Recently was analyzing landing page of Angler and found a new anti-debugging check that the exploit kit authors have added.
The authors of the kit have added check to identify if 'Developer Tools' is opened while loading the kit's landing page. Based on this information they set couple of variables. These variables are later checked and the exploit kit continues to deliver the exploit(s) or bails out.
These checks works well for IE10 and IE11.
Angler was also seen to bail out without serving any exploit(s) by verifying the environment it is running in.
The authors of the kit have added check to identify if 'Developer Tools' is opened while loading the kit's landing page. Based on this information they set couple of variables. These variables are later checked and the exploit kit continues to deliver the exploit(s) or bails out.
These checks works well for IE10 and IE11.
Angler was also seen to bail out without serving any exploit(s) by verifying the environment it is running in.