Cybercriminals target Silverlight users with new exploit kit

An exploit for a known Silverlight vulnerability was added to the Angler Exploit Kit, researchers said

The creators of a Web-based attack tool called Angler Exploit Kit have added an exploit for a known vulnerability in Microsoft's Silverlight browser plug-in to the tool's arsenal.

Exploit kits are essentially malicious Web applications that check if visitors run outdated software on their computers and then exploit vulnerabilities in that software to install malware. They usually target popular applications that are accessible through browser plug-ins, such as Java, Flash Player and Adobe Reader.

The attacks launched by exploit kits are called drive-by download attacks and have become one of the main methods of distributing malware.

According to an independent malware researcher who uses the pseudonym Kafeine, aside from Java and Flash Player, Angler EK is now also targeting Silverlight, a runtime environment for rich Internet applications developed by Microsoft.

Angler EK appeared last month, shortly after the creator of the popular Blackhole exploit kit was arrested in Russia, and is being used by the cybercriminal gang behind the Reveton ransomware that impersonates law enforcement agencies and asks victims to pay non-existent fines.

Before switching to Angler, the Reveton gang used Cool Exploit Kit, a more high-end version of Blackhole, Kafeine said in a blog post.

Starting Thursday, Angler includes an exploit for a remote code execution vulnerability in Silverlight 5 that's known as CVE-2013-0074 and was patched by Microsoft in March, Kafeine said.

According to Timo Hirvonen, a senior researcher at antivirus company F-Secure, it's unusual for authors of exploit kits to target Silverlight. "I do not remember seeing exploit kits using Silverlight exploits before," he said via email.

It's not clear how many users have Silverlight installed on their computers, but their number is likely to be in the tens of millions.

Most Netflix users need Silverlight, and there are more than 40 million Netflix subscribers, so there are enough potential targets to make a Silverlight exploit attractive, Hirvonen said.

Angler EK loads the Silverlight exploit only if the Java or Flash Player versions installed on the computer are not vulnerable, according to Hirvonen. He believes the Silverlight exploit was added to Angler now because exploit code for CVE-2013-0074 was recently made public on the Packet Storm security website and cybercriminals are frequently reusing publicly available exploits.

Silverlight users should make sure they have all the patches available for the software installed. Silverlight security patches are normally distributed through the Windows Update mechanism.

Join the CSO newsletter!

Error: Please check your email address.

Tags MicrosoftsecurityAdobe Systemsf-secureExploits / vulnerabilitiesmalware

More about F-SecureMicrosoftNetflix

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts