Purple Fox Exploit Kit

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

• Drive by exploit attack attempting to deploy malware on a victim’s workstation
• TRU team linked the attack to Purple Fox Exploit Kit which exploits known vulnerabilities in Internet Explorer to execute malicious code
  • Additional exploit payloads are retrieved via data hidden in image files (a technique known as steganography). These payloads are customized to the target based on system configuration.
• The attacker’s objective is deployment of rootkits on end user devices.

How did we find it?

• Our Machine Learning PowerShell classifier detected obfuscated PowerShell executing as a result of a successful Internet Explorer exploit. eSentire MDR for Endpoint prevented the resulting PowerShell code from executing.
• Our 24/7 SOC was alerted and investigated

Attempted execution of malicious PowerShell code resulting from a successful Internet Explorer exploit.

What did we do?

• Alerted the customer and isolated the host as we investigated
• Confirmed the exploit attempt was blocked successfully and the customer’s workstation was not compromised
• Provided remediation recommendations and support
• TRU analyzed the attack infrastructure and exploit payloads associated to the Purple Fox threat. Information gleaned was fed back into our processes including adding further detection measures across the Atlas XDR platform to better protect our global customer base from attacks such as this.
• The investigation we performed confirmed that the PowerShell code was hidden behind several layers of obfuscation to impede analysis. Our analysts observed the code fetching a remote image in this instance. The image uses a technique known as steganography to embed data or tools within the image without changing its appearance. In this case there are three different colors used in the image and one of the color components was altered to embed the malicious tooling, a level of detail often missed without expert level threat hunting and investigation capabilities.

What can you learn from this TRU positive?

• Drive-by-exploit attacks remain a viable attack vector
  • Vulnerable applications exposed to untrusted code (such as web browsers) are most at risk
  • These attacks require no interaction from the user, simply visiting a malicious page is enough
  • Purple Fox uses several techniques to evade detection, impede analysis and customizes its behavior based on the victim’s machine.
• Preventing drive-by-exploits requires a layered defense:
  • Audit your environment and endpoints regularly to ensure endpoints are patched with the latest vendor security updates
  • Protect endpoints against malware using managed endpoint detection and response support
  • Rapid identification and containment of successful exploits is necessary to limit impact. Unsuccessful attempts still present an opportunity to shore up defenses.

If you’re not currently engaged with a Managed Detection and Response provider, we highly recommend you partner with us for security services in order to disrupt threats before they impact your business.

Want to learn more? Connect with an eSentire Security Specialist.