The developers of the Purple Fox Trojan/rootkit have created their own exploit kit to distribute their malware and have recently added exploits for two recently patched Microsoft vulnerabilities, according to cybersecurity firm Proofpoint.
The first exploit targets a high-severity elevation of privilege vulnerability in the Win32k component of Windows, which Microsoft patched on December 2019 Patch Tuesday. The second targets CVE-2020-0674, a remote code execution flaw in the scripting engine of Internet Explorer that Microsoft patched on February 2020 Patch Tuesday. The two are complementary: the Internet Explorer bug gets code running in the browser's context, and the Win32k bug lets that code escalate to a higher privilege level on the host.
An exploit kit is a web-hosted toolkit: when a visitor lands on its page, it fingerprints the browser, plugins and operating system and selects an exploit matching any unpatched vulnerability it finds. Exploit kits typically contain exploits for multiple vulnerabilities. If the visitor's software is vulnerable, the exploit is triggered and the malware payload is downloaded and run with no user interaction. Exploit kits are loaded onto compromised websites or hosted on attacker-controlled domains. Traffic to them is generated through phishing emails and, most commonly, through chains of redirects from malicious adverts (malvertising).
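The malvertising path described above leaves a recognisable trace in web-proxy logs: an ordinary site, an ad-network request, one or more redirects to a host the client has never visited, and finally an executable served to a browser the kit can exploit. The script below is an added example written for this article, not code from Proofpoint or from the Purple Fox authors. It reconstructs per-client redirect chains from referrer links and flags chains that pass through an ad host and end with an executable delivered to an Internet Explorer user agent. The tab-separated log format, the sample log lines, the `AD_HOSTS` set and the heuristics are all assumptions for illustration; adapt the fields to your proxy's format and feed it your own ad-network categorisation.

```python
"""Reconstruct redirect chains from proxy logs and flag malvertising-style
chains that end in an executable served to Internet Explorer.

Added example for this article; the log format, hosts and heuristics are
assumptions, not Proofpoint's or the Purple Fox authors' code.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample log (tab separated): time, client IP, URL, referrer,
# user agent, HTTP status, response content-type. Not real traffic.
SAMPLE_LOG = """\
10:00:01\t10.0.0.5\thttp://news.example/article\t-\tMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\t200\ttext/html
10:00:02\t10.0.0.5\thttp://ads.example/serve?id=7\thttp://news.example/article\tMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\t302\t-
10:00:02\t10.0.0.5\thttp://cdn-track.example/go\thttp://ads.example/serve?id=7\tMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\t302\t-
10:00:03\t10.0.0.5\thttp://lp.example/index.php\thttp://cdn-track.example/go\tMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\t200\ttext/html
10:00:05\t10.0.0.5\thttp://lp.example/update.exe\thttp://lp.example/index.php\tMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\t200\tapplication/octet-stream
10:00:07\t10.0.0.9\thttp://news.example/article\t-\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/84.0\t200\ttext/html
10:00:08\t10.0.0.9\thttp://ads.example/serve?id=7\thttp://news.example/article\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/84.0\t302\t-
10:00:08\t10.0.0.9\thttp://lp.example/index.php\thttp://ads.example/serve?id=7\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/84.0\t200\ttext/html
"""

IE_UA = re.compile(r"MSIE|Trident/")          # Internet Explorer user agents
AD_HOSTS = {"ads.example"}                     # assumed ad-network hosts
EXEC_TYPES = {"application/octet-stream", "application/x-msdownload",
              "application/x-dosexec"}


@dataclass
class Request:
    time: str
    client: str
    url: str
    referrer: str
    ua: str
    status: int
    ctype: str


def parse_log(text: str) -> list[Request]:
    """Parse the tab-separated sample format into Request records."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, client, url, ref, ua, status, ctype = line.split("\t")
        reqs.append(Request(t, client, url, ref, ua, int(status), ctype))
    return reqs


def host(url: str) -> str:
    return urlparse(url).hostname or ""


def chain_for(req: Request, by_url: dict[str, Request]) -> list[str]:
    """Follow referrer links backwards from req to the first page the
    client opened directly (no referrer), returning URLs in visit order."""
    chain, seen, cur = [req.url], {req.url}, req
    while cur.referrer != "-" and cur.referrer not in seen:
        seen.add(cur.referrer)
        chain.append(cur.referrer)
        nxt = by_url.get(cur.referrer)
        if nxt is None:          # referrer never logged for this client
            break
        cur = nxt
    chain.reverse()
    return chain


def find_suspicious_chains(reqs: list[Request]) -> dict[str, list[str]]:
    """Return {client: chain} where an IE browser was routed through an ad
    host to a different host that then served an executable."""
    per_client: dict[str, dict[str, Request]] = defaultdict(dict)
    for r in reqs:
        per_client[r.client].setdefault(r.url, r)   # first request per URL
    hits: dict[str, list[str]] = {}
    for client, by_url in per_client.items():
        for r in by_url.values():
            is_payload = (r.ctype in EXEC_TYPES
                          or r.url.lower().endswith((".exe", ".dll")))
            if not (is_payload and r.status == 200 and IE_UA.search(r.ua)):
                continue
            chain = chain_for(r, by_url)
            hosts = [host(u) for u in chain]
            if any(h in AD_HOSTS for h in hosts) and hosts[-1] != hosts[0]:
                hits[client] = chain
    return hits


if __name__ == "__main__":
    for client, chain in find_suspicious_chains(parse_log(SAMPLE_LOG)).items():
        print(client, " -> ".join(chain))
```

Run on the constructed log, only 10.0.0.5 is reported: the Chrome client (10.0.0.9) reaches the same landing page through the same advert but is never served a payload, which is what gating on browser fingerprint looks like from the network side. The landing page host itself is still worth blocking for every client that reached it, so a second, lower-severity rule for "any client that followed an ad redirect to a host seen nowhere else" is a natural extension.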
Exploit kit developers often rent out their EKs to malware operators as a service, as was the case with the RIG EK, which the Purple Fox operators had been using. Purple Fox was first identified by Trend Micro in September 2019.
Now researchers at Proofpoint have observed the Purple Fox Trojan being delivered by a new exploit kit. The malware developers appear to have built their own kit rather than continuing to pay for the RIG EK. Having gone to the trouble of creating their own exploit kit to increase profits, they are very likely to add further exploits to the Purple Fox EK in the future. Traffic to the exploit kit is being generated by a malvertising campaign that Proofpoint identified in June.
“In essence, the authors behind the Purple Fox malware decided to bring development ‘in-house’ to reduce costs, just like many legitimate businesses do. Bringing the distribution mechanism ‘in-house’ also enables greater control over what the EK actually loads,” explained Proofpoint.
Exploit kits were once hugely popular tools for delivering malware, although EK activity is now a tiny fraction of what it was in their heyday in 2015/2016. Even at this relatively low level, EKs still pose a threat. They are regularly updated with new, reliable exploits for recently patched vulnerabilities and prey on users who do not apply patches promptly.
Web filtering solutions can offer protection against exploit kits by preventing end users from visiting websites known to have been compromised, but by far the best defense is to apply patches promptly. A user who is directed to a website hosting an exploit kit on a fully patched device is protected against every exploit the kit currently carries, since exploit kits rely on vulnerabilities that have already been fixed. The problem is that many businesses are not up to date on their patching.