Purple Fox Adds New Microsoft Exploits to its Arsenal

Purple Fox EK and Microsoft exploits

• Last week, Proofpoint researchers identified that the EK can now target two Microsoft vulnerabilities (CVE-2020-0674 and CVE-2019-1458).
• The first, CVE-2020-0674, is a memory corruption vulnerability in Internet Explorer that Microsoft had fixed in its February 2020 patch Tuesday update. The second one, CVE-2019-1458, is a local privilege elevation (LPE) flaw that Microsoft fixed in December 2019.
• In late June, the attackers launched a malvertising campaign that used the Purple Fox EK, successfully exploiting Internet Explorer 11 on Windows 10 and Internet Explorer’s usage of jscript.dll (via CVE-2020-0674).

The DarkHotel APT connection

• In April, the DarkHotel group exploited two already patched vulnerabilities (CVE-2020-0674 and CVE-2019-1702) in Internet Explorer and Firefox browsers in targeted attacks in China and Japan.
• In March, it was disclosed that the DarkHotel hackers had used the vulnerability (CVE-2020-0674) to target North Koreans and North Korea-focused professionals in 2019.

Evolution of Purple Fox EK

• In September 2019, Purple Fox authors replaced the RIG EK in the distribution chain and moved to build their own EK (dubbed Purple Fox EK) to distribute their malware.
• Initially, Purple Fox EK  exploited a specific set of vulnerabilities, including CVE-2018-15982, CVE-2014-6332, CVE-2018-8174, CVE-2015-1701, and CVE-2018-8120. Gradually it evolved to include many new exploits as well.