The developers of the Purple Fox exploit kit (EK) have added two new exploits to their arsenal, including one for a vulnerability addressed in February this year.
Initially detailed in September 2018, the EK was designed for the distribution of the Purple Fox Trojan/Rootkit. Previously, the Trojan was being disseminated through the RIG EK, but its operators were likely looking into cutting down costs, Proofpoint’s security researchers note.
In recent distribution campaigns, the Purple Fox EK has been leveraging exploits targeting CVE-2020-0674 (a scripting engine memory corruption vulnerability in Internet Explorer) and CVE-2019-1458 (a local privilege elevation vulnerability in Windows), two bugs that Microsoft addressed in February 2020 and December 2019, respectively.
Before patches were released for these security bugs, however, both were observed being abused in attacks associated with the DarkHotel threat group, which is believed to be linked to the South Korean government. Last year, the threat actor also targeted a Chrome zero-day as part of Operation WizardOpium.
Purple Fox is believed to have affected tens of thousands of users, initially dropping crypto-miners onto compromised machines. Over time, however, it received several improvements, such as the addition of rootkit code and the recently added exploits.
Analysis of the infection chain has revealed the use of a script that first checks the operating system on the target machine to select the method for executing the next stage payload (via msiexec.exe).
It would also attempt to elevate privileges using exploits for the CVE-2018-8120 and CVE-2015-1701 vulnerabilities impacting the Win32k multiuser driver. Recent versions of the script also include an exploit for CVE-2019-1458, Proofpoint reveals.
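The script-to-msiexec.exe hand-off described above is the kind of parent/child relationship a defender can look for in process-creation telemetry. The following is an added example, not Proofpoint's code or anything from the Purple Fox analysis: it assumes JSON process-creation events with the fields shown (modelled loosely on Sysmon Event ID 1), assumes a set of script hosts for the OS-check stage, and generalizes slightly by walking up to three ancestors so a script host that launches msiexec.exe through cmd.exe is also caught.

```python
"""Flag msiexec.exe launched (directly or within a few hops) by a script host.

The events below are constructed sample data; field names and the script-host
list are this example's assumptions, not values from the Purple Fox write-up."""
import json
from typing import Dict, Iterable, List

# Script interpreters assumed to run the OS-check stage (assumption).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

SAMPLE_EVENTS = r"""
{"pid": 4001, "ppid": 612,  "image": "C:\\Windows\\explorer.exe",             "user": "corp\\alice"}
{"pid": 4180, "ppid": 4001, "image": "C:\\Windows\\System32\\cscript.exe",    "user": "corp\\alice"}
{"pid": 4212, "ppid": 4180, "image": "C:\\Windows\\System32\\msiexec.exe",    "user": "corp\\alice"}
{"pid": 4190, "ppid": 4180, "image": "C:\\Windows\\System32\\cmd.exe",        "user": "corp\\alice"}
{"pid": 4195, "ppid": 4190, "image": "C:\\Windows\\System32\\msiexec.exe",    "user": "corp\\alice"}
{"pid": 4300, "ppid": 4001, "image": "C:\\Windows\\System32\\msiexec.exe",    "user": "corp\\alice"}
{"pid": 4350, "ppid": 900,  "image": "C:\\Windows\\System32\\msiexec.exe",    "user": "NT AUTHORITY\\SYSTEM"}
""".strip().splitlines()


def _name(image: str) -> str:
    """Lower-cased file name of an image path (handles backslash paths)."""
    return image.rsplit("\\", 1)[-1].lower()


def parse_events(lines: Iterable[str]) -> List[Dict]:
    return [json.loads(line) for line in lines if line.strip()]


def find_script_to_msiexec(events: List[Dict], max_depth: int = 3) -> List[Dict]:
    """Return one hit per msiexec.exe whose ancestry (up to max_depth) has a script host."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _name(e["image"]) != "msiexec.exe":
            continue
        cur, depth = e, 0
        while depth < max_depth and cur["ppid"] in by_pid:
            cur = by_pid[cur["ppid"]]
            depth += 1
            if _name(cur["image"]) in SCRIPT_HOSTS:
                hits.append({"msiexec_pid": e["pid"], "script_host": _name(cur["image"]),
                             "hops": depth, "user": e["user"]})
                break
    return hits


if __name__ == "__main__":
    for hit in find_script_to_msiexec(parse_events(SAMPLE_EVENTS)):
        print(hit)
```

Tune SCRIPT_HOSTS and max_depth to the environment; msiexec.exe run by an installer or by SYSTEM with no script-host ancestor (the last two sample events) is deliberately not flagged.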
Although not as prevalent as they used to be, exploit kits remain part of the threat landscape, and their developers regularly add exploits for more recent vulnerabilities to improve infection rates; the Purple Fox EK developers are attempting the same.
The exploits added to the EK’s arsenal, however, target vulnerabilities that were addressed via security updates months ago, which underlines the importance of patching computers in a timely manner.
“The fact that the authors of the Purple Fox malware have stopped using the RIG EK and moved to build their own EK to distribute their malware reminds us that malware is a business. In essence, the authors behind the Purple Fox malware decided to bring development ‘in-house’ to reduce costs, just like many legitimate businesses do. Bringing the distribution mechanism ‘in-house’ also enables greater control over what the EK actually loads,” Proofpoint also notes.