In September 2020, we published a blog describing how the PurpleFox Exploit Kit used Cloudflare services to maintain an infrastructure resilient to blocking and detection attempts. Since then, PurpleFox has been maintaining this strategy while at same time improving its attack chain by incorporating the latest public vulnerabilities into its arsenal.
Recently, we found that PurpleFox added a very old tactic to increase its delivering performance. This time PurpleFox EK is making use of WPAD domains to infect users. While a WPAD abuse attack is a technique that has been around for approximately 14 years, it still works. Initiatives to prevent this attack help, but they are not sufficient.
Source: Trend Micro