Attacks based on a Microsoft Silverlight vulnerability have been discovered packaged in the Angler exploit kit, which is used worldwide to compromise computer systems.
The vulnerability, CVE-2016-0034, is a rare example of a flaw affecting Microsoft's Silverlight technology. Patched under the bulletin MS16-006, the Silverlight vulnerability affects both Windows and Mac systems and allows attackers to take full control of a system if the user is logged in as an administrator.
Silverlight is an application framework and Web browser plugin, a rival to Adobe Flash, used to view content-rich media and animations on the Internet. Silverlight is compatible with major operating systems and browsers including Mozilla Firefox, Google Chrome and Apple Safari.
The Silverlight exploit was first spotted by Kaspersky after private exploit seller Hacking Team suffered a data breach which exposed a number of unknown vulnerabilities affecting popular software including Microsoft and Adobe products.
In January, Kaspersky Lab researcher Brian Bartholomew commented:
"It's a big deal; Silverlight vulnerabilities don't come around that often. Exploitation of the zero-day itself is fairly technical, but once a proof-of-concept falls into the hands of someone who knows what they're doing and reverse engineers the patch, it's not that difficult to produce a weaponized version of it."
The Angler exploit kit has grown in popularity since the demise of Blackhole. The kit has been recorded on thousands of landing pages online, lying in wait until a victim clicks on a malicious link to one of these pages and unwittingly downloads the malware package.
Angler uses a variety of techniques to work out which attack is most likely to succeed against a given system, including anti-sandbox checks and probing for browser vulnerabilities.
On 18 February this year, Kafeine noticed that the Angler landing page had been tweaked to include a piece of code linked to Silverlight. If Silverlight is installed on an unpatched computer belonging to a potential victim who has visited a page hosting the exploit kit, the exploit for the security flaw is delivered and, if successful, malware is dropped onto the machine.
The malware that the Angler exploit kit drops in this case is TeslaCrypt, a particularly nasty strain of ransomware. This family of malware enters systems through vulnerable software, then locks the system and forces victims to pay a ransom in virtual currency to regain access to their files.