prioritizing critical patches, or
removed if possible. Because the web browser plays an important role
in the infection process, disabling browser plugins for Flash or
Silverlight may also reduce the browser attack surface.

*** This is a Security Bloggers Network syndicated blog from Threat Research Blog authored by Threat Research Blog. Read the original post at: http://www.fireeye.com/blog/threat-research/2016/06/angler_exploit_kite.html