The Angler Exploit Kit (EK) is throwing a new line in the cybercrime waters with the addition of an exploit for a recently patched Adobe Flash Player vulnerability (CVE-2015-3090), and the CryptoWall 3.0 ransomware as a payload.
FireEye, which analyzed the sample, explained that the attack uses obfuscation and techniques common to exploit kits (the malicious SWF is obfuscated with SecureSWF). The exploit itself targets a race condition in Flash's Shader class: asynchronously modifying the width/height of a Shader object while a shader job is being started results in memory corruption. Angler uses this to execute arbitrary code and infect systems running an unpatched Flash Player.
Once it is able to infect a system, criminals can use that access to drop any number of payloads. Recently, Angler was seen infecting hosts with the CryptoWall 3.0 ransomware, in attacks that SANS found were using the same bitcoin address for the ransom payment.
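The SANS observation above, that separate infections pointed victims at one bitcoin address, is the kind of link an incident responder can make from ransom notes collected across hosts. The following Python, added here as an example and not code from the original article or from any of the vendors it cites, extracts candidate bitcoin addresses from ransom-note text, discards anything that fails the Base58Check checksum (a truncated or mistyped address would otherwise pollute the clustering), and groups the hosts by the address they were told to pay. The ransom-note text and host names are constructed for the example; they do not reproduce the real CryptoWall note. The only real-world address used is the well-known Bitcoin genesis-block address, chosen because it is publicly documented and valid.

```python
import hashlib
import re
from collections import defaultdict

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, as used for the Base58Check checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58check_encode(payload: bytes) -> str:
    """Base58Check: payload || first 4 bytes of SHA256d(payload), base58-encoded."""
    data = payload + sha256d(payload)[:4]
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    # Each leading zero byte of the data is encoded as a leading '1'.
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58check_decode(addr: str):
    """Return the payload bytes if the checksum verifies, otherwise None."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(addr) - len(addr.lstrip("1"))
    data = b"\x00" * pad + body
    if len(data) < 5:
        return None
    payload, checksum = data[:-4], data[-4:]
    if sha256d(payload)[:4] != checksum:
        return None
    return payload


def is_valid_btc_address(addr: str) -> bool:
    """Accept only legacy P2PKH (0x00) / P2SH (0x05) addresses with a good checksum."""
    payload = b58check_decode(addr)
    return payload is not None and len(payload) == 21 and payload[0] in (0x00, 0x05)


# Loose pattern for legacy addresses; the checksum check does the real filtering.
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def extract_addresses(text: str):
    return [m for m in ADDR_RE.findall(text) if is_valid_btc_address(m)]


def cluster_by_address(notes):
    """notes: {host: ransom note text}. Returns {address: sorted list of hosts}."""
    clusters = defaultdict(set)
    for host, text in notes.items():
        for addr in extract_addresses(text):
            clusters[addr].add(host)
    return {addr: sorted(hosts) for addr, hosts in clusters.items()}


# Bitcoin genesis-block address (public, valid) and an address built from an
# all-zero hash160, so the second cluster needs no hard-coded constant.
GENESIS_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
ZERO_ADDR = b58check_encode(b"\x00" + bytes(20))

# Constructed sample notes (not the real CryptoWall text); host-d carries a
# corrupted copy of the genesis address whose checksum no longer verifies.
SAMPLE_NOTES = {
    "host-a": f"Your files are encrypted. Send 500 USD in bitcoin to {GENESIS_ADDR} within 7 days.",
    "host-b": f"Pay to {GENESIS_ADDR} to receive the decryption key.",
    "host-c": f"Pay to {ZERO_ADDR} to receive the decryption key.",
    "host-d": f"Pay to {GENESIS_ADDR[:-1]}b to receive the decryption key.",
}

if __name__ == "__main__":
    for addr, hosts in cluster_by_address(SAMPLE_NOTES).items():
        print(f"{addr}: {', '.join(hosts)}")
```

Running it groups host-a and host-b under the shared address, puts host-c in its own cluster, and drops host-d's corrupted address entirely; in a real case the shared address is the pivot for a blockchain lookup of how many victims paid.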
The CryptoWall ransomware has evolved into a third-generation baddie, with a streamlined dropper and new functionality such as incorporating I2P anonymous network communication.
Uncovered in February, version 3.0 has had several dropper features removed from its previous iteration, including multiple exploits and an anti-VM check that prevented it from running in a virtual environment. The lack of any exploits in the dropper itself seems to indicate that the malware authors are focusing more on using exploit kits as an attack vector, since an exploit kit already achieves code execution, and potentially privilege escalation, on the victim's system before the dropper runs. This is now clearly being played out in Angler.
CryptoWall 3.0 also collects system information (such as the computer name and the main processor's speed and type) and hashes it with MD5 to generate a victim ID. Much of this data is sent back to the command and control server over anonymizing networks: in addition to Tor, 3.0 adds support for the Invisible Internet Project (I2P), which makes the criminals' C2 communications harder to trace and block.
Exploit kits (particularly Angler and Nuclear) regularly exploit recently patched Flash vulnerabilities. In this case, CVE-2015-3090 was patched by Adobe in the middle of May, so users should upgrade as soon as possible. Note that a kit only needs one unpatched plugin: check the Flash Player version in every browser in use, since some browsers bundle and update their own copy separately from the system-wide install, and where Flash is not needed, disable or uninstall it.