Purple Fox Malware

Purple Fox is a combined backdoor and rootkit used in several campaigns to deliver a variety of cryptocurrency miners, ransomware, and spyware. It can also act as an exploit kit to deliver payloads, including itself, to other targets.

Threat ID:: CC-3533
Category:: Rootkit, Backdoor, Trojan, Worm
Threat Severity:: Medium
Threat Vector:: Drive by download, Malvertising, Exploit kit, Vulnerability
Published:: 9 July 2020 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Affected platforms

The following platforms are known to be affected:

Versions: all

Microsoft Windows

Threat details

Introduction

First observed in March 2018, Purple Fox is a combined fileless rootkit and backdoor trojan, that is also able to act as an exploit kit. Believed to be sold through several Russian-speaking hacking forums, Purple Fox has been used in a number of campaigns to deliver ransomware tools, spyware, and cryptocurrency mining malware.

Delivery

Older Purple Fox variants relied on the RIG exploit kit for delivery; with some variants also using trojanised versions of legitimate applications hosted on third-party sites for distribution.

However, in September 2019, new Purple Fox variants began to be observed that appeared to use built-in exploit kit (known as PFEK) functionality to replace RIG. At the time of publication, it thought that Purple Fox's authors included this functionality to avoid paying to use RIG.

PFEK uses the Popcash malvertising network to redirect users to attacker-controlled landing pages, where the exploit kit component attempt to fingerprint them. If any visitor matches the desired user profile, PFEK deploys an Internet Explorer scripting engine exploit alongside a local privilege escalation exploit to gain initial access.

Activities

Once present on the system, PFEK will perform several anti-analysis checks before dropping the primary Purple Fox Windows Installer (MSI) package. PFEK then register's the package as a boot-start driver before rebooting the system to ensure persistence.

When successfully executed, Purple Fox will inject a DLL containing it's rootkit into a new svchost process. It then connects to a command and control server and uploads user and system information.

Intended payloads are retrieved using either the NSIS tool in older Purple Fox versions, with newer versions using PowerShell.

Threat updates

Date	Update
24 Mar 2021	SMB worming capability A new Purple Fox variant has been discovered that uses SMB brute-force attacks to propagate automatically. This version scans randomly generated IP blocks before attempting to authenticate to any responding SMB services. If successful, it will drop a copy of itself on the affected system.
22 Oct 2020	New privilege escalation capability Purple Fox has been updated with two new privilege escalation vulnerabilities and is being used in a new malvertising campaign targeting Internet Explorer users.

Date

Update

24 Mar 2021

SMB worming capability

A new Purple Fox variant has been discovered that uses SMB brute-force attacks to propagate automatically.

This version scans randomly generated IP blocks before attempting to authenticate to any responding SMB services. If successful, it will drop a copy of itself on the affected system.

22 Oct 2020

New privilege escalation capability

Purple Fox has been updated with two new privilege escalation vulnerabilities and is being used in a new malvertising campaign targeting Internet Explorer users.

Remediation advice

To prevent and detect an infection, NHS Digital advises that:

Secure configurations are applied to all devices.
Security updates are applied at the earliest opportunity.
Tamper protection settings in security products are enabled where available.
Obsolete platforms are segregated from the rest of the network.
IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
Administrative accounts are only used for necessary purposes.
Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Indicators of compromise

Network indicators

Domains

casestudybuddy[.]club
dl[.]gblga[.]workers.dev
dl[.]fmhsi[.]workers.dev
jeitacave[.]org
nw[.]brownsine[.]com
raw[.]githack[.]xyz
rawcdn[.]githack[.]cyou
rawcdn[.]githack[.]com
rpc[.]1qw[.]us
shiory[.]annebruce[.]xyz
speedjudgmentacceleration[.]com
zopso[.]org

URLs

141[.]98[.]216[.]130/1505132[.]jpg
141[.]98[.]216[.]130/1505164[.]jpg
141[.]98[.]216[.]130/1603232[.]jpg
141[.]98[.]216[.]130/1603264[.]jpg
141[.]98[.]216[.]130/1808132[.]jpg
141[.]98[.]216[.]130/1808164[.]jpg
141[.]98[.]216[.]130/pe[.]jpg
jeitacave[.]org/ps004[.]jpg
raw[.]githack[.]xyz/1DHRBFPLZTEQRRBUB[.]jpg
raw[.]githack[.]xyz/SdTC8df7vmDNIUuV1[.]jpg
rawcdn[.]githack[.]com/yfaOp/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/1505132[.]jpg
rawcdn[.]githack[.]com/yfaOp/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/1505164[.]jpg
rawcdn[.]githack[.]com/yfaOp/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/1808132[.]jpg
rawcdn[.]githack[.]com/yfaOp/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/1808164[.]jpg
rawcdn[.]githack[.]com/yfaOp/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/1905864[.]jpg
rawcdn[.]githack[.]com/yfaOp/BEFzQ/7d0f5914392dc9688c67a2118aefafc958cb53b2/pe[.]jpg

Host indicators

Commands

netsh.exe ipsec static add policy name=qianye
netsh.exe ipsec static add filterlist name=Filter1
netsh.exe ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
netsh.exe ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
netsh.exe ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
netsh.exe ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
netsh.exe ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
netsh.exe ipsec static set policy name=qianye assign=y
netsh.exe ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
netsh.exe ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 netsh.exe ipsec static add filteraction name=FilteraAtion1 action=block
netsh.exe interface ipv6 install

SHA256 hashes

01662ffa9a1c637307e1d148ac2492c69d6035ca87424cbb11e44a178002abc4
07191e65af30541f71e876b6037079a070a3 4c435641897dc788c15e5f62f53c
079c13fbc30a32e4f0386cd53c56d68404961b8f1cd4d4fde1a1e9def42aa557
09a6fe2764de81c7c5d588dc0542230a0d36 aac69305139349fa43f4ab5a09d4
1209aece1f9f54e6422083791eb8a59df878f6959beae9e53736e3056459ab1e
13b0e2769d7a0b3964c4e491f90fc4518f8e5ae4d8c37082ffe764b3a174e9a7
14ae024e8e580904113eea52ce2a000b37b 2998c2f257d3bc2cd176e8d9de1a2
164e96f9c19277d40cf58102c1d6fd75dab47 bce4f79065ef996a2588b3f737a
181551603ebebbf5924247212c0ed93b6c9c4b088e612bf04f5996c227563318
321eeafe6a9dbd424bf9fdf7ded1ef18c7cab68fadb58cd0da5a1c74479a509f
33a584a0d4907b063af867fd33cc39362b74 e96e72d2ad97db7748131364eab1
3e2c3d27d06c3b8a0106282b5d24dc6a44af 7fdad74bc4993a3f3bcb7a82858d
498496827afc0aa5960d1cb1d60f7ae7699e 0906e3a8c657b6864cff10772df0
49d9f5aaeb6fd10d371afbebf33ffed184b22e66350a12a60cbbe34ff1fadf9e
507fbe71ec4e059a6cffbf1f7c075073e51c20f a1bb0c9dbc830b5ad5179450a
517a523039a21e1961088cac8236bf5f6ee1 97d6a47d08abf114ee3418af0c08
61113a0acd6469ce0d860db55c2afa3cdcba c2f5411fe8259cca43c10c042239
6bee844cdd424c970ff8bba22385ae4c1ae51c2b4e036ba1a217ba37e100530f
7465b738ba31fa2fff7fef1d770ef32e43b01d49a937b3b1c11dc2e4e45fd019
8392f7bc7bd93ab035e609619e0915b7e8c91288fc6eb19237c0e2019f8dcaa2
87ea8d5bcd1056e76af822896db63f07732d bfab3fc632e7cf13802ae68afc40
9208e853d6de61f1640822ae723e0d40730e29cef5a660419b95fd32c84c9ade
9b77436cc2d53461d0a5a69189e15bbd6cd61cb714b4c53d42e3743d515bcf26
a5a6be8b51439c793d903fb92c952c729db8 e8050010c499607ee512f42bceff
ac05a938bbfc4ff0daeb1e45b6ccfdd7cae5bd 6aa6e54c49ec6c8feef2ae06c4
b2cb65c9ac36f1e3fb31dfd5235c29b396be0 968e6b225d625dc3c8fd72395f4
b48c61983f2d453d4d6a5ff1f2c9e0e194d7ae892a2649d7bafd267082033748
babfd8e70102479dea4f239c1ee5de463af07c73a94592b390257c5b3d2878a9
ca7bd2830405ed53fd7f56738d7644ff8ecfd5 bc63d079d322c99601c6106843
cfae7a1935f0aaf0f76322f29ad0e0fd1a77d325e55fa324a0bb19e264760800
d9155d5e89692fac89a4defeb146ab6ad508 d951bc4948067b44e5d0a6582b72
db09af7752eab8227c9ee1edad061a13aba0 8a6a53289a9c9bba9da2e6cc1f5f
e30d7375f5f88847b810755f0a2cda82e8eeb084a3b989c85d6f13f6a1c01f38
e49327a62e4500ac23fa0b506c565350fbc9afd497198a8b4b8ae8f537146d53
f0b0e0548b218fb81940a4daf85c3709b2159 bb357cab2f55576af3d75d47094

Definitive source of threat updates

https://labs.sentinelone.com/purple-fox-ek-new-cves-steganography-and-virtualization-added-to-attack-flow/

CVE Vulnerabilities

Status Published

CVE-2014-6332

OleAut32.dll in OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted web site, as demonstrated by an array-redimensioning attempt that triggers improper handling of a size value in the SafeArrayDimen function, aka "Windows OLE Automation Array Remote Code Execution Vulnerability."

Status Published

CVE-2015-1701

Win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in April 2015, aka "Win32k Elevation of Privilege Vulnerability."

Status Published

CVE-2018-8120

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows Server 2008, Windows 7, Windows Server 2008 R2. This CVE ID is unique from CVE-2018-8124, CVE-2018-8164, CVE-2018-8166.

Status Published

CVE-2018-8174

A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka "Windows VBScript Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

Status Published

CVE-2018-15982

Flash Player versions 31.0.0.153 and earlier, and 31.0.0.108 and earlier have a use after free vulnerability. Successful exploitation could lead to arbitrary code execution.

Status Published

CVE-2019-0808

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0797.

Status Published

CVE-2019-1458

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

Status Published

CVE-2020-1054

An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1143.

Status Published

CVE-2020-0674

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0673, CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, CVE-2020-0767.

Last edited: 24 March 2021 10:22 am