Security company Proofpoint has identified two new exploits coded into Purple Fox, an exploit kit that has evolved dramatically in the last year. The updates show that cyber-criminals are continuing to invest in infection tools to help get their malware onto victims’ systems even though exploit kits are declining as an attack technique, the company said.
An exploit kit is a tool used to deliver malware onto a victim’s device automatically via a website. It is an automated threat that uses compromised websites to drive up web traffic and scan for vulnerable browsers so that it can deliver its malware-based payload.
Exploit kits are the basis for drive-by downloads that infect a victim as soon as they visit a malicious site. They have often been sold as services to distribute malware, providing cyber-criminals with a conduit to infect victims’ machines, but according to Proofpoint their popularity has declined of late.
“Exploit Kits are not as prevalent as they were a few years ago. However, they are still part of the threat landscape,” explained the company. “One thing that hasn’t changed regarding exploit kits is the way in which exploit kit authors regularly update to include new attacks against newly discovered vulnerabilities.”
Purple Fox started out as a fileless downloader Trojan malware delivered by an exploit kit called Rig. According to a 2018 write-up by Qihoo 360 Technology, it had infected at least 30,000 users at the time. Trend Micro had spotted it downloading and executing cryptomining malware onto victims’ devices. Last year, it switched from the Nullsoft Scriptable Install System to Windows PowerShell as a means of retrieving and delivering various kinds of malware.
Now, according to Proofpoint, it has become an exploit kit in its own right, built to replace Rig. It has added two new exploits, both patched by Microsoft in the last few months.
The first, CVE-2019-1458, is a local privilege elevation mobility that Microsoft fixed in December last year. The second, CVE-2020-0674, is a bug in Internet Explorer that Microsoft fixed in its February 2020 patch Tuesday update.
“The fact that the authors of the Purple Fox malware have stopped using the RIG EK [exploit kit] and moved to build their own EK to distribute their malware reminds us that malware is a business,” Proofpoint said in its analysis. “In essence, the authors behind the Purple Fox malware decided to bring development ‘in-house’ to reduce costs, just like many legitimate businesses do.”