The security researcher Kafeine confirmed that the authors of the Angler EK have integrated the exploit for a recently patched Microsoft Silverlight vulnerability.
Ransomware is becoming one of the most dreaded cyber threats for netizens; security experts have noticed a surge in the number of cyber attacks aimed at spreading malware like CryptoWall and TeslaCrypt. Exploit kits like the Nuclear EK and the Angler EK are the preferred vectors for serving this family of malware, and cyber criminals constantly improve their code in order to compromise the largest possible number of victims.
The security expert Kafeine recently discovered that the authors of the Angler EK have added the code of a Silverlight exploit leveraging the CVE-2016-0034 vulnerability.
The flaw was fixed by Microsoft in January with the critical bulletin MS16-006; an attacker can exploit it for remote code execution. The Silverlight flaw was discovered by experts at Kaspersky Lab as a result of an investigation into the Hacking Team arsenal disclosed in July 2015.
According to Microsoft, the remote code execution vulnerability can be exploited by an attacker who sets up a website to host a specially crafted Silverlight application.
When users visit the malicious website, the exploit allows the attacker to gain the same permissions as the victim, so accounts running with fewer user rights are less exposed than those operating with administrative rights.
On February 18, 2016, Kafeine noticed that the author behind Angler had added code for the Silverlight exploit; according to the expert, the integration was completed on February 22.
Anton Ivanov, a senior malware researcher at Kaspersky Lab, confirmed that an exploit for the Silverlight vulnerability has been integrated into the Angler EK.
Kafeine explained that the CVE-2016-0034 exploit has been used to spread a variant of the TeslaCrypt ransomware. The attack works only against Silverlight versions prior to the current one, Silverlight 5.1.41212.0, so systems that have applied MS16-006 are not affected.
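The practical check that follows from the version boundary above is an inventory triage: every Silverlight build older than 5.1.41212.0 is exposed to the Angler module, everything at or above it carries the MS16-006 fix. The script below is an added example written for this page, not code from the article, from Kafeine or from Kaspersky; the only fact it takes from the text is the patched build number, and the host names and versions it runs over are constructed sample data. The version feed would in practice come from whatever endpoint management tool reports the installed plugin build.

```python
"""Inventory triage for Silverlight installs exposed to CVE-2016-0034 (MS16-006).

Added example, not from the article or from any vendor tooling. The only fact
taken from the article is the patched build number, 5.1.41212.0: any earlier
Silverlight build is treated as unpatched. Host names and versions below are
constructed sample data.
"""
import re
from typing import Dict, List, Optional, Tuple

# First Silverlight build that carries the MS16-006 fix (from the article).
PATCHED_VERSION = "5.1.41212.0"

# Dotted numeric version with two to four components, e.g. 5.1.41212.0
_VERSION_RE = re.compile(r"^\d+(\.\d+){1,3}$")


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Turn 'a.b.c.d' into a comparable tuple, padded to four parts.

    Returns None for strings that are not a dotted numeric version, so a
    malformed inventory entry is reported rather than silently treated as safe.
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        return None
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build predates the MS16-006 fix, False if it is at or
    above the patched build, None if the version string cannot be parsed."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed < parse_version(PATCHED_VERSION)


def triage_inventory(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Split (host, version) pairs into vulnerable / patched / unknown buckets.

    'unknown' is kept separate on purpose: a host whose plugin version could
    not be read needs a manual look, not a silent pass.
    """
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory:
        state = is_vulnerable(version)
        if state is None:
            result["unknown"].append(host)
        elif state:
            result["vulnerable"].append(host)
        else:
            result["patched"].append(host)
    return result


# Constructed sample inventory (hypothetical hosts and builds, not real data).
SAMPLE_INVENTORY = [
    ("ws-01", "5.1.41212.0"),   # exactly the patched build from MS16-006
    ("ws-02", "5.1.41105.0"),   # earlier 5.1 build: exposed to the Angler module
    ("ws-03", "5.1.50907.0"),   # higher build number: past the fix
    ("ws-04", "4.1.10329.0"),   # older major version: also predates the fix
    ("ws-05", "n/a"),           # plugin absent or version unreadable
]

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The comparison is done on integer tuples rather than on the raw strings, because a string comparison would rank "5.1.5xxxx" below "5.1.41212" and misreport a patched host as vulnerable.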
The experts at Ars Technica who analyzed the Hacking Team's leaked emails noticed communications between a Russian developer named Vitaliy Toropov and the staff of Hacking Team.
The man sold an Adobe Flash Player exploit to Hacking Team for $45,000 in 2013 and also offered a Silverlight exploit.
"Now your discount on the next buy is -5k and -10k is for a third bug. I recommend you the fresh 0day for iOS 7/OS X Safari or my old Silverlight exploit which was written 2.5 years ago and has all chances to survive further in next years as well." Toropov wrote to Hacking Team member Giancarlo Russo.
Experts at Kaspersky started analyzing Toropov's exploits, including a "Microsoft Silverlight Invalid Typecast / Memory Disclosure" proof of concept dating back to 2013 that he had published.
Kaspersky issued a YARA rule to detect the exploit in the wild, and on November 25th the company detected Toropov's exploit on a user's machine. Later, another sample of the exploit was uploaded from Laos to a multiscanner service.
"After implementing the detection, we waited, hoping that an APT group would use it. Since Vitaliy Toropov was offering it to Hacking Team, we also assumed that he sold it to other buyers, and what good is a zero-day if you don't use it? Unfortunately, for several months, nothing happened. We had already forgotten about this until late November 2015." Kaspersky researchers wrote in a blog post. "On November 25th, one of our generic detections for Toropov's 2013 Silverlight exploit triggered for one of our users. Hours later, a sample was also uploaded to a multiscanner service from Lao People's Democratic Republic (Laos)."
The analysis of the exploit revealed that it was compiled on July 21, 2015, after the Hacking Team data was leaked online, meaning the exploit was still being built and used after its seller's dealings had become public. Kaspersky immediately reported the existence of the exploit to Microsoft.
It is unclear whether this Silverlight exploit is the same one offered by Toropov in 2013:
"One of the biggest questions we have is whether this is Vitaliy Toropov's Silverlight zero-day which he tried to sell to Hacking Team. Or is it a different one? Several things make us think it's one of his exploits, such as the custom error strings. Of course, there is no way to be sure and there might be several Silverlight exploits out there. One thing is for sure though: the world is a bit safer with the discovery and patching of this one." wrote Kaspersky researchers.