Purple Fox Malware Targets More VulnerabilitiesProofpoint Says Gang Upgraded Exploit Kit
The developers behind the Purple Fox fileless downloader malware recently upgraded their operation and are now targeting two new vulnerabilities to gain access to networks, according to a report by security firm Proofpoint.
Purple Fox victimized 30,000 users in 2018 alone, according to an earlier report by TrendMicro.
The Purple Fox gang recently built a new exploit kit, given the eponymous name Purple Fox, replacing the RIG exploit kit that it previously used to distribute the malware. This move enables the gang to eliminate the cost of buying an off-the-shelf kit, according to the new Proofpoint report.
Plus, Purple Fox is now exploiting two additional vulnerabilities. The first, tracked as CVE-2020-0674, is a scripting engine memory corruption vulnerability in Internet Explorer that could allow attackers to take control of the system and remotely execute code, according to Proofpoint. The second flaw, CVE-2019-1458, is a local privilege elevation vulnerability in certain versions of Windows.
Microsoft issued patches last year for each of these bugs, according to the report.
"As exploit kits have been waning, the Purple Fox exploit kit continues to update and stay relevant with new exploits," Sherrod DeGrippo, senior director of threat research at Proofpoint, tells Information Security Media Group.
"The goal of these attacks is to successfully exploit a vulnerable target so that they can run PowerShell in a way that downloads additional malware," DeGrippo says. Once deployed, the Purple Fox malware ends up staging a rootkit to maintain persistence, he adds.
Purple Fox has been exploiting the two additional vulnerabilities since at least mid-June, DeGrippo notes.
In one incident observed by the researchers, attackers took advantage of CVE-2020-0674 to launch a malvertising attack by utilizing Internet Explorer’s usage of jscript.dll, a file system that allows Windows to operate. The malicious script tries to leak an address from the regular expression implementation within jscript.dll, according to Proofpoint.
"Once the shellcode is triggered, it enumerates loaded modules from the [Process Environment Block] to locate WinExec for creating a new process,” the report says, adding that the new process begins the execution of the malware.
Purple Fox is primarily used to distribute other types of malware, such as information stealers, cryptominers, ransomware and Trojans, which are owned and operated by the threat actor developing the kit; it’s not sold for use by others, DeGrippo says.
The switch to an in-house exploit kit and the targeting of two new vulnerabilities shows that the creators of Purple Fox are “making decisions based on cost saving and moving quickly to adjust to new developments that can enable them to expand their market," DeGrippo says.