Introduction

The trojan known as Purple Fox was first discovered by 360 Total Security on September 25th 2018. At the time of publishing, the statistics they had gathered estimated that over thirty-thousand (30,000) users were affected by the malware. Since its debut, there have been a number of updates and additions to Purple Fox that have ensured it has remained notable in the threat landscape.   This report aims to provide an overview of everything currently known regarding Purple Fox and the various changes and additions to its functionality over time.

This report aims to provide an overview of everything known regarding Purple Fox and the various changes and additions to its functionality over time. 

1. First sighting of Purple Fox (2018-09-25)

2. Leveraging Powershell (2019-09-09)

3. Purple Fox Exploit Kit (2020-07-05)

4. New privilege escalation exploits (2020-10-19)

5. Spreading through SMB (2021-03-24)

6. CVE-2021-26411 (2021-04-14)

7. Purple Fox exploits WPAD (2021-07-01)

8. PrintNightmare vulnerabilities (2021-07-25)

9. FoxSocket Backdoor (2021-10-19)

10. SQL Server Crypto-mining (2021-12-13)

11. Dropping Purple Fox with fake Telegram Installer (2022-01-03)

First sighting of Purple Fox (2018-09-25)

The first reported instance of Purple Fox was in an analysis carried out by 360 Total Security (360 Total Security, 2018) examining a trojan that drops itself using an MSI installation package, and alters registry values to replace a legitimate Windows system file.

The initial stage of infection often relies on a third party Exploit Kit (EK) called RIG EK. Victims browse to compromised or malicious websites hosting the EK which then drops the malware onto the victims system. The initial dropper is an installation package created using Nullsoft Scriptable Install System (NSIS).

The built-in Windows installer msiexec.exe is leveraged to run the installation package retrieved from the website. The installation package in turn drops two files into the Windows directory: winupdate64.log, a malicious DLL that acts as a loader and sysupdate.log, the payload of the malware. 

The installer then changes the value of the registry key PendingFileRenameOperations, located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager. As a result of this change, when the system next boots the Windows Session Manager (smss.exe) will read the altered registry value and follow the instructions that have been added. This involves moving the Windows System Event Notification Service (SENS) module sens.dll to a new location, renamed as C:\Windows\AppPatch\Acpsens.dll. The winupdate64.log file is then moved from its original location and renamed as C:\Windows\System32\sens.dll. The sysupdate.log file is also renamed and relocated to the path  C:\Windows\AppPatch\Ke990129.xsl,  the file name potentially varying across variants of the malware.

The malicious DLL winupdate64.log, now renamed as sens.dll, is loaded in place of the original system file with system-level privileges and decrypts and executes the contents of the payload  (Ke990129.xsl/sysupdate.log), which consists of a DLL and a rootkit driver. 

The decrypted payload contents are saved to the System32 directory and then loaded into a spawned but suspended svchost.exe process. The driver is saved as C:\Windows\System32\dump_{random hex values}.sys while the DLL file is saved as C:\Windows\System32\Ms{random hex values}App.dll.  As final steps the malicious sens.dll is deleted and the original sens.dll is restored to its original name and location.   After infection, Purple Fox is often used to retrieve and deploy other types of malware, commonly cryptocurrency mining malware.

Indicators of Compromise

MITRE Techniques

Leveraging Powershell (2019-09-09)

Where Purple Fox previously relied on NSIS-compiled installers to drop and execute its components, Trend Micro have since analysed a new version of the malware which makes use of Powershell instead (Trend Micro, 2019). This allows Purple Fox the capability of fileless infection. Trend Micro also reported additional privilege escalation vulnerabilities being leveraged to increase the likelihood of a successful infection .

Once a user accesses a malicious web page hosting the RIG exploit kit the user is redirected to a malicious Powershell script, masquerading as a .jpg image file, which either directly downloads Purple Fox’s main component or attempts to escalate privileges. The following vulnerabilities can be exploited in order to execute the malicious Powershell script:

• A flash (.swf) file exploits CVE-2021-15982 leading to the execution of the malicious Powershell script.
• An .htm file that exploits CVE-2014-6332 leading to the execution of a malicious Powershell script.
• An .htm file that exploits CVE-2018-8174 which redirects to a malicious HTML application (.hta) file, which then executes the malicious Powershell script.

If the current user does not have administrator privileges, Powersploit modules will be used in an attempt to gain elevated privileges. These Powersploit modules specifically target flaws in the Win32k driver, CVE-2015-1701 and CVE-2018-8120.

Once the script has gained administrative privileges it then proceeds to retrieve and execute a malicious Microsoft Installer (.msi) package, also masquerading as an image file, by leveraging the application programming interface (API) of msi.dll. As with the previous version of Purple Fox analysed, this results in msiexec.exe downloading and running the installer file and the infection chain continuing as previously detailed.

One significant difference from previous versions of Purple Fox is the use of open source code, named hidden (3. Kornev, 2019), to enable its rootkit components. This code allows Purple Fox to hide both registry keys and files from detection methods.

Indicators of Compromise

MITRE Techniques

Purple Fox Exploit Kit (2020-07-05)

On July 7th 2020 Proofpoint detailed how Purple Fox no longer relied on the RIG exploit kit (EK) to deliver its exploits (Proofpoint, 2020). Development of a new EK, dubbed Purple Fox EK, had allowed Purple Fox to continue integrating new exploits into its arsenal. That report also details the addition of vulnerabilities CVE-2020-0674 and CVE-2019-1458, a scripting engine memory corruption vulnerability in Internet Explorer and local privilege elevation vulnerability respectively, into the Purple Fox EK.

In the case of CVE-2020-0674 the Purple Fox EK targets the RegExp function within the jscript.dll file utilised by Internet Explorer. In doing so Purple Fox EK is able to import the functions GetModuleHandleA, GetProcAddress and VirtualProtect from kernel32.dll, allowing the exploit to load and trigger shellcode provided by the EK. Once the shellcode is triggered a new process is created using the function WinExec which runs the command mshta <payload url>, downloading and executing a malicious .hta file on the victim's system.

The final payload is the same as documented in 360 Total Security's initial report (360 Total Security, 2018), and  in the first section of this overview. Below is documentation on differences in the initial staging of the payload and other new observations.

The .hta file first uses Windows Management Instrumentation (WMI) to query the current Operating System (OS) version and will attempt to run the payload differently depending on the Major Version that is returned. It then creates a Wscript.Shell object which is used to execute the next steps:

• If the OS is either Windows XP or Windows Vista, the .hta executes the command msiexec /i <payload url> via the Wscript.shell object.
• If the OS is Windows 7 or any other version not specified, the .hta file uses Powershell to execute the command msiexec /i <payload url> via the Wscript.shell object

When executing the command via Powershell, if the current user does not have administrator privileges the script will attempt to gain admin privileges using local privilege escalation exploits. Purple Fox has previously been observed exploiting CVE-2018-8120 and CVE-2015-1701 via PowerSploit (documented in the previous section), however this mid-2020 version of the malware also contains a more recent privilege escalation exploit, CVE-2019-1458. Once administrator privileges are obtained, the .hta file will execute the commands documented above.

These commands download and execute a remote .msi file which contains encrypted shellcode as well as 32 and 64 bit versions of the payload. 

Indicators of Compromise

MITRE Techniques

New privilege escalation exploits (2020-10-19)

Over the years the exploitive techniques of Purple fox have improved substantially. Previous versions of the malware downloaded exploits for Local Privilege Escalation (LPE) vulnerabilities in the form of binary files renamed with image file extensions, such as update.jpg. As this technique is easily detected by antivirus and endpoint security solutions a new method was devised. The version of Purple Fox detailed in SentinelOne's analysis (13. Sentinel Labs, 2020) instead retrieves actual image files that contain the exploits embedded within them using steganography. The following PowerShell command is used to download one of the images and extract and execute the embedded LPE payload contained within:

SentinelOne also reported that two additional LPE exploits were being used by Purple Fox: CVE-2020-1054 and CVE-2019-0808. Their analysis traced the exploit binaries used to public GitHub repositories. Most notably it was discovered that these exploits set and check the value StayOnTop within the registry key HKCU\Software\7-zip in order to determine if the payload was successfully executed. This key value is not used by the legitimate 7-Zip software, providing a consistent indicator of compromise for the execution of the exploits and Purple Fox infection.

Purple Fox's code obfuscation has also been improved by using VMProtect to pack the msi files downloaded by the dropper. This makes reverse engineering the code much more complicated. However, the report indicates that the payload portion of Purple Fox has not changed substantially and still employs similar methods, such as using the open source hidden project as its rootkit, as previous versions of the payload.

Indicators of Compromise

MITRE Techniques

Spreading through SMB (2021-03-24)

Further investigation of Purple Fox over time led to the identification of a new spreading mechanism via the exploitation of Server Message Block (SMB) protocol (6. Guardicore, 2021). In addition, the malware appeared to use compromised systems as hosts for the Purple Fox payloads which would then be used to infect other systems. This method of infection allows for Purple Fox to spread without any user action, akin to a worm, where previous methods relied on victims falling for phishing attacks.

Access to compromised systems is achieved through scanning for exposed SMB ports (port TCP445), and initiating brute force attacks against the target hosts authentication systems. In the event that access is gained the malware establishes persistence by creating a service on the compromised system utilising the naming convention AC0{x}, where x represents an integer between one (1) and nine (9). The newly created service is responsible for iterating through a list of dropper URLs for the Purple Fox MSI installer. The msiexec.exe process is executed with the /i flag to install from a remote host, and the /Q flag to run without any user prompts, obscuring the operation.

During the installation process, in which the payload is deployed and executed, the malware also modifies the Windows firewall by utilising native utility netsh.exe. A new policy named ‘Qianye’ is added, with a filter (titled ‘Filter1’) to prohibit inbound traffic from all external IP addresses on ports 445, 139 and 135 (TCP and UDP). This is likely done to prevent reinfection or infection from a different attacker. An IPv6 interface is also installed on the system to later allow the malware to port scan IPv6 addresses.

After the malware has been installed and the system restarted, the malware will continue the cycle of infection by attempting to propagate from the infected machine through SMB by port scanning other devices and brute forcing authentication.

Indicators of Compromise

MITRE Techniques

CVE-2021-26411 (2021-04-14)

On April 4th 2021, HP Wolf Security carried out an investigation on a new sample of Purple Fox (7. HP Wolf Security, 2021). They discovered that it had enhanced its initial exploitation abilities through the addition of an exploit for CVE-2021-26411, another memory corruption vulnerability in Internet Explorer.

The code used by Purple Fox to exploit this vulnerability closely matches that of a proof of concept (POC) released by security researchers at Enki (8. Enki, 2021). The exploit is obfuscated in several layers and encrypted using Advanced Encryption Standard (AES), however, once the researchers were able to recover the source code they noted that the only major difference between the Enki POC and the exploit used by Purple Fox was the length of the shellcode, with the Purple Fox shellcode being several times longer than that used in the Enki POC.

As seen in previous Purple Fox infections, the initial exploitation takes place via drive-by-compromise. In this case, victims entering a search term into google visited a web page that redirects to a site hosting the Purple Fox Exploit Kit (EK).

Unlike previously observed variants of the Purple Fox EK, this variant uses geofencing to ensure that users from certain regions are not redirected to the EK, users from the UK, USA, France, Germany and the Netherlands were not targeted. However, users from Italy, Switzerland, Ireland, Sweden and Japan would be redirected and exploited if their browsers were vulnerable.

Similar to the exploit chain of Purple Fox detailed in previous sections of this report, the initial stage of the malware exploits the mshta utility to download and execute a malicious Powershell script. Once executed, if the user does not have administrative privileges, several Powershell vulnerabilities can be utilised to gain elevated privileges before the installation of the Purple Fox msi malware file.

Indicators of Compromise

MITRE Techniques

Purple Fox exploits WPAD (2021-07-01)

On July 1st 2021 Trend Micro published an analysis of Purple Fox attacks making use of Web Proxy Auto-Discovery Protocol (WPAD) domains as yet another method of infecting users with the malware (9. Trend Micro,2021). Despite the fact that WPAD attacks are well documented and the vulnerability has existed for a significant amount of time, it is still considered a viable attack technique.

WAPD is an automatic discovery protocol that locates browser configuration files on a local network. Because the domains used to locate the files are also capable of being interpreted as external domains if queried on public Domain Name System (DNS) servers, attackers can register matching domains and use them to serve malware (12. Sophos, 2016).

Targets of the malware appeared to be accessing the wpad.id domain which is situated in Indonesia based on the top level domain, i.e .id. As it stands no other countries have been found to be targeted by the malware. By implementing this technique a zero click attack, an attack that does not require user interaction, could be executed, as the WPAD URL would be accessed whenever the system is started.

To take advantage of and exploit the WPAD protocol, the Purple Fox creators registered the wpad.id domain using Cloudflare. The URL is then loaded for WPAD services, located at http://wpad[.]id/wpad[.]dat.  Once the URL is loaded it returns a Javascript version of the Internet Explorer remote code execution vulnerability CVE-2019-1367 with customised shellcode.  

The shellcode downloads the next part of the attack chain from the URL http://9kf[.]me/in[.]php?id=1.  It has been reported that the domain 9kf.me is no longer accessible but alternative domains 2kf.me and 6kf.me were active at the time of the publication of Trend Micro’s report and were observed to serve the same payload. Cloudflare servers are used to proxy the domain resolution and access to the attack chain artefacts. In their analysis of the attack chain Trend Micro observed exploits for the privilege escalation vulnerabilities CVE-2020-1054, CVE-2018-8120 and the vulnerability disclosed in MS15-051. It was found that the binary that was used to exploit MS15-051 contains a reference in a symbol file path to K8Team, which is notable as K8Team are responsible for updating and maintaining CVE exploits and different hack tools.

Indicators of Compromise

MITRE Techniques

PrintNightmare vulnerabilities (2021-07-25)

In July of 2021 it was discovered that a new proof of concept for a Windows remote printer vulnerability was accidentally disclosed. This vulnerability was dubbed PrintNightmare and appears to work on multiple fronts.  Exploiting the vulnerability can allow a user to perform remote code execution through the Windows Print Spooler service and launch attacks on other systems in a local network. In addition, as the arbitrary code is run with SYSTEM level privileges, it also serves as a local privilege escalation vulnerability and could allow attackers to gain control over high level systems such as Domain Controllers.

Shortly after this initial vulnerability was discovered it was revealed that PrintNightmare can affect almost every standard modern Windows version. The vulnerability was recognised officially as CVE-2021-34527. An article produced by 360 Total Security (10. 360 Total Security, 2021) found that Purple Fox’s botnets were using PrintNightmare to launch attacks in a cryptocurrency mining campaign.  

Following the compromise of a system, reported to be accomplished through brute force attacks against MsSQL databases, Purple Fox injects a malicious Dynamic link library named AwNKBOdTxFBP.dll into the Windows print spooler service spoolsv.exe. From spoolsv.exe the dll then injects malware into rundll32.exe and then uses Powershell to download and execute the malware on the system. At which point the victim system becomes another node in the Purple Fox botnet, carrying out cryptocurrency mining operations while attempting to move laterally and compromise other systems in the network.

Indicators of Compromise

MITRE Techniques

FoxSocket Backdoor (2021-10-19)

In October 2021 Trend Micro published a report detailing a new Purple Fox backdoor called FoxSocket, which uses WebSockets to communicate with its command-and-control (C2) servers (14. Trend Micro, 2021). The backdoor was discovered during analysis of a compromised server.

The infection chain observed was similar to previous Purple Fox infections. A drive-by compromise leads to the execution of a malicious Powershell script which executes further scripts to elevate privileges if required. The payload is then executed, dropping two components, dbcode21mk.log and setupact64.log, to the Windows directory. Registry values under the  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager key are then set to move and replace sens.dll with setupact64.log upon system restart.  Some time after infection, the dropper for FoxSocket is retrieved by Purple Fox using the following Powershell commands:

The payload URLs in the commands serve two variants of an additional Powershell script that downloads the backdoor:

The two variants differ in the Base64 encoded data passed as an argument to the object downloaded from the remote server and invoked by the dropper. The data consists of configuration parameters used to choose a C2 server and set up a communications channel. Historical analysis by Trend Micro revealed that the number of available subdomains for the C2 server had increased significantly from earlier iterations of the backdoor.

The WebSocket communications used by FoxSocket allow for a bidirectional channel to be established between the victim and the C2 server.

Communication with the C2 server is established and the connection is maintained by sending keepalive messages, which prevents the connection from being closed due to inactivity. Messages are then exchanged between the victim and the C2 server to negotiate an end-to-end encrypted session. The final step involves the victim machine sending information such as username, machine name, local IP address, MAC address and Operating System version to the C2 server to establish a profile and then listening for further instructions. Trend Micro were able to discern the following commands that were observed to be sent from the C2 server:

Indicators of Compromise

MITRE Techniques

SQL Server Crypto-mining (2021-12-13)

A follow-up article to their previous analysis was produced by Trend Micro on December 13th 2021, this time investigating the use of Purple Fox malware in targeting SQL Servers for cryptocurrency mining purposes. The article also details updated techniques employed by the newer versions of the malware (5. Trend Micro, December 2021).

As with previous versions of Purple Fox, the malware creates a suspended svchost.exe process and uses it to load and execute a payload in the form of a malicious DLL. The process in later versions however is renamed to fontdrvhost.exe by the rootkit driver.  As part of its Command and Control (C2) communication, Purple Fox is capable of retrieving additional encrypted DLLs via GET requests and loading them using the injected process. The malware has three distinct ways to communicate with its C2 servers. 

The first is Domain Name System (DNS). At the start of each process execution, the malware retrieves a list of C2 IP addresses using DNS. It is important to note that the IP addresses retrieved via DNS during this stage are not the real IP addresses used for the C2 servers but encoded versions of the real IP addresses. The encoded IPs can be decoded by subtracting a fixed number from the IP addresses.

The second communication method is the User Datagram Protocol (UDP), which the malware uses for various types of messages including building a cache of IP addresses that will be used for further communication. This is done by selecting an encoded IP address retrieved by DNS, decoding the IP address and attempting to pull an IP address cache from the selected address. If at any point this fails, the DNS will attempt to pull a new encoded IP address  and the process will begin again. 

The third communication method used by the malware is Hypertext Transfer Protocol (HTTP). HTTP is used to download additional malware files to the infected system. This is done in the form of a GET request in the following format, where [Filename].moe is a malicious DLL: 

These files are then saved and loaded by the injected process which decrypts, decompresses and executes them.  Several distinct malware files have been retrieved using the above process. The first is a SQL Server scanner. This file scans local and public IP addresses for SQL Servers running on port 1433. If it discovers the service running on this port it begins a brute-force attack on the SQL Server using a ten million-strong word list.

If the brute force attempt is successful, the malware executes an SQL script which installs a backdoor on the SQL Server. This backdoor allows for the execution of malicious Powershell commands via SQL statements.

The second malware file is a Monero (XMR) Coinminer. Once the file is executed it retrieves its configuration over UDP and executes an embedded XMRig binary in order to join a configured mining pool. It was noted by Trend Micro that the likely reason that SQL Servers have been targeted is due to their more powerful hardware configuration as opposed to regular desktop PCs, which makes coin mining more effective on these systems.

There are several methods of executing commands via SQL, in this case Purple Fox has opted to use CLR Assemblies. CLR Assemblies act as a group of DLLs which can be imported into SQL Servers used to expand the native functionality of SQL Servers; however, they can also facilitate the execution of malicious binaries via SQL (15. Netspi Blog, July 2017).

Indicators of Compromise

MITRE Techniques

Dropping Purple Fox with fake Telegram Installer (2022-01-03)

On January 3rd 2022, Minerva reported Purple Fox rootkit distribution through a malicious Telegram messenger installer (11. Minerva Labs, 2022). The initial stage of the attack utilises an AutoIT compiled executable named Telegram Desktop.exe that has an icon that matches the Telegram logo in order to masquerade as a legitimate copy of the messaging software's installer. This fake installer creates a new directory, TextInputh, under C:\Users\Username\AppData\Local\Temp\ and within the folder drops two files: a legitimate Telegram installer and a malicious downloader named TextInputh.exe which is used for the next stage of the attack. 

TextInputh.exe is executed, creating a new directory under C:\Users\Public\Videos\ named 1640618495, and contacts a C2 server to retrieve two additional files: 1.rar and 7zz.exe. 1.rar is a malicious archive containing files used in the next stage of the attack while 7zz.exe is a legitimate 7-Zip archive tool used to extract the contents of 1.rar.  The 1.rar archive contains the following files: 

• 360.tct - Malicious loader DLL 
• rundll3222.exe - Legitimate Rundll executable
• svchost.txt - File containing malicious payload in the form of byte code instructions for the loader
• ojbk.exe - reflective loader 

360.tct, rundll3222.exe and svchost.txt are then copied by TextInput.exe to the ProgramData folder, renaming 360.tct to 360.dll in the process. Following this, ojbk.exe is run with the command line arguments ojbk.exe -a, the archive and the archive tool are deleted, and the process is exited. ojbk.exe is used to reflectively load the malicious 360.dll file with the "-a'' argument, this then reads the content of svchost.txt which contains byte code to execute the next stage of attack. 

First, a check is performed by the malware for the presence of 360 AV antivirus software. This is done by searching for the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe\Path.

If the key is found then the malware will drop the following five (5) additional files: Calldriver.exe, Driver.sys, dll.dll, kill.bat, speedmem2.hg.

A detailed analysis of these files was not provided by Minerva, but they are collectively utilised to shut down and disable the initiation of 360 AV and disable Windows User Account Control (UAC) by modifying the following registry keys, setting their values to zero (0):

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop

The malware then retrieves the following information from the infected system:

• Hostname
• CPU
• Memory status
• Drive Type 
• Processor Type

The malware also checks for active antivirus solutions by searching for a number of antivirus related processes active on the system. All the information gathered is then sent to a hardcoded C2 address.  The final stage of the attack consists of the download and deployment of the Purple Fox rootkit described in previous sections.

Indicators of Compromise

MITRE Techniques

References/Sources

1. (2018-09-25) 360 Total Security blog: Purple Fox Trojan burst out globally and infected more than 30,000 users [Accessed 2022-01-06]
   hxxps://blog.360totalsecurity[.]com/en/purple-fox-trojan-burst-out-globally-and-infected-more-than-30000-users/

2. (2019-09-09) Trend Micro: ‘Purple Fox’ Malware Can Rootkit and Abuse PowerShell [Accessed 2022-01-06]  hxxps://www.trendmicro[.]com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html

3. (2019-08-22) GitHub: Jora Kornev: hidden [Accessed 2022-01-06]
   hxxps://github[.]com/JKornev/hidden

4. (2020-07-05) Proofpoint: Purple Fox EK Adds Exploits for CVE-2020-0674 and CVE-2019-1458 to its Arsenal [Accessed 2022-01-06]
   hxxps://www.proofpoint[.]com/us/blog/threat-insight/purple-fox-ek-adds-exploits-cve-2020-0674-and-cve-2019-1458-its-arsenal
   
   
5. (2021-12-13) Trend Micro: A Look Into Purple Fox’s Server Infrastructure [Accessed 2022-01-06] hxxps://www.trendmicro[.]com/en_us/research/21/l/a-look-into-purple-fox-server-infrastructure.html

6. (2021-03) Guardicore Labs: Purple Fox Rootkit Now Propagates as a Worm [Accessed 2022-01-06] hxxps://www.guardicore[.]com/labs/purple-fox-rootkit-now-propagates-as-a-worm/
   
   
7. (2021-04-14) HP Wolf Security Blog: From PoC to Exploit Kit: Purple Fox now exploits CVE-2021-26411 [Accessed 2022-01-06]
   hxxps://threatresearch.ext.hp[.]com/purple-fox-exploit-kit-now-exploits-cve-2021-26411/
   
   
8. (2021-04-02) Enki Blog: Internet Explorer Zero Day [Accessed 2022-02-08]
   hxxps://enki.co.kr/blog/2021/02/04/ie_0day.html
   
   
9. (2021-07-01) Trend Micro: PurpleFox Using WPAD to Target Indonesian Users [Accessed 2022-01-06] hxxps://www.trendmicro[.]com/en_us/research/21/g/purplefox-using-wpad-to-targent-indonesian-users.html

10. (2021-07-25) 360 Total Security has supported the defense against PrintNightmare vulnerabilities [Accessed 2022-01-06]
    hxxps://blog.360totalsecurity[.]com/en/360-total-security-has-supported-the-defense-against-printnightmare-vulnerabilities/

11. (2022-01-03) Minerva Labs: Malicious Telegram Installer Drops Purple Fox Rootkit [Accessed 2022-01-06] hxxps://blog.minerva-labs[.]com/malicious-telegram-installer-drops-purple-fox-rootkit

12. (2016-05-25) Sophos Naked Security: When domain names attack: the WPAD name collision vulnerability [Accessed 2022-01-27]
    hxxps://nakedsecurity.sophos[.]com/2016/05/25/when-domain-names-attack-the-wpad-name-collision-vulnerability/

13. (2020-10-19) SentinelOne: Purple Fox EK | New CVEs, Steganography, and Virtualization Added to Attack Flow [Accessed 2022-01-06]
    hxxps://www.sentinelone[.]com/labs/purple-fox-ek-new-cves-steganography-and-virtualization-added-to-attack-flow/
    
    
14. (2021-10-19) Trend Micro: PurpleFox Adds New Backdoor That Uses WebSockets [Accessed 2022-02-08]
    hxxps://www.trendmicro[.]com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html
    
    
15. (2017-07-13) Netspi: Attacking SQL Server CLR Assemblies [Accessed 2022-02-09]
    hxxps://www.netspi.com/blog/technical/adversary-simulation/attacking-sql-server-clr-assemblies

Our findings led us to investigate an updated PurpleFox arsenal. Foregenix provide deep knowledge and experience, highly technical analysis and expert threat monitoring and correlation to have one single source of detection and response.

We have developed in-house solutions to detect and mitigate active, advanced and previously unknown threats. Contact us for more support.