The Purple Fox exploit kit (EK) has added two new exploits targeting critical- and high-severity Microsoft vulnerabilities to its bag of tricks – and researchers say they expect more attacks to be added in the future.
The Purple Fox EK was previously analyzed in September, when researchers said that it appears to have been built to replace the Rig EK in the distribution chain of Purple Fox malware, which is a trojan/rootkit. The latest revision to the exploit kit has added attacks against flaws tracked as CVE-2020-0674 and CVE-2019-1458, which were first disclosed at the end of 2019 and early 2020. Purple Fox previously used exploits targeting older Microsoft flaws, including ones tracked as CVE-2018-8120 and CVE-2015-1701.
“This tells us that the authors of Purple Fox are staying up to date on viable exploitable vulnerabilities and updating when they become available,” said researchers with Proofpoint in a Monday analysis. “It’s reasonable to expect that they will continue to update as new vulnerabilities are discovered.”
CVE-2020-0674 is a critical scripting engine memory corruption vulnerability in Internet Explorer, which was disclosed by Microsoft in a January 2020 out-of-band security advisory. The flaw could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user – meaning that an adversary could gain the same user rights as the current user. The flaw was later fixed as part of the February 2020 Patch Tuesday release. Since then, further analysis of the flaw has been published and proof-of-concept (PoC) code has been released, said researchers.
CVE-2019-1458 meanwhile is a high-severity elevation-of-privilege vulnerability in Win32k, which has a zero-day exploit circulating in the wild (used in attacks including Operation WizardOpium). The exploit allows attackers to gain higher privileges on the attacked machine and avoid protection mechanisms in the Google Chrome browser, researchers said. The flaw, which has a CVSS score of 7.8 out of 10, was fixed by Microsoft as part of its December Patch Tuesday release.
Purple Fox
Researchers discovered a malvertising campaign in late June that utilized the Purple Fox EK, successfully exploiting Internet Explorer 11 via CVE-2020-0674 on Windows 10. The exploit used for CVE-2020-0674 targets Internet Explorer’s usage of jscript.dll, a library required for Windows to operate. At the start of the exploit process, the malicious script attempts to leak an address from the RegExp implementation within jscript.dll.
With that leaked address, the malicious JavaScript code then searches for the PE header of jscript.dll, and then uses that header to locate an import descriptor for kernel32.dll. That contains the process and memory manipulation functions required for the EK to load the actual shellcode.
“In particular, the function GetModuleHandleA is used to obtain the running module handle,” said researchers. “This handle is used along with GetProcAddress to locate VirtualProtect, which is in turn used to enable ‘read, write, execute’ (RWX) permissions on the shellcode. Finally, the shellcode is triggered by calling an overwritten implementation of RegExp::test.”
The shellcode then locates WinExec to create a new process, which begins the actual execution of the malware.
EK Future
While exploit kits are not as popular as they were a few years ago, researchers stress that they are still part of the threat landscape, with EKs like Fallout and Rig continually retooling.
“One thing that hasn’t changed regarding exploit kits is the way in which exploit-kit authors regularly update to include new attacks against newly discovered vulnerabilities,” researchers said.
By building their own EK for distribution, the authors of the Purple Fox malware have been able to save money by no longer paying for the Rig EK. This shows that the attackers behind the Purple Fox malware are taking a “professional approach” by looking to save money and keep their product current, researchers said.
“The fact that the authors of the Purple Fox malware have stopped using the RIG EK and moved to build their own EK to distribute their malware reminds us that malware is a business,” they said. “In essence, the authors behind the Purple Fox malware decided to bring development ‘in-house’ to reduce costs, just like many legitimate businesses do. Bringing the distribution mechanism ‘in-house’ also enables greater control over what the EK actually loads.”
BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to register for this Threatpost webinar, sponsored by Valimail.