eSentire Threat Intelligence Malware Analysis: Purple Fox

Purple Fox malware was first discovered in 2018 and was delivered by RIG EK (Exploit Kit). However, it has now become an independent malware with its own exploit kit framework. Like many other exploit kits, Purple Fox is regularly updating its capabilities by using different exploits that are available in the wild to obtain remote code execution and privilege escalation on vulnerable machines as well as installing backdoors and propagating to other machines.

eSentire’s Threat Response Unit (TRU) team has previously posted a TRU Positive on how Purple Fox exploited a victim’s browser to execute malicious code. While the exploit was successful, eSentire MDR for Endpoint prevented the exploit from executing the malicious PowerShell code. This malware analysis delves deeper into the technical details of how the Purple Fox malware functions and our security recommendations to protect your organization from being exploited.

Case Study

eSentire’s Threat Response Unit (TRU) team recently observed multiple Purple Fox infections. The malware targets vulnerable versions of Internet Explorer (IE). The infection starts with the execution of a malicious script via mshta.exe, a utility that runs Microsoft HTML Applications (HTA) files. Mshta.exe is often abused by threat actor(s) to proxy execute malicious .hta files, Javascript, or PowerShell via VBScript.

Technical Analysis of Purple Fox

In a recent incident, we observed Mshta.exe spawning from a vulnerable version of IE and launching a Base64-encoded PowerShell one-line command (Exhibit 1).

The command is responsible for downloading and launching the file i.php from a command and control (C2) domain. The contents of i.php file contain the char codes that are XOR’ed (XOR or "exclusive or" is a logical operator that yields true if exactly one (not both) of two conditions is true) with the hexadecimal value 0x26 (Exhibit 2).

The decoded char code script revealed another layer of a malicious PowerShell script. The script disables the Windows Defender Real-Time Protection and sets up the registry path HKCU:\Software\7-Zip.

The PowerShell script downloads the second stage payload from the C2 channel based on the OS architecture of the infected machine and sleeps for 60 seconds. Then, it checks the registry for the value “StayOnTop” under the mentioned registry path to confirm that the payload was successfully executed (Exhibit 3). It’s worth noting that the registry value resides under HKU (HKEY_USERS) Registry Hive used by LocalSystem account (HKEY_USERS\.DEFAULT\Software\7-Zip).

The script also creates a mutex Global\bF5UPnqxCnbr to avoid reinfecting the host. Purple Fox uses steganography to hide the malicious payload (Exhibit 4).

We extracted the payload from the PNG file using the section of the script that is responsible for running the retrieved 32.png payload (Exhibit 5).

It appears to be another layer of obfuscation ending with ($sheLliD[1]+$sHELlID[13]+'x') which equals to IEX (Invoke-Expression). We removed IEX and outputted the decoded script into a file. The decoded file contains the third stage payload or script (Exhibit 6). The script leverages the MsiInstallProduct (msi.dll) API to run the payload. The script contains multiple Base64-encoded payloads (Exhibit 6) as well as the PowerShell implementation of Hot Potato Windows Privilege Escalation exploit known as Tater.

If the infected user does not have administrative privileges, the script will attempt to leverage known exploits to achieve privilege escalation on the infected host.

We found that the first decoded 32-bit payload 1908832String contains the exploit for CVE-2019-0808 (Win32k Elevation of Privilege Vulnerability) with the following debugging path:

• e:\work\*\cve-2019-0808-32-64-exp-master\cve-2019-0808\release\cve-2019-0808.pdb

The second 32-bit executable payload 1808132String contains the exploit for CVE-2018-8120 (Win32k Elevation of Privilege Vulnerability).

The third 32-bit executable payload 1505132String contains the exploit for CVE-2015-1701 (Win32k Elevation of Privilege Vulnerability) with the following path:

• c:\users\k8team\desktop\ms15-051\ms15-051\ms15-051\win32\ms15-051.pdb (the exploit code was borrowed from K8team)

The fourth 32-bit executable payload AllmakeString contains the exploit for CVE-2021-1675 (Windows Print Spooler Remote Code Execution Vulnerability) with the following path:

• e:\work\*\cve-2021-1675-lpe-exp-main\release\cve-2021-1675-lpe.pdb

The fifth 32-bit DLL payload sp32String is UPX-packed and contains Base64-encoded PowerShell command (Exhibit 7). Upon decoding the PowerShell command, we found another PHP file retrieved from the same C2 domain. The PHP file appears to be an MSI executable that reaches out to the C2 to retrieve the .CAB file such as M0071.cab containing the following main components of the malware (Exhibit 8):

• dbcode86mk.log also goes under the name sysupdate.log (likely an encrypted rootkit)
• .log also known as winupdate32.log (32-bit OS) or winupdate64.log (64-bit OS), the version on the disk would be Ms{8-random-characters}App.dll
• .xml (not included in the downloaded .CAB)

The above-mentioned files are dropped onto the Windows folder. The malware adds the filenames to be replaced and removed to the registry path HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\ PendingFileRenameOperations:

• \??\C:\Windows\AppPatch\Acpsens.dll
• \??\C:\Windows\.log
• \??\C:\Windows\system32\sens.dll

This activity was mentioned by 360 Total Security to ensure that the malware successfully runs on the system.

File replacements upon the boot-time is done by smss.exe (Session Manager Subsystem) process (Exhibit 9).

Manually running the MSI installer without the .CAB component downloaded from C2 would yield an error saying that there is a missing M0071.cab file (Exhibit 10). If the .CAB file is present on the system, the installer would produce a “Description of dynamic conditions” message (Exhibit 11).

During the exploitation stage where Purple Fox tries to escalate user’s privilege via the previously decoded PowerShell script, the following folder from where the MSI installer runs gets created (CTH3VNU8KZHDXY6YYCF9YV8OXGPW3P2APZPL is the original name for the MSI installer):

• C:\Program Files\CTH3VNU8KZHDXY6YYCF9YV8OXGPW3P2APZPL\CTH3VNU8KZHDXY6YYCF9YV8OXGPW3P2APZPL

The MSI installer runs with the command C:\Windows\system32\msiexec.exe /V and launches the VBS script that creates a firewall policy to block the inbound traffic to common ports. eSentire Threat Response Unit (TRU) assesses with high confidence that this is done to prevent machines infected with Purple Pox from being re-infected.

The malware also attempts to patch the system from the known Scripting Engine Memory Corruption Vulnerability in Internet Explorer (CVE-2020-0674) by taking the ownership of the jscript.dll after successfully exploiting the infected machine to prevent other malware competitors from exploiting the host:

Purple Fox uses a unique name “qianye” for the firewall policy name. The policy name and mutex convention were previously used in RIG EK (Exploit Kit) back in 2019, which suggests that Purple Fox EK and RIG EK are related. Proofpoint researchers also mentioned that Purple Fox has built their own exploit kit to replace RIG EK.

Additionally, the PowerShell process that is spawned is responsible for rebooting the infected machine after 900 seconds (15 minutes):

• "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 900; Restart-Computer -Force

This ensures that the rootkit and malware components successfully load onto the system, the dropped files are removed from the Windows folder, the registry keys and services are hidden without the user suspecting of any malicious activities.

Ms5C864EC6App DLL, which is responsible for decrypting the rootkit, is registered as a hidden service. Ms5C864EC6App DLL gets injected into svchost processes even if the infected machine boots in Safe Mode with the following arguments (Exhibits 12-13):

• “C:\Windows\System32\svchost.exe" -k LocalService
• "C:\Windows\System32\svchost.exe" -k NetworkService
• “C:\Windows\System32\svchost.exe” -k rpcss

Upon the reboot, the service name dump_{8-random-characters} is created and Ms{8-random-characters}App.dll gets injected into svchost.exe (Exhibit 14). The service loads the rootkit driver. The main purpose of the rootkit in this sample is to hide the malicious running service as well as registry keys mentioned previously. The rootkit is named as dump_{8-random-characters}.sys and is also hidden on the infected machine (Exhibit 15).

Purple Fox stores its configuration in an encrypted format under HKEY_LOCAL_MACHINE\Software\Microsoft\DirectPlay8\Direct3D\ and leverages LOLBIN (Living Off the Land Binary), specifically mshta.exe to execute malicious commands via the following pattern, where @Cmd@ is the placeholder for the command to be executed (Exhibits 16-17):

• mshta.exe vbscript:createobject(\"wscript.shell\").run(\"@Cmd@\",0)(window.close)

According to Guadicore research, the malware uses SMB brute-forcing to gain access to other machines that are publicly exposed on the Internet (Exhibit 18). The IP address generation algorithm was thoroughly described by Avast researchers. The extracted from memory password list contains over 4000 common words and numbers (Exhibit 19).

We extracted the following C2 IPs from the memory:

The above IP addresses are resolved via DNS, specifically it reaches out to ret.6bc[.]us for DNS requests.

How eSentire is Responding

Our Threat Response Unit (TRU) team combines threat intelligence obtained from research and security incidents to create positive security outcomes for our customers. We are taking a holistic approach to combat modern cybersecurity threats by deploying countermeasures, such as:

• Implementing threat detections and BlueSteel, our machine- learning powered PowerShell classifier, to identify malicious command execution and exploitation attempts and ensure that eSentire has visibility, and detections are in place across eSentire MDR for Endpoint and MDR for Network.

• Performing proactive global threat hunts for indicators associated with Purple Fox across our entire customer base.

Our detection content is supported by investigation runbooks, ensuring our 24/7 Cyber SOC Analysts respond rapidly to any intrusion attempts related to a known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.

Recommendations from eSentire's Threat Response Unit (TRU)

We recommend implementing the following controls to help secure your organization against PurpleFox malware:

• Implement a Phishing and Security Awareness Training (PSAT) program that educates & informs employees on emerging threats in the threat landscape.
• Confirm that all devices are protected with Endpoint Detection and Response (EDR) solutions.
• Address security issues in Active Directory: thoroughly reviewing and securing SYSVOL permissions, patching any known vulnerabilities, implementing Least-Privilege Administrative Models.

• Patch any external-facing devices and applications on an ongoing basis. Conduct regular vulnerability scans to ensure your team is staying on top of patching and identifying all known vulnerabilities.
• Consider implementing a comprehensive vulnerability management program that includes continuous awareness of the threat landscape, vulnerability scanning to understand which systems are inadvertently exposed, and disciplined patch management.

While the TTPs used by adversaries grow in sophistication, they lead to a certain level of difficulty at which critical business decisions must be made. Preventing the various attack paths utilized by the modern threat actor requires actively monitoring the threat landscape. Additonally, developing, and deploying endpoint detection, coupled with the ability to investigate logs and network data during active intrusions.

eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.

Appendix

• https://blog.360totalsecurity.com/en/purple-fox-trojan-burst-out-globally-and-infected-more-than-30000-users/
• https://www.proofpoint.com/us/blog/threat-insight/purple-fox-ek-adds-exploits-cve-2020-0674-and-cve-2019-1458-its-arsenal
• https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/
• https://decoded.avast.io/martinchlumecky/dirtymoe-5/#Section4-1

Indicators of Compromise

Yara Rules

import "pe"

rule  dbcode86mk_encrypted {
	meta:
		author = "eSentire TI"
		date = "04/27/2022"
		version = "1.0"
	strings:
		$a = {4B 65 77 44 72 69 76 65 72 33 32 48}
		$a1 = "KewDriver32H"
	condition:
		1 of ($a*) and (filesize<500KB) 
}

import "pe"

rule  MSI_Installer {
	meta:
		author = "eSentire TI"
		date = "04/27/2022"
		version = "1.0"
	strings:
		$msi = {D0 CF 11 E0 A1 B1 1A E1}
		$a1 = "CTH3VNU8KZHDXY6YYCF9YV8OXGPW3P2APZPL"
		$a2 = {41 70 70 50 61 74 63 68 5C 41 63 70 73 65 6E 73 2E 64 6C 6C}
		$a3 = {73 65 6E 73 2E 64 6C 6C}
		$a4 = {5B 53 79 73 74 65 6D 46 6F 6C 64 65 72 5D}
	condition:
		all of ($a*) and ($msi) and (filesize<1MB) 
}

import "pe"

rule MsApp {
	meta:
		author = "eSentire TI"
		date = "04/27/2022"
		version = "1.0"
	strings:
		$a1 = "KewService32.dll"
		$a2 = ".vmp1"
		$a3 = {2E 76 6D 70 30}
		$a4 = {56 69 72 74 75 61 6C 42 6F 78}
	condition:
		3 of ($a*) and (filesize<11MB)
		and pe.exports("ServiceMain")
		and (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f)
}