Purple Fox EK updated with exploits for two Microsoft bugs

The operators behind Purple Fox exploit kit have added two new exploits targeting critical- and high-severity vulnerabilities (CVE-2020-0674 and CVE-2019-1458) in Microsoft’s products to their arsenal, according to a new report from Proofpoint.

Purple Fox EK has replaced the RIG exploit kit in the distribution chain of Purple Fox malware, which allows the malware authors to distribute Purple Fox without having to pay for the RIG EK.

CVE-2020-0674 is a scripting engine memory corruption vulnerability in Internet Explorer that Microsoft disclosed in January 2020 and fixed as part of the February 2020 Patch Tuesday release. The vulnerability allows an attacker to execute arbitrary code in the context of the current user.

CVE-2019-1458 is a local privilege elevation (LPE) vulnerability that was used in Operation WizardOpium and fixed by Microsoft as part of the December 2019 Patch Tuesday release.

Researchers observed a malvertising campaign in June this year that leveraged the Purple Fox EK, successfully exploiting Internet Explorer 11 via CVE-2020-0674 on Windows 10. The exploit for CVE-2020-0674 targets Internet Explorer’s use of jscript.dll, a library required for Windows to operate. At the start of the exploit process, the malicious script attempts to leak an address from the RegExp implementation within jscript.dll.

Using this information, the malicious JavaScript searches for the PE header of jscript.dll, which it then uses to locate an import descriptor for kernel32.dll, the library that contains the process and memory manipulation functions required to load the actual shellcode.
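The stage just described (find the PE header of a mapped module, walk its import directory, pick out the descriptor for kernel32.dll) is plain PE parsing, and an analyst triaging a deobfuscated exploit script needs to recognise it. The following is an added Python example, not code from the Proofpoint report or from the exploit kit, that performs that walk over a small constructed in-memory image. It assumes the image is already mapped (so a relative virtual address equals an offset into the buffer, as it would inside a loaded process) and the sample image, its offsets and DLL names are all constructed for illustration.

```python
import struct

# IMAGE_IMPORT_DESCRIPTOR layout: OriginalFirstThunk, TimeDateStamp,
# ForwarderChain, Name (RVA of the DLL name), FirstThunk (RVA of the IAT).
IMPORT_DESCRIPTOR_SIZE = 20


def read_cstring(image: bytes, offset: int) -> str:
    """Read a NUL-terminated ASCII string at `offset`."""
    end = image.index(b"\0", offset)
    return image[offset:end].decode("ascii")


def find_pe_header(image: bytes) -> int:
    """Validate the DOS header and return the offset of the 'PE\\0\\0' signature."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew


def import_directory(image: bytes, pe_off: int) -> tuple[int, int]:
    """Return (RVA, size) of the import table from the optional header's data directory."""
    opt = pe_off + 24                      # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:                     # PE32: data directory starts at offset 96
        dd_off = 96
    elif magic == 0x20B:                   # PE32+: data directory starts at offset 112
        dd_off = 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", image, opt + dd_off - 4)[0]
    if num_dirs < 2:
        raise ValueError("no import directory entry")
    # Entry index 1 is IMAGE_DIRECTORY_ENTRY_IMPORT; each entry is 8 bytes.
    return struct.unpack_from("<II", image, opt + dd_off + 8)


def iter_import_descriptors(image: bytes):
    """Yield (offset, name, original_first_thunk, first_thunk) until the null descriptor."""
    pe_off = find_pe_header(image)
    rva, _size = import_directory(image, pe_off)
    off = rva                              # mapped image: RVA == buffer offset (assumption)
    while off + IMPORT_DESCRIPTOR_SIZE <= len(image):
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<5I", image, off)
        if name_rva == 0 and ft == 0:      # all-zero descriptor terminates the table
            break
        yield off, read_cstring(image, name_rva), oft, ft
        off += IMPORT_DESCRIPTOR_SIZE


def list_imported_dlls(image: bytes) -> list[str]:
    """Names of every DLL the image imports, in table order."""
    return [name for _off, name, _oft, _ft in iter_import_descriptors(image)]


def find_import_descriptor(image: bytes, dll_name: str):
    """Locate the descriptor for `dll_name` (case-insensitive) or return None."""
    for off, name, oft, ft in iter_import_descriptors(image):
        if name.lower() == dll_name.lower():
            return {"offset": off, "name": name,
                    "original_first_thunk": oft, "first_thunk": ft}
    return None


def build_sample_image() -> bytes:
    """Constructed minimal PE32 image with two imports (not a real module)."""
    img = bytearray(0x500)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                     # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 1 section, no symbols, 0xE0-byte optional header
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", img, opt + 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8, 0x200, 60)        # import directory RVA/size
    struct.pack_into("<5I", img, 0x200, 0x380, 0, 0, 0x300, 0x400)   # msvcrt.dll
    struct.pack_into("<5I", img, 0x214, 0x390, 0, 0, 0x310, 0x410)   # KERNEL32.dll
    img[0x300:0x30B] = b"msvcrt.dll\0"                           # null descriptor at 0x228 is implicit
    img[0x310:0x31D] = b"KERNEL32.dll\0"
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    print("imports:", list_imported_dlls(sample))
    print("kernel32 descriptor:", find_import_descriptor(sample, "kernel32.dll"))
```

Run against a module dumped from a live process, the same walk shows which descriptor an in-memory resolver would stop at; in a script under review, arithmetic that reads a 32-bit value at offset 0x3C, checks for the "PE" signature and then steps through 20-byte records comparing names is the signature of this stage.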

In previous campaigns, the Purple Fox EK used exploits for CVE-2018-8120 and CVE-2015-1701 to gain admin privileges, but the latest version of the exploit kit also incorporates an exploit for CVE-2019-1458 for this purpose, the researchers said.

“In this latest revision to the Purple Fox EK, we see the authors adding attacks against both CVE-2020-0674 and CVE-2019-1458, two vulnerabilities that came out at the end of 2019 and early 2020. This tells us that the authors of Purple Fox are staying up to date on viable exploitable vulnerabilities and updating when they become available. It’s reasonable to expect that they will continue to update as new vulnerabilities are discovered,” Proofpoint concluded.
