The Angler Exploit Kit contains some new exploits that are evading Microsoft's Enhanced Mitigation Experience Toolkit (EMET) and attacking machines running Windows 7.
FireEye researchers described in a blog the new exploits as “fairly sophisticated” in their ability to evade EMET and then attack Flash Player and Silverlight injecting TeslaCrypt ransomware. FireEye only tested the exploit against Win 7.
“These exploits do not utilize the usual return oriented programming to evade DEP. Data Execution Prevention (DEP) is a mitigation developed to prevent the execution of code in certain parts of memory," the FireEye team wrote. "The Angler EK uses exploits that do not utilize common return oriented programming (ROP) techniques to evade DEP. Instead, they use Flash.ocx and Coreclr.dll's inbuilt routines to call VirtualProtect and VirtualAlloc, respectively, with PAGE_EXECUTE_READWRITE, thus evading DEP and evading return address validation-based heuristics.”
TeslaCrypt is still used in this attack despite its master key being made public last month.