What We Do
How we do it
Resources
TRU INTELLIGENCE CENTER
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
View Threat Intelligence Resources →
SECURITY ADVISORIES
Jun 03, 2022
UPDATE: CVE-2022-26134 – Confluence Zero-Day Vulnerability
THE THREAT June 3rd Update: Atlassian has released security patches to address this vulnerability. On June 2nd, 2022, Atlassian disclosed a critical vulnerability impacting the Confluence…
Read More
View all Advisories →
Company
ABOUT ESENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1200+ organizations in 75+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
May 17, 2022
Cybersecurity Leader eSentire Continues Its Commitment to Rigorous Security Standards Earning PCI DSS Certification
Waterloo, ON, May 17, 2022 — eSentire, the Authority in Managed Detection and Response (MDR), maintains one of the most secure and robust IT environments of any MDR provider in the industry. To that end, eSentire today announced that it has received the Payment Card Industry Data Security Standard (PCI DSS) certification, considered one of the most stringent and comprehensive payment card…
Read More
Partners
PARTNER PROGRAM
e3 Ecosystem
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Learn more
ECOSYSTEM PARTNER RESOURCES
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Search
Resources
Blog — Jun 08, 2022

eSentire Threat Intelligence Malware Analysis: Purple Fox

12 minutes read
Speak With A Security Expert Now

Purple Fox malware was first discovered in 2018 and was delivered by RIG EK (Exploit Kit). However, it has now become an independent malware with its own exploit kit framework. Like many other exploit kits, Purple Fox is regularly updating its capabilities by using different exploits that are available in the wild to obtain remote code execution and privilege escalation on vulnerable machines as well as installing backdoors and propagating to other machines.

eSentire’s Threat Response Unit (TRU) team has previously posted a TRU Positive on how Purple Fox exploited a victim’s browser to execute malicious code. While the exploit was successful, eSentire MDR for Endpoint prevented the exploit from executing the malicious PowerShell code. This malware analysis delves deeper into the technical details of how the Purple Fox malware functions and our security recommendations to protect your organization from being exploited.

Key Takeaways:

  • Purple Fox leverages rootkit components to avoid detections by hiding registry keys and files on the infected machine.
  • The malware abuses LOLBIN (Living Off the Land Binary), specifically mshta.exe, which is a Windows binary designed to execute Microsoft HTML Application (HTA) files to defeat defensive countermeasures.
  • Purple Fox uses various publicly available exploits to obtain privilege escalation on the infected host.
  • eSentire’s Threat Response Unit (TRU) team assesses with medium confidence that the exploit kit is commonly used by Chinese threat actor(s).
  • eSentire Threat Response Unit (TRU) team assesses with high confidence that Purple Fox runs a VBS script that creates a firewall policy to block inbound traffic to common ports to prevent machines infected with Purple Pox from reinfection.
  • The malware has a worm-like capability to spread via other hosts by brute-forcing SMB credentials.
  • Purple Fox applies the workaround for CVE-2020-0674 (Scripting Engine Memory Corruption Vulnerability) and creates the firewall policy to block the common TCP ports including 135 and 445 from any external IP addresses. This is to prevent the infected host from being exploited by other exploit kits or malware.

Case Study

eSentire’s Threat Response Unit (TRU) team recently observed multiple Purple Fox infections. The malware targets vulnerable versions of Internet Explorer (IE). The infection starts with the execution of a malicious script via mshta.exe, a utility that runs Microsoft HTML Applications (HTA) files. Mshta.exe is often abused by threat actor(s) to proxy execute malicious .hta files, Javascript, or PowerShell via VBScript.

Technical Analysis of Purple Fox

In a recent incident, we observed Mshta.exe spawning from a vulnerable version of IE and launching a Base64-encoded PowerShell one-line command (Exhibit 1).

Exhibit 1: Mshta.exe spawning a malicious PowerShell command via VBScript

The command is responsible for downloading and launching the file i.php from a command and control (C2) domain. The contents of i.php file contain the char codes that are XOR’ed (XOR or "exclusive or" is a logical operator that yields true if exactly one (not both) of two conditions is true) with the hexadecimal value 0x26 (Exhibit 2).

Exhibit 2: Contents of i.php file

The decoded char code script revealed another layer of a malicious PowerShell script. The script disables the Windows Defender Real-Time Protection and sets up the registry path HKCU:\Software\7-Zip.

The PowerShell script downloads the second stage payload from the C2 channel based on the OS architecture of the infected machine and sleeps for 60 seconds. Then, it checks the registry for the value “StayOnTop” under the mentioned registry path to confirm that the payload was successfully executed (Exhibit 3). It’s worth noting that the registry value resides under HKU (HKEY_USERS) Registry Hive used by LocalSystem account (HKEY_USERS\.DEFAULT\Software\7-Zip).

Exhibit 3: The malware downloads the payload based on the OS architecture

The script also creates a mutex Global\bF5UPnqxCnbr to avoid reinfecting the host. Purple Fox uses steganography to hide the malicious payload (Exhibit 4).

Exhibit 4: 32.png file

We extracted the payload from the PNG file using the section of the script that is responsible for running the retrieved 32.png payload (Exhibit 5).

Exhibit 5: Extracted payload from 32.png

It appears to be another layer of obfuscation ending with ($sheLliD[1]+$sHELlID[13]+'x') which equals to IEX (Invoke-Expression). We removed IEX and outputted the decoded script into a file. The decoded file contains the third stage payload or script (Exhibit 6). The script leverages the MsiInstallProduct (msi.dll) API to run the payload. The script contains multiple Base64-encoded payloads (Exhibit 6) as well as the PowerShell implementation of Hot Potato Windows Privilege Escalation exploit known as Tater.

Exhibit 6: Base64-encoded payloads

If the infected user does not have administrative privileges, the script will attempt to leverage known exploits to achieve privilege escalation on the infected host.

We found that the first decoded 32-bit payload 1908832String contains the exploit for CVE-2019-0808 (Win32k Elevation of Privilege Vulnerability) with the following debugging path:

Exhibit 19: Extracted password list from memory

The second 32-bit executable payload 1808132String contains the exploit for CVE-2018-8120 (Win32k Elevation of Privilege Vulnerability).

The third 32-bit executable payload 1505132String contains the exploit for CVE-2015-1701 (Win32k Elevation of Privilege Vulnerability) with the following path:

The fourth 32-bit executable payload AllmakeString contains the exploit for CVE-2021-1675 (Windows Print Spooler Remote Code Execution Vulnerability) with the following path:

The fifth 32-bit DLL payload sp32String is UPX-packed and contains Base64-encoded PowerShell command (Exhibit 7). Upon decoding the PowerShell command, we found another PHP file retrieved from the same C2 domain. The PHP file appears to be an MSI executable that reaches out to the C2 to retrieve the .CAB file such as M0071.cab containing the following main components of the malware (Exhibit 8):

The above-mentioned files are dropped onto the Windows folder. The malware adds the filenames to be replaced and removed to the registry path HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\ PendingFileRenameOperations:

This activity was mentioned by 360 Total Security to ensure that the malware successfully runs on the system.

Exhibit 7: Base64-decoded PowerShell command

Exhibit 8: Contents of the MSI file


File replacements upon the boot-time is done by smss.exe (Session Manager Subsystem) process (Exhibit 9).

Exhibit 9: smss.exe process deletes/moves the files upon startup

Manually running the MSI installer without the .CAB component downloaded from C2 would yield an error saying that there is a missing M0071.cab file (Exhibit 10). If the .CAB file is present on the system, the installer would produce a “Description of dynamic conditions” message (Exhibit 11).

Exhibit 10: Manually running the MSI installer without the .CAB component produces an error message in Chinese

Exhibit 11: The message output if the .CAB file is present on the infected machine

During the exploitation stage where Purple Fox tries to escalate user’s privilege via the previously decoded PowerShell script, the following folder from where the MSI installer runs gets created (CTH3VNU8KZHDXY6YYCF9YV8OXGPW3P2APZPL is the original name for the MSI installer):

The MSI installer runs with the command C:\Windows\system32\msiexec.exe /V and launches the VBS script that creates a firewall policy to block the inbound traffic to common ports. eSentire Threat Response Unit (TRU) assesses with high confidence that this is done to prevent machines infected with Purple Pox from being re-infected.

The malware also attempts to patch the system from the known Scripting Engine Memory Corruption Vulnerability in Internet Explorer (CVE-2020-0674) by taking the ownership of the jscript.dll after successfully exploiting the infected machine to prevent other malware competitors from exploiting the host:

"C:\Windows\SysWOW64\netsh.exe" interface ipv6 install
"C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
"C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
"C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\jscript.dll
"C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\jscript.dll /E /P everyone:N
"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\jscript.dll
"C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\jscript.dll /E /P everyone:N
"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\cscript.exe
"C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\cscript.exe /E /P everyone:N
"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\cscript.exe
"C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\cscript.exe /E /P everyone:N
"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\mshtml.dll
"C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\mshtml.dll /E /P everyone:N
"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\mshtml.dll
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\mshtml.dll /E /P everyone:N
C:\Windows\SysWOW64\powercfg.exe
"C:\Windows\SysWOW64\powercfg.exe" /S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c

Purple Fox uses a unique name “qianye” for the firewall policy name. The policy name and mutex convention were previously used in RIG EK (Exploit Kit) back in 2019, which suggests that Purple Fox EK and RIG EK are related. Proofpoint researchers also mentioned that Purple Fox has built their own exploit kit to replace RIG EK.

Additionally, the PowerShell process that is spawned is responsible for rebooting the infected machine after 900 seconds (15 minutes):

This ensures that the rootkit and malware components successfully load onto the system, the dropped files are removed from the Windows folder, the registry keys and services are hidden without the user suspecting of any malicious activities.

Ms5C864EC6App DLL, which is responsible for decrypting the rootkit, is registered as a hidden service. Ms5C864EC6App DLL gets injected into svchost processes even if the infected machine boots in Safe Mode with the following arguments (Exhibits 12-13):

Exhibit 12: Hidden registry values

Exhibit 13: Hidden service (Ms5C864EC6App is injected into svchost.exe)

Upon the reboot, the service name dump_{8-random-characters} is created and Ms{8-random-characters}App.dll gets injected into svchost.exe (Exhibit 14). The service loads the rootkit driver. The main purpose of the rootkit in this sample is to hide the malicious running service as well as registry keys mentioned previously. The rootkit is named as dump_{8-random-characters}.sys and is also hidden on the infected machine (Exhibit 15).

Exhibit 14: Rootkit service creation and DLL loading

Exhibit 15: Hidden rootkit driver in the registry

Purple Fox stores its configuration in an encrypted format under HKEY_LOCAL_MACHINE\Software\Microsoft\DirectPlay8\Direct3D\ and leverages LOLBIN (Living Off the Land Binary), specifically mshta.exe to execute malicious commands via the following pattern, where @[email protected] is the placeholder for the command to be executed (Exhibits 16-17):

Exhibit 16: Encrypted configuration

Exhibit 17: Using LOLBIN (mshta.exe) to run malicious commands

According to Guadicore research, the malware uses SMB brute-forcing to gain access to other machines that are publicly exposed on the Internet (Exhibit 18). The IP address generation algorithm was thoroughly described by Avast researchers. The extracted from memory password list contains over 4000 common words and numbers (Exhibit 19).

Exhibit 18: Purple Fox making constant connections over port 445 to other machines on the Internet via svchost.exe process

Exhibit 19: Extracted password list from memory

We extracted the following C2 IPs from the memory:

70.67.187.105:13533 7.82.220.180:11575 20.28.221.108:13934
157.235.223.6:14079 21.42.151.230:14757 73.65.97.5:11018
65.234.116.150:19258 183.213.144.246:15780 145.137.160.99:12752
7.38.92.10:10608 133.18.191.109:14047 241.111.127.149:19135
106.54.78.245:15699 117.144.135.187:12001 184.144.70.26:13453
76.110.192.131:16864 73.204.19.157:20153 22.197.29.184:11783
86.232.196.159:10225 20.0.180.164:10541 241.111.218.42:10970
145.9.226.86:11121 73.53.25.111:14220 77.231.42.218:13962
65.102.78.39:20163 73.39.80.243:15572 180.14.227.58:15075
65.113.193.42:10945 85.241.16.2:16926 75.126.49.16:16581
68.50.158.154:19791 53.141.203.114:14693 175.233.158.123:15823
184.166.67.206:13200 182.185.31.85:10895 179.75.18.139:17801
120.253.196.37:19337 7.38.137.122:15684 23.153.110.100:12855

The above IP addresses are resolved via DNS, specifically it reaches out to ret.6bc[.]us for DNS requests.

How eSentire is Responding

Our Threat Response Unit (TRU) team combines threat intelligence obtained from research and security incidents to create positive security outcomes for our customers. We are taking a holistic approach to combat modern cybersecurity threats by deploying countermeasures, such as:

Our detection content is supported by investigation runbooks, ensuring our 24/7 Cyber SOC Analysts respond rapidly to any intrusion attempts related to a known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.

Recommendations from eSentire's Threat Response Unit (TRU)

We recommend implementing the following controls to help secure your organization against PurpleFox malware:

While the TTPs used by adversaries grow in sophistication, they lead to a certain level of difficulty at which critical business decisions must be made. Preventing the various attack paths utilized by the modern threat actor requires actively monitoring the threat landscape. Additonally, developing, and deploying endpoint detection, coupled with the ability to investigate logs and network data during active intrusions.

eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.

Appendix

Indicators of Compromise

Name Indicators
i.php 32d81dcfcf7ae1d000fd9332b3442eb4afa72674dda5bd0cb47c1faaa44c99b8
MSI Installer 61ea42af8d93e9d6eee269c048983559f455a82ac387b3e08046cbe21a05ca64
M0071.cab 42d20b11fef9c5beba6c6dbcc4d3bbd2d163bc4d50035d3604461a9c25b69e70
.log 29c94fb2f3f0a3dc731854d27527f45a85d6b8658fb88e218954f5c76a93e270
dbcode86mk.log 766d7995bc515cb656e91581e57217f1f745ba3136dd32ff12cf915521b129ad
hxxps[:]//kjt[.]bar/ C2
Ms5C864EC6App.dll 682e2ab27c4c773abfd2056625cb9fe60a78039ea009e0a83fc6d0ba18b0db6d
ret.6bc[.]us DNS resolver domain

Yara Rules

import "pe"

rule  dbcode86mk_encrypted {
	meta:
		author = "eSentire TI"
		date = "04/27/2022"
		version = "1.0"
	strings:
		$a = {4B 65 77 44 72 69 76 65 72 33 32 48}
		$a1 = "KewDriver32H"
	condition:
		1 of ($a*) and (filesize<500KB) 
}

import "pe"

rule  MSI_Installer {
	meta:
		author = "eSentire TI"
		date = "04/27/2022"
		version = "1.0"
	strings:
		$msi = {D0 CF 11 E0 A1 B1 1A E1}
		$a1 = "CTH3VNU8KZHDXY6YYCF9YV8OXGPW3P2APZPL"
		$a2 = {41 70 70 50 61 74 63 68 5C 41 63 70 73 65 6E 73 2E 64 6C 6C}
		$a3 = {73 65 6E 73 2E 64 6C 6C}
		$a4 = {5B 53 79 73 74 65 6D 46 6F 6C 64 65 72 5D}
	condition:
		all of ($a*) and ($msi) and (filesize<1MB) 
}

import "pe"

rule MsApp {
	meta:
		author = "eSentire TI"
		date = "04/27/2022"
		version = "1.0"
	strings:
		$a1 = "KewService32.dll"
		$a2 = ".vmp1"
		$a3 = {2E 76 6D 70 30}
		$a4 = {56 69 72 74 75 61 6C 42 6F 78}
	condition:
		3 of ($a*) and (filesize<11MB)
		and pe.exports("ServiceMain")
		and (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f)
}

Skip To:

  • Key Takeaways:
  • Case Study
  • Technical Analysis of Purple Fox
  • How eSentire is Responding
  • Recommendations from eSentire's Threat Response Unit (TRU)
  • Appendix

Join 100,000+ Security Leaders

Get notified of the latest news, intel and helpful tools & assets. You can unsubscribe anytime.

By clicking the button below I confirm that I have read and agree to the eSentire privacy policy.

View Most Recent Blogs
eSentire Threat Response Unit (TRU)
eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.