The cyber-criminals are continuously attempting to sharpen their malicious tools to increase the chances of a successful heist on victims’ systems. Purple Fox Exploit Kit (EK), first seen in 2019, has evolved dramatically in the past year, and very recently it has added several new exploits to target its victims.

Purple Fox EK and Microsoft exploits

According to the latest findings, the Purple Fox EK has added two new exploits, both of which were already patched a few months ago by Microsoft.
  • Last week, Proofpoint researchers identified that the EK can now target two Microsoft vulnerabilities (CVE-2020-0674 and CVE-2019-1458).
  • The first, CVE-2020-0674, is a memory corruption vulnerability in Internet Explorer that Microsoft had fixed in its February 2020 patch Tuesday update. The second one, CVE-2019-1458, is a local privilege elevation (LPE) flaw that Microsoft fixed in December 2019.
  • In late June, the attackers launched a malvertising campaign that used the Purple Fox EK, successfully exploiting Internet Explorer 11 on Windows 10 and Internet Explorer’s usage of jscript.dll (via CVE-2020-0674).

The DarkHotel APT connection

The vulnerability, CVE-2020-0674, is often linked to the DarkHotel APT group. Since at least January 2020, the DarkHotel APT (aka APT-C-06) has been exploiting this vulnerability in targeted campaigns.
  • In April, the DarkHotel group exploited two already patched vulnerabilities (CVE-2020-0674 and CVE-2019-1702) in Internet Explorer and Firefox browsers in targeted attacks in China and Japan.
  • In March, it was disclosed that the DarkHotel hackers had used the vulnerability (CVE-2020-0674) to target North Koreans and North Korea-focused professionals in 2019.

Evolution of Purple Fox EK

Purple Fox, first identified in 2018, was originally a backdoor Trojan.
  • In September 2019, Purple Fox authors replaced the RIG EK in the distribution chain and moved to build their own EK (dubbed Purple Fox EK) to distribute their malware.
  • Initially, Purple Fox EK  exploited a specific set of vulnerabilities, including CVE-2018-15982, CVE-2014-6332, CVE-2018-8174, CVE-2015-1701, and CVE-2018-8120. Gradually it evolved to include many new exploits as well.

Cyware Publisher