Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management

Purple Fox Malware Targets More Vulnerabilities

Proofpoint Says Gang Upgraded Exploit Kit
Purple Fox Malware Targets More Vulnerabilities
(Photo: TweTwe via Pixabay/CC)

The developers behind the Purple Fox fileless downloader malware recently upgraded their operation and are now targeting two new vulnerabilities to gain access to networks, according to a report by security firm Proofpoint.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

Purple Fox victimized 30,000 users in 2018 alone, according to an earlier report by TrendMicro.

The Purple Fox gang recently built a new exploit kit, given the eponymous name Purple Fox, replacing the RIG exploit kit that it previously used to distribute the malware. This move enables the gang to eliminate the cost of buying an off-the-shelf kit, according to the new Proofpoint report.

Plus, Purple Fox is now exploiting two additional vulnerabilities. The first, tracked as CVE-2020-0674, is a scripting engine memory corruption vulnerability in Internet Explorer that could allow attackers to take control of the system and remotely execute code, according to Proofpoint. The second flaw, CVE-2019-1458, is a local privilege elevation vulnerability in certain versions of Windows.

Microsoft issued patches last year for each of these bugs, according to the report.

"As exploit kits have been waning, the Purple Fox exploit kit continues to update and stay relevant with new exploits," Sherrod DeGrippo, senior director of threat research at Proofpoint, tells Information Security Media Group.

Malware Methods

"The goal of these attacks is to successfully exploit a vulnerable target so that they can run PowerShell in a way that downloads additional malware," DeGrippo says. Once deployed, the Purple Fox malware ends up staging a rootkit to maintain persistence, he adds.

Purple Fox has been exploiting the two additional vulnerabilities since at least mid-June, DeGrippo notes.

In one incident observed by the researchers, attackers took advantage of CVE-2020-0674 to launch a malvertising attack by utilizing Internet Explorer’s usage of jscript.dll, a file system that allows Windows to operate. The malicious script tries to leak an address from the regular expression implementation within jscript.dll, according to Proofpoint.

The malicious JavaScript uses those leaked addresses to search for the Portable Executable header of jscript.dll, which is then used to locate an import descriptor containing the process and memory manipulation function required to load the actual shellcode, the report says.

"Once the shellcode is triggered, it enumerates loaded modules from the [Process Environment Block] to locate WinExec for creating a new process,” the report says, adding that the new process begins the execution of the malware.

Distributing Malware

Purple Fox is primarily used to distribute other types of malware, such as information stealers, cryptominers, ransomware and Trojans, which are owned and operated by the threat actor developing the kit; it’s not sold for use by others, DeGrippo says.

The switch to an in-house exploit kit and the targeting of two new vulnerabilities shows that the creators of Purple Fox are “making decisions based on cost saving and moving quickly to adjust to new developments that can enable them to expand their market," DeGrippo says.

About the Author

Ishita Chigilli Palli

Ishita Chigilli Palli

Senior Correspondent, Global News Desk

As senior correspondent for Information Security Media Group's global news desk, Ishita covers news worldwide. She previously worked at Thomson Reuters, where she specialized in reporting breaking news stories on a variety of topics.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.