Purple Fox malware was first discovered in 2018 and was delivered by RIG EK (Exploit Kit). However, it has now become an independent malware with its own exploit kit framework. Like many other exploit kits, Purple Fox is regularly updating its capabilities by using different exploits that are available in the wild to obtain remote code execution and privilege escalation on vulnerable machines as well as installing backdoors and propagating to other machines.
eSentire’s Threat Response Unit (TRU) team has previously posted a TRU Positive on how Purple Fox exploited a victim’s browser to execute malicious code. While the exploit was successful, eSentire MDR for Endpoint prevented the exploit from executing the malicious PowerShell code. This malware analysis delves deeper into the technical details of how the Purple Fox malware functions and our security recommendations to protect your organization from being exploited.
eSentire’s Threat Response Unit (TRU) team recently observed multiple Purple Fox infections. The malware targets vulnerable versions of Internet Explorer (IE). The infection starts with the execution of a malicious script via mshta.exe, a utility that runs Microsoft HTML Application (HTA) files. Mshta.exe is often abused by threat actors to proxy-execute malicious .hta files, JavaScript, or PowerShell via VBScript.
In a recent incident, we observed Mshta.exe spawning from a vulnerable version of IE and launching a Base64-encoded PowerShell one-line command (Exhibit 1).
The command is responsible for downloading and launching the file i.php from a command and control (C2) domain. The i.php file contains character codes that are XOR’ed (XOR, or "exclusive or", is a logical operator that yields true if exactly one of two conditions is true, not both) with the hexadecimal value 0x26 (Exhibit 2).
The decoded char code script revealed another layer of a malicious PowerShell script. The script disables the Windows Defender Real-Time Protection and sets up the registry path HKCU:\Software\7-Zip.
The PowerShell script downloads the second stage payload from the C2 channel based on the OS architecture of the infected machine and sleeps for 60 seconds. Then, it checks the registry for the value “StayOnTop” under the mentioned registry path to confirm that the payload was successfully executed (Exhibit 3). It’s worth noting that the registry value resides under HKU (HKEY_USERS) Registry Hive used by LocalSystem account (HKEY_USERS\.DEFAULT\Software\7-Zip).
The script also creates a mutex Global\bF5UPnqxCnbr to avoid reinfecting the host. Purple Fox uses steganography to hide the malicious payload (Exhibit 4).
We extracted the payload from the PNG file using the section of the script that is responsible for running the retrieved 32.png payload (Exhibit 5).
It appears to be another layer of obfuscation ending with ($sheLliD[1]+$sHELlID[13]+'x'), which evaluates to IEX (Invoke-Expression). We removed the IEX and wrote the decoded script to a file. The decoded file contains the third-stage payload or script (Exhibit 6). The script leverages the MsiInstallProduct (msi.dll) API to run the payload. The script contains multiple Base64-encoded payloads (Exhibit 6) as well as the PowerShell implementation of the Hot Potato Windows privilege escalation exploit known as Tater.
If the infected user does not have administrative privileges, the script will attempt to leverage known exploits to achieve privilege escalation on the infected host.
We found that the first decoded 32-bit payload 1908832String contains the exploit for CVE-2019-0808 (Win32k Elevation of Privilege Vulnerability) with the following debugging path:
The second 32-bit executable payload 1808132String contains the exploit for CVE-2018-8120 (Win32k Elevation of Privilege Vulnerability).
The third 32-bit executable payload 1505132String contains the exploit for CVE-2015-1701 (Win32k Elevation of Privilege Vulnerability) with the following path:
The fourth 32-bit executable payload AllmakeString contains the exploit for CVE-2021-1675 (Windows Print Spooler Remote Code Execution Vulnerability) with the following path:
The fifth 32-bit DLL payload sp32String is UPX-packed and contains a Base64-encoded PowerShell command (Exhibit 7). Upon decoding the PowerShell command, we found another PHP file retrieved from the same C2 domain. The PHP file appears to be an MSI executable that reaches out to the C2 to retrieve a .CAB file, such as M0071.cab, containing the following main components of the malware (Exhibit 8):
The above-mentioned files are dropped into the Windows folder. The malware adds the filenames to be replaced and removed to the registry path HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations:
This activity was mentioned by 360 Total Security; it ensures that the malware runs successfully on the system.
File replacements at boot time are carried out by the smss.exe (Session Manager Subsystem) process (Exhibit 9).
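A triage helper for the registry value discussed above, added here as an example and not taken from the post: it parses the REG_MULTI_SZ source/destination pairs that PendingFileRenameOperations holds (empty destination = delete at boot, a "!" prefix on the destination = replace an existing file, NT-style "\??\" path prefix) and flags the entries a responder would look at first. The sample value is constructed; it reuses two file names from the post but the paths are assumed.

```python
"""Parse and triage a PendingFileRenameOperations value.

Added example, not code from the eSentire post. The post notes that Purple Fox queues
its dropped files for boot-time replacement and removal under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations,
which smss.exe carries out at the next boot. The value is a REG_MULTI_SZ of
source/destination pairs: an empty destination means "delete", a destination starting
with "!" means "replace an existing file", and paths carry the NT "\\??\\" prefix.
SAMPLE_VALUE is constructed; its file names reuse names from the post, the paths are assumed.
"""
from dataclasses import dataclass
from typing import List, Optional

WINDOWS_DIR = r"C:\Windows"
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")


@dataclass
class RenameOp:
    source: str
    destination: Optional[str]   # None means the source is deleted at boot
    replace_existing: bool


def _strip_nt_prefix(path: str) -> str:
    return path[4:] if path.startswith("\\??\\") else path


def parse_pending_renames(multi_sz: List[str]) -> List[RenameOp]:
    """Turn the raw REG_MULTI_SZ string list into RenameOp records."""
    entries = list(multi_sz)
    if len(entries) % 2 == 1 and entries[-1] == "":
        entries.pop()                       # tolerate the trailing terminator
    if len(entries) % 2 == 1:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    ops = []
    for i in range(0, len(entries), 2):
        src = _strip_nt_prefix(entries[i])
        dst_raw = entries[i + 1]
        if dst_raw == "":
            ops.append(RenameOp(src, None, False))
        else:
            ops.append(RenameOp(src, _strip_nt_prefix(dst_raw.lstrip("!")), dst_raw.startswith("!")))
    return ops


def _under(path: str, folder: str) -> bool:
    return path.lower().startswith(folder.lower() + "\\")


def suspicious_ops(ops: List[RenameOp]) -> List[RenameOp]:
    """Flag boot-time deletes inside the Windows folder and renames landing in system directories.
    This is a triage filter, not a verdict: legitimate installers also queue such operations."""
    flagged = []
    for op in ops:
        if op.destination is None and _under(op.source, WINDOWS_DIR):
            flagged.append(op)
        elif op.destination and any(_under(op.destination, d) for d in SYSTEM_DIRS):
            flagged.append(op)
    return flagged


# Constructed sample value, shaped like the string list a REG_MULTI_SZ read returns.
SAMPLE_VALUE = [
    r"\??\C:\Windows\dbcode86mk.log", "",                                                   # delete at boot
    r"\??\C:\Windows\Ms5C864EC6App.dll", r"!\??\C:\Windows\System32\Ms5C864EC6App.dll",    # replace at boot
    r"\??\C:\Users\alice\AppData\Local\Temp\upd.tmp", r"\??\C:\Program Files\App\app.exe",  # ordinary updater
    "",
]

if __name__ == "__main__":
    for op in suspicious_ops(parse_pending_renames(SAMPLE_VALUE)):
        print(op)
```

On a live host the list comes from reading the value with the registry API (or from an offline SYSTEM hive); feeding it to parse_pending_renames() before the machine reboots shows exactly which files smss.exe will replace or remove.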
Manually running the MSI installer without the .CAB component downloaded from C2 would yield an error saying that there is a missing M0071.cab file (Exhibit 10). If the .CAB file is present on the system, the installer would produce a “Description of dynamic conditions” message (Exhibit 11).
During the exploitation stage, where Purple Fox tries to escalate the user’s privileges via the previously decoded PowerShell script, the following folder, from which the MSI installer runs, gets created (CTH3VNU8KZHDXY6YYCF9YV8OXGPW3P2APZPL is the original name of the MSI installer):
The MSI installer runs with the command C:\Windows\system32\msiexec.exe /V and launches the VBS script, which creates a firewall policy to block inbound traffic to common ports. eSentire Threat Response Unit (TRU) assesses with high confidence that this is done to prevent machines infected with Purple Fox from being re-infected.
The malware also attempts to patch the system against the known Scripting Engine Memory Corruption Vulnerability in Internet Explorer (CVE-2020-0674) by taking ownership of jscript.dll after successfully exploiting the infected machine, so that competing malware cannot exploit the host:
"C:\Windows\SysWOW64\netsh.exe" interface ipv6 install
"C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
"C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
"C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\jscript.dll
"C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\jscript.dll /E /P everyone:N
"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\jscript.dll
"C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\jscript.dll /E /P everyone:N
"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\cscript.exe
"C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\cscript.exe /E /P everyone:N
"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\cscript.exe
"C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\cscript.exe /E /P everyone:N
"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\mshtml.dll
"C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\mshtml.dll /E /P everyone:N
"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\mshtml.dll
"C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\mshtml.dll /E /P everyone:N
"C:\Windows\SysWOW64\powercfg.exe" /S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
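The command-line sequence above is distinctive enough to detect. The following is an added example, not code from the post or from eSentire's detection content: it takes process command lines as an EDR or Sysmon process-creation feed would present them, summarises the netsh ipsec filters into blocked inbound and outbound ports, records takeown/cacls tampering with the scripting engine binaries named above, and combines them into one high-confidence match. The sample input repeats a subset of the command lines from the post plus one constructed benign line.

```python
"""Spot the Purple Fox post-exploitation "lockdown" pattern in process-creation records.

Added example, not code from the eSentire post. SAMPLE_CMDLINES repeats a subset of the
command lines shown in the post plus one constructed benign line; everything else
(regexes, thresholds, field names) is this example's own assumption.
"""
import re
from typing import Dict, Iterable, Optional, Set, Tuple

# Binaries the post shows being taken over with takeown/cacls.
SCRIPT_ENGINE_FILES = ("jscript.dll", "mshtml.dll", "cscript.exe")


def parse_ipsec_filter(cmdline: str) -> Optional[Tuple[str, int, str]]:
    """Return (direction, port, protocol) for a 'netsh ipsec static add filter' line, else None."""
    m = re.search(r"ipsec static add filter\b(.*)", cmdline, re.IGNORECASE)
    if not m:
        return None
    kv = {k.lower(): v for k, v in re.findall(r"(\w+)=(\S+)", m.group(1))}
    if kv.get("dstaddr", "").lower() == "me":
        direction = "inbound"        # traffic to this host
    elif kv.get("srcaddr", "").lower() == "me":
        direction = "outbound"       # traffic from this host
    else:
        direction = "unknown"
    return direction, int(kv["dstport"]), kv.get("protocol", "ANY").upper()


def analyze_cmdlines(cmdlines: Iterable[str]) -> Dict[str, Set]:
    """Summarise the IPsec policy, filters and ACL tampering seen in a batch of command lines."""
    findings: Dict[str, Set] = {
        "policies_created": set(), "policies_assigned": set(),
        "inbound_blocked": set(), "outbound_blocked": set(),
        "locked_files": set(),
    }
    for line in cmdlines:
        low = line.lower()
        m = re.search(r"ipsec static add policy name=(\S+)", low)
        if m:
            findings["policies_created"].add(m.group(1))
        m = re.search(r"ipsec static set policy name=(\S+) assign=y", low)
        if m:
            findings["policies_assigned"].add(m.group(1))
        f = parse_ipsec_filter(line)
        if f and f[0] == "inbound":
            findings["inbound_blocked"].add((f[1], f[2]))
        elif f and f[0] == "outbound":
            findings["outbound_blocked"].add((f[1], f[2]))
        if "takeown.exe" in low or "cacls.exe" in low:
            for name in SCRIPT_ENGINE_FILES:
                if name in low:
                    findings["locked_files"].add(name)
    return findings


def matches_purple_fox_lockdown(findings: Dict[str, Set]) -> bool:
    """An assigned IPsec block policy covering SMB/RPC inbound plus ACL tampering on the
    IE scripting engine files; either half alone is too noisy to alert on."""
    smb_rpc = {445, 135, 139}
    inbound_ports = {port for port, _ in findings["inbound_blocked"]}
    return (bool(findings["policies_assigned"])
            and smb_rpc.issubset(inbound_ports)
            and bool(findings["locked_files"]))


# Subset of the command lines from the post, plus one constructed benign line at the end.
SAMPLE_CMDLINES = [
    r'"C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye',
    r'"C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1',
    r'"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP',
    r'"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP',
    r'"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP',
    r'"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP',
    r'"C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block',
    r'"C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1',
    r'"C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y',
    r'"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\jscript.dll',
    r'"C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\jscript.dll /E /P everyone:N',
    r'"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\mshtml.dll',
    r'"C:\Windows\System32\netsh.exe" advfirewall show allprofiles',   # constructed benign line
]

if __name__ == "__main__":
    result = analyze_cmdlines(SAMPLE_CMDLINES)
    for k, v in result.items():
        print(k, sorted(v))
    print("purple fox lockdown pattern:", matches_purple_fox_lockdown(result))
```

Batching by host and a short time window (the post shows the whole sequence run by one installer) keeps the combined rule tight; a single "netsh ipsec static add policy" on its own is a useful hunting lead but fires on legitimate administration too.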
Purple Fox uses a unique name “qianye” for the firewall policy name. The policy name and mutex convention were previously used in RIG EK (Exploit Kit) back in 2019, which suggests that Purple Fox EK and RIG EK are related. Proofpoint researchers also mentioned that Purple Fox has built their own exploit kit to replace RIG EK.
Additionally, the PowerShell process that is spawned is responsible for rebooting the infected machine after 900 seconds (15 minutes):
This ensures that the rootkit and malware components load successfully onto the system, the dropped files are removed from the Windows folder, and the registry keys and services are hidden, without the user suspecting any malicious activity.
Ms5C864EC6App DLL, which is responsible for decrypting the rootkit, is registered as a hidden service. Ms5C864EC6App DLL gets injected into svchost processes even if the infected machine boots in Safe Mode with the following arguments (Exhibits 12-13):
Upon reboot, a service named dump_{8-random-characters} is created and Ms{8-random-characters}App.dll is injected into svchost.exe (Exhibit 14). The service loads the rootkit driver. The main purpose of the rootkit in this sample is to hide the malicious running service as well as the registry keys mentioned previously. The rootkit is named dump_{8-random-characters}.sys and is also hidden on the infected machine (Exhibit 15).
Purple Fox stores its configuration in an encrypted format under HKEY_LOCAL_MACHINE\Software\Microsoft\DirectPlay8\Direct3D\ and leverages LOLBIN (Living Off the Land Binary), specifically mshta.exe to execute malicious commands via the following pattern, where @[email protected] is the placeholder for the command to be executed (Exhibits 16-17):
According to Guardicore research, the malware uses SMB brute-forcing to gain access to other machines that are publicly exposed on the Internet (Exhibit 18). The IP address generation algorithm was thoroughly described by Avast researchers. The password list extracted from memory contains over 4000 common words and numbers (Exhibit 19).
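On the receiving side, the SMB password guessing described above shows up as a burst of failed network logons from one source address across many account names. The detector below is an added example, not code from the post or from eSentire: it slides a time window over Windows logon-failure events (Event ID 4625, Logon Type 3) per source and reports sources that exceed both a failure count and a distinct-account threshold. The event feed and the thresholds are constructed for the example.

```python
"""Detect SMB password-guessing bursts in Windows logon-failure events.

Added example, not code from the eSentire post. All events below are constructed, and the
thresholds are assumptions to be tuned per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# (timestamp, event_id, logon_type, account, source_ip)
Event = Tuple[datetime, int, int, str, str]


def build_sample_events() -> List[Event]:
    """Constructed feed: one source guessing 12 accounts, one user mistyping a password twice."""
    base = datetime(2022, 4, 27, 10, 0, 0)
    events: List[Event] = []
    # 30 network logon failures in two minutes from 10.0.0.5, cycling through 12 account names.
    for i in range(30):
        events.append((base + timedelta(seconds=4 * i), 4625, 3, f"svc{i % 12}", "10.0.0.5"))
    # Two failures from a normal workstation: not a brute force.
    events.append((base + timedelta(minutes=1), 4625, 3, "alice", "10.0.0.9"))
    events.append((base + timedelta(minutes=1, seconds=30), 4625, 3, "alice", "10.0.0.9"))
    # An interactive failure (logon type 2) and a success (4624) are ignored by the detector.
    events.append((base + timedelta(minutes=2), 4625, 2, "bob", "10.0.0.5"))
    events.append((base + timedelta(minutes=3), 4624, 3, "svc3", "10.0.0.5"))
    return events


def detect_smb_bruteforce(events: List[Event], threshold: int = 20, min_accounts: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> Dict[str, Tuple[int, int]]:
    """Return {source_ip: (max failures in one window, distinct accounts in that window)}
    for every source that exceeds both thresholds within any window."""
    by_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, event_id, logon_type, account, src in events:
        if event_id == 4625 and logon_type == 3:          # failed network logon only
            by_src[src].append((ts, account))
    hits: Dict[str, Tuple[int, int]] = {}
    for src, items in by_src.items():
        items.sort(key=lambda x: x[0])
        best = (0, 0)
        start = 0
        for end in range(len(items)):                     # sliding window over sorted failures
            while items[end][0] - items[start][0] > window:
                start += 1
            span = items[start:end + 1]
            accounts = len({a for _, a in span})
            if (len(span), accounts) > best:
                best = (len(span), accounts)
        if best[0] >= threshold and best[1] >= min_accounts:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, (count, accounts) in detect_smb_bruteforce(build_sample_events()).items():
        print(f"{src}: {count} failed network logons across {accounts} accounts")
```

Requiring many distinct accounts, not just many failures, separates password spraying and brute force from a single service with a stale credential, which is the most common source of 4625 noise.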
We extracted the following C2 IPs from the memory:
70.67.187.105:13533 | 7.82.220.180:11575 | 20.28.221.108:13934 |
157.235.223.6:14079 | 21.42.151.230:14757 | 73.65.97.5:11018 |
65.234.116.150:19258 | 183.213.144.246:15780 | 145.137.160.99:12752 |
7.38.92.10:10608 | 133.18.191.109:14047 | 241.111.127.149:19135 |
106.54.78.245:15699 | 117.144.135.187:12001 | 184.144.70.26:13453 |
76.110.192.131:16864 | 73.204.19.157:20153 | 22.197.29.184:11783 |
86.232.196.159:10225 | 20.0.180.164:10541 | 241.111.218.42:10970 |
145.9.226.86:11121 | 73.53.25.111:14220 | 77.231.42.218:13962 |
65.102.78.39:20163 | 73.39.80.243:15572 | 180.14.227.58:15075 |
65.113.193.42:10945 | 85.241.16.2:16926 | 75.126.49.16:16581 |
68.50.158.154:19791 | 53.141.203.114:14693 | 175.233.158.123:15823 |
184.166.67.206:13200 | 182.185.31.85:10895 | 179.75.18.139:17801 |
120.253.196.37:19337 | 7.38.137.122:15684 | 23.153.110.100:12855 |
The above IP addresses are resolved via DNS; specifically, the malware reaches out to ret.6bc[.]us for DNS requests.
Our Threat Response Unit (TRU) team combines threat intelligence obtained from research and security incidents to create positive security outcomes for our customers. We are taking a holistic approach to combat modern cybersecurity threats by deploying countermeasures, such as:
Our detection content is supported by investigation runbooks, ensuring our 24/7 Cyber SOC Analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures (TTPs). In addition, TRU closely monitors the threat landscape, constantly addresses capability gaps, and conducts retroactive threat hunts to assess customer impact.
We recommend implementing the following controls to help secure your organization against Purple Fox malware:
While the TTPs used by adversaries grow in sophistication, they create a level of difficulty at which critical business decisions must be made. Preventing the various attack paths utilized by the modern threat actor requires actively monitoring the threat landscape, as well as developing and deploying endpoint detection coupled with the ability to investigate logs and network data during active intrusions.
eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.
Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.
Name | Indicators |
i.php | 32d81dcfcf7ae1d000fd9332b3442eb4afa72674dda5bd0cb47c1faaa44c99b8 |
MSI Installer | 61ea42af8d93e9d6eee269c048983559f455a82ac387b3e08046cbe21a05ca64 |
M0071.cab | 42d20b11fef9c5beba6c6dbcc4d3bbd2d163bc4d50035d3604461a9c25b69e70 |
.log | 29c94fb2f3f0a3dc731854d27527f45a85d6b8658fb88e218954f5c76a93e270 |
dbcode86mk.log | 766d7995bc515cb656e91581e57217f1f745ba3136dd32ff12cf915521b129ad |
hxxps[:]//kjt[.]bar/ | C2 |
Ms5C864EC6App.dll | 682e2ab27c4c773abfd2056625cb9fe60a78039ea009e0a83fc6d0ba18b0db6d |
ret.6bc[.]us | DNS resolver domain |
import "pe"

rule dbcode86mk_encrypted
{
    meta:
        author = "eSentire TI"
        date = "04/27/2022"
        version = "1.0"
    strings:
        $a = {4B 65 77 44 72 69 76 65 72 33 32 48}
        $a1 = "KewDriver32H"
    condition:
        1 of ($a*) and (filesize < 500KB)
}

rule MSI_Installer
{
    meta:
        author = "eSentire TI"
        date = "04/27/2022"
        version = "1.0"
    strings:
        $msi = {D0 CF 11 E0 A1 B1 1A E1}
        $a1 = "CTH3VNU8KZHDXY6YYCF9YV8OXGPW3P2APZPL"
        $a2 = {41 70 70 50 61 74 63 68 5C 41 63 70 73 65 6E 73 2E 64 6C 6C}
        $a3 = {73 65 6E 73 2E 64 6C 6C}
        $a4 = {5B 53 79 73 74 65 6D 46 6F 6C 64 65 72 5D}
    condition:
        all of ($a*) and ($msi) and (filesize < 1MB)
}

rule MsApp
{
    meta:
        author = "eSentire TI"
        date = "04/27/2022"
        version = "1.0"
    strings:
        $a1 = "KewService32.dll"
        $a2 = ".vmp1"
        $a3 = {2E 76 6D 70 30}
        $a4 = {56 69 72 74 75 61 6C 42 6F 78}
    condition:
        // MZ (PE) or ELF magic; the ELF constant is 0x464c457f (the original had an extra digit)
        3 of ($a*) and (filesize < 11MB) and pe.exports("ServiceMain") and (uint16(0) == 0x5A4D or uint32(0) == 0x464c457f)
}
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.