‘Purple Fox’ Fileless Malware with Rookit Component Delivered by Rig Exploit Kit Now Abuses PowerShell

Exploit kits may no longer be as prolific as it was back when their activities were detected in the millions, but their recurring activities in the first half of 2019 indicate that they won’t be going away any time soon. The Rig exploit kit, for instance, is known for delivering various payloads — such as downloader trojansransomwarecryptocurrency-mining malware, and information stealers — whose arrival and delivery techniques are also constantly fine-tuned.

The Purple Fox fileless downloader malware, which was reported to have at least affected 30,000 users last year, is a recent example. Also delivered by the Rig exploit kit, Purple Fox previously used the Nullsoft Scriptable Install System (NSIS) tool to retrieve and execute its payload. We’ve also previously seen Purple Fox downloading and executing cryptocurrency-mining malware.

This new iteration of Purple Fox that we came across, also being delivered by Rig, has a few new tricks up its sleeve. It retains its rootkit component by abusing publicly available code.

Read more…
Source: Trend Micro