eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Recommendations from eSentire's Threat Response Unit (TRU)
Appendix
Purple Fox malware was first discovered
in 2018 and was delivered by RIG EK (Exploit Kit). However, it has now become an independent malware with its own exploit kit framework. Like many other exploit kits, Purple Fox is regularly updating its capabilities by using different exploits that are available in the wild to obtain remote code execution and privilege escalation on vulnerable machines as well as installing backdoors and propagating to other machines.
eSentire’s Threat Response Unit (TRU) team has previously posted a TRU Positive on how Purple Fox exploited a victim’s browser to execute malicious code. While the exploit was successful, eSentire MDR for Endpoint prevented the exploit from executing the malicious PowerShell code. This malware analysis delves deeper into the technical details of how the Purple Fox malware functions and our security recommendations to protect your organization from being exploited.
Key Takeaways:
Purple Fox leverages rootkit components to avoid detections by hiding registry keys and files on the infected machine.
The malware abuses LOLBIN (Living Off the Land Binary), specifically mshta.exe, which is a Windows binary designed to execute Microsoft HTML Application (HTA) files to defeat defensive countermeasures.
Purple Fox uses various publicly available exploits to obtain privilege escalation on the infected host.
eSentire’s Threat Response Unit (TRU) team assesses with medium confidence that the exploit kit is commonly used by Chinese threat actor(s).
eSentire Threat Response Unit (TRU) team assesses with high confidence that Purple Fox runs a VBS script that creates a firewall policy to block inbound traffic to common ports to prevent machines infected with Purple Pox from reinfection.
The malware has a worm-like capability to spread via other hosts by brute-forcing SMB credentials.
Purple Fox applies the workaround for CVE-2020-0674 (Scripting Engine Memory Corruption Vulnerability) and creates the firewall policy to block the common TCP ports including 135 and 445 from any external IP addresses. This is to prevent the infected host from being exploited by other exploit kits or malware.
Case Study
eSentire’s Threat Response Unit (TRU) team recently observed multiple Purple Fox infections. The malware targets vulnerable versions of Internet Explorer (IE). The infection starts with the execution of a malicious script via mshta.exe, a utility that runs Microsoft HTML Applications (HTA) files. Mshta.exe is often abused by threat actor(s) to proxy execute malicious .hta files, Javascript, or PowerShell via VBScript.
Technical Analysis of Purple Fox
In a recent incident, we observed Mshta.exe spawning from a vulnerable version of IE and launching a Base64-encoded PowerShell one-line command (Exhibit 1).
Exhibit 1: Mshta.exe spawning a malicious PowerShell command via VBScript
The command is responsible for downloading and launching the file i.php from a command and control (C2) domain. The contents of i.php file contain the char codes that are XOR’ed (XOR or "exclusive or" is a logical operator that yields true if exactly one (not both) of two conditions is true) with the hexadecimal value 0x26 (Exhibit 2).
Exhibit 2: Contents of i.php file
The decoded char code script revealed another layer of a malicious PowerShell script. The script disables the Windows Defender Real-Time Protection and sets up the registry path HKCU:\Software\7-Zip.
The PowerShell script downloads the second stage payload from the C2 channel based on the OS architecture of the infected machine and sleeps for 60 seconds. Then, it checks the registry for the value “StayOnTop” under the mentioned registry path to confirm that the payload was successfully executed (Exhibit 3). It’s worth noting that the registry value resides under HKU (HKEY_USERS) Registry Hive used by LocalSystem account (HKEY_USERS\.DEFAULT\Software\7-Zip).
Exhibit 3: The malware downloads the payload based on the OS architecture
The script also creates a mutex Global\bF5UPnqxCnbr to avoid reinfecting the host. Purple Fox uses steganography to hide the malicious payload (Exhibit 4).
Exhibit 4: 32.png file
We extracted the payload from the PNG file using the section of the script that is responsible for running the retrieved 32.png payload (Exhibit 5).
Exhibit 5: Extracted payload from 32.png
It appears to be another layer of obfuscation ending with ($sheLliD[1]+$sHELlID[13]+'x') which equals to IEX (Invoke-Expression). We removed IEX and outputted the decoded script into a file. The decoded file contains the third stage payload or script (Exhibit 6). The script leverages the MsiInstallProduct
(msi.dll) API to run the payload. The script contains multiple Base64-encoded payloads (Exhibit 6) as well as the PowerShell implementation of Hot Potato Windows Privilege Escalation exploit known as Tater.
Exhibit 6: Base64-encoded payloads
If the infected user does not have administrative privileges, the script will attempt to leverage known exploits to achieve privilege escalation on the infected host.
We found that the first decoded 32-bit payload 1908832String contains the exploit for CVE-2019-0808
(Win32k Elevation of Privilege Vulnerability) with the following debugging path:
The second 32-bit executable payload 1808132String contains the exploit for CVE-2018-8120
(Win32k Elevation of Privilege Vulnerability).
The third 32-bit executable payload 1505132String
contains the exploit for CVE-2015-1701
(Win32k Elevation of Privilege Vulnerability) with the following path:
c:\users\k8team\desktop\ms15-051\ms15-051\ms15-051\win32\ms15-051.pdb (the exploit code was borrowed from K8team)
The fourth 32-bit executable payload AllmakeString contains the exploit for CVE-2021-1675
(Windows Print Spooler Remote Code Execution Vulnerability) with the following path:
The fifth 32-bit DLL payload sp32String is UPX-packed and contains Base64-encoded PowerShell command (Exhibit 7). Upon decoding the PowerShell command, we found another PHP file retrieved from the same C2 domain. The PHP file appears to be an MSI executable that reaches out to the C2 to retrieve the .CAB file such as M0071.cab containing the following main components of the malware (Exhibit 8):
dbcode86mk.log also goes under the name sysupdate.log (likely an encrypted rootkit)
.log also known as winupdate32.log (32-bit OS) or winupdate64.log (64-bit OS), the version on the disk would be Ms{8-random-characters}App.dll
.xml (not included in the downloaded .CAB)
The above-mentioned files are dropped onto the Windows folder. The malware adds the filenames to be replaced and removed to the registry path HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\ PendingFileRenameOperations:
\??\C:\Windows\AppPatch\Acpsens.dll
\??\C:\Windows\.log
\??\C:\Windows\system32\sens.dll
This activity was mentioned
by 360 Total Security to ensure that the malware successfully runs on the system.
Exhibit 7: Base64-decoded PowerShell commandExhibit 8: Contents of the MSI file
File replacements upon the boot-time is done by smss.exe (Session Manager Subsystem) process (Exhibit 9).
Exhibit 9: smss.exe process deletes/moves the files upon startup
Manually running the MSI installer without the .CAB component downloaded from C2 would yield an error saying that there is a missing M0071.cab file (Exhibit 10). If the .CAB file is present on the system, the installer would produce a “Description of dynamic conditions” message (Exhibit 11).
Exhibit 10: Manually running the MSI installer without the .CAB component produces an error message in ChineseExhibit 11: The message output if the .CAB file is present on the infected machine
During the exploitation stage where Purple Fox tries to escalate user’s privilege via the previously decoded PowerShell script, the following folder from where the MSI installer runs gets created (CTH3VNU8KZHDXY6YYCF9YV8OXGPW3P2APZPL is the original name for the MSI installer):
The MSI installer runs with the command C:\Windows\system32\msiexec.exe /V and launches the VBS script that creates a firewall policy to block the inbound traffic to common ports. eSentire Threat Response Unit (TRU) assesses with high confidence that this is done to prevent machines infected with Purple Pox from being re-infected.
The malware also attempts to patch the system from the known Scripting Engine Memory Corruption Vulnerability in Internet Explorer (CVE-2020-0674) by taking the ownership of the jscript.dll after successfully exploiting the infected machine to prevent other malware competitors from exploiting the host:
Purple Fox uses a unique name “qianye” for the firewall policy name. The policy name and mutex convention were previously used
in RIG EK (Exploit Kit) back in 2019, which suggests that Purple Fox EK and RIG EK are related. Proofpoint researchers also mentioned
that Purple Fox has built their own exploit kit to replace RIG EK.
Additionally, the PowerShell process that is spawned is responsible for rebooting the infected machine after 900 seconds (15 minutes):
This ensures that the rootkit and malware components successfully load onto the system, the dropped files are removed from the Windows folder, the registry keys and services are hidden without the user suspecting of any malicious activities.
Ms5C864EC6App DLL, which is responsible for decrypting the rootkit, is registered as a hidden service. Ms5C864EC6App DLL gets injected into svchost processes even if the infected machine boots in Safe Mode with the following arguments (Exhibits 12-13):
Exhibit 12: Hidden registry valuesExhibit 13: Hidden service (Ms5C864EC6App is injected into svchost.exe)
Upon the reboot, the service name dump_{8-random-characters} is created and Ms{8-random-characters}App.dll gets injected into svchost.exe (Exhibit 14). The service loads the rootkit driver. The main purpose of the rootkit in this sample is to hide the malicious running service as well as registry keys mentioned previously. The rootkit is named as dump_{8-random-characters}.sys and is also hidden on the infected machine (Exhibit 15).
Exhibit 14: Rootkit service creation and DLL loadingExhibit 15: Hidden rootkit driver in the registry
Purple Fox stores its configuration in an encrypted format under HKEY_LOCAL_MACHINE\Software\Microsoft\DirectPlay8\Direct3D\ and leverages LOLBIN (Living Off the Land Binary), specifically mshta.exe to execute malicious commands via the following pattern, where @Cmd@ is the placeholder for the command to be executed (Exhibits 16-17):
Exhibit 16: Encrypted configurationExhibit 17: Using LOLBIN (mshta.exe) to run malicious commands
According to Guadicore
research, the malware uses SMB brute-forcing to gain access to other machines that are publicly exposed on the Internet (Exhibit 18). The IP address generation algorithm was thoroughly described by Avast researchers. The extracted from memory password list contains over 4000 common words and numbers (Exhibit 19).
Exhibit 18: Purple Fox making constant connections over port 445 to other machines on the Internet via svchost.exe processExhibit 19: Extracted password list from memory
We extracted the following C2 IPs from the memory:
70.67.187.105:13533
7.82.220.180:11575
20.28.221.108:13934
157.235.223.6:14079
21.42.151.230:14757
73.65.97.5:11018
65.234.116.150:19258
183.213.144.246:15780
145.137.160.99:12752
7.38.92.10:10608
133.18.191.109:14047
241.111.127.149:19135
106.54.78.245:15699
117.144.135.187:12001
184.144.70.26:13453
76.110.192.131:16864
73.204.19.157:20153
22.197.29.184:11783
86.232.196.159:10225
20.0.180.164:10541
241.111.218.42:10970
145.9.226.86:11121
73.53.25.111:14220
77.231.42.218:13962
65.102.78.39:20163
73.39.80.243:15572
180.14.227.58:15075
65.113.193.42:10945
85.241.16.2:16926
75.126.49.16:16581
68.50.158.154:19791
53.141.203.114:14693
175.233.158.123:15823
184.166.67.206:13200
182.185.31.85:10895
179.75.18.139:17801
120.253.196.37:19337
7.38.137.122:15684
23.153.110.100:12855
The above IP addresses are resolved
via DNS, specifically it reaches out to ret.6bc[.]us for DNS requests.
How eSentire is Responding
Our Threat Response Unit (TRU) team combines threat intelligence obtained from research and security incidents to create positive security outcomes for our customers. We are taking a holistic approach to combat modern cybersecurity threats by deploying countermeasures, such as:
Implementing threat detections and BlueSteel, our machine- learning powered PowerShell classifier, to identify malicious command execution and exploitation attempts and ensure that eSentire has visibility, and detections are in place across eSentire MDR for Endpoint
and MDR for Network.
Performing proactive global threat hunts for indicators associated with Purple Fox across our entire customer base.
Our detection content is supported by investigation runbooks, ensuring our 24/7 Cyber SOC Analysts respond rapidly to any intrusion attempts related to a known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.
Recommendations from eSentire's Threat Response Unit (TRU)
We recommend implementing the following controls to help secure your organization against PurpleFox malware:
Address security issues in Active Directory: thoroughly reviewing and securing SYSVOL permissions, patching any known vulnerabilities, implementing Least-Privilege Administrative Models.
Patch any external-facing devices and applications on an ongoing basis. Conduct regular vulnerability scans to ensure your team is staying on top of patching and identifying all known vulnerabilities.
Consider implementing a comprehensive vulnerability management program that includes continuous awareness of the threat landscape, vulnerability scanning to understand which systems are inadvertently exposed, and disciplined patch management.
While the TTPs used by adversaries grow in sophistication, they lead to a certain level of difficulty at which critical business decisions must be made. Preventing the various attack paths utilized by the modern threat actor requires actively monitoring the threat landscape. Additonally, developing, and deploying endpoint detection, coupled with the ability to investigate logs and network data during active intrusions.
eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.
Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.
import "pe"
rule dbcode86mk_encrypted {
meta:
author = "eSentire TI"
date = "04/27/2022"
version = "1.0"
strings:
$a = {4B 65 77 44 72 69 76 65 72 33 32 48}
$a1 = "KewDriver32H"
condition:
1 of ($a*) and (filesize<500KB)
}
import "pe"
rule MSI_Installer {
meta:
author = "eSentire TI"
date = "04/27/2022"
version = "1.0"
strings:
$msi = {D0 CF 11 E0 A1 B1 1A E1}
$a1 = "CTH3VNU8KZHDXY6YYCF9YV8OXGPW3P2APZPL"
$a2 = {41 70 70 50 61 74 63 68 5C 41 63 70 73 65 6E 73 2E 64 6C 6C}
$a3 = {73 65 6E 73 2E 64 6C 6C}
$a4 = {5B 53 79 73 74 65 6D 46 6F 6C 64 65 72 5D}
condition:
all of ($a*) and ($msi) and (filesize<1MB)
}
import "pe"
rule MsApp {
meta:
author = "eSentire TI"
date = "04/27/2022"
version = "1.0"
strings:
$a1 = "KewService32.dll"
$a2 = ".vmp1"
$a3 = {2E 76 6D 70 30}
$a4 = {56 69 72 74 75 61 6C 42 6F 78}
condition:
3 of ($a*) and (filesize<11MB)
and pe.exports("ServiceMain")
and (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f)
}
eSentire Threat Response Unit (TRU)
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
