Initially discovered in 2018, Purple Fox, a trojan spread by phishing emails and RIG exploits has been seen in several active campaigns since its discovery. Now the malware has added another distribution method to its tool kit. The malware is now capable of being spread via what researchers call a worm-like capability, better described as “indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes.”
The new distribution method was discovered by researchers at Guardicore Labs, who announced the discovery recently via a report. The report is technical in nature but makes for interesting reading for those following Purple Fox’s development since its discovery. The discovery was made when Guardicore Global Sensors Network (GGSN) telemetry began picking up increased Purple Fox activity in mid-2020. Activity trailed off in November that same year till January 2021, followed by another surge in inactivity. Researchers determined activity has increased 600% with the total number of attacks being estimated at 90,000.
The malware targets Windows machines to repurpose the compromised machines to host other malicious payloads. Guardicore Labs says a variety of vulnerable and exploited servers are hosting the initial malware payload, many of which are running older versions of Windows Server with Internet Information Services (IIS) version 7.5 and Microsoft FTP. The infection chain typically begins with the attackers scanning for vulnerable Internet-facing services, like vulnerable SMB services mentioned above.
Researchers have also seen attacks beginning with brute-force attacks and the use of the RIG exploit kit. As it stands 2,000 servers have been hijacked by Purple Fox to extend the malware’s botnet. Once an initial compromise is granted to a specific machine and code execution can be achieved, Purple Fox will move to ensure persistence on the machine is achieved. This is done by the creation of a new service that loops commands and pulls Purple Fox payloads from malicious URLs. Once persistence is achieved the malware will launch an MSI launcher. Researchers noted,
“The installer pretends to be a Windows Update package along with Chinese text which roughly translates to “Windows Update” and random letters. These letters are randomly generated between each different MSI installer to create a different hash and make it a bit difficult to tie between different versions of the same MSI. This is a “cheap” and simple way of evading various detection methods such as static signatures. Additionally, we have identified MSI packages with the same strings but with random null bytes appended to them in order to create different hashes of the same file.”
Purple Fox’s main malicious payload consists of three components. These include a 64bit DLL payload (winupdate64), a 32bit DLL payload (winupdate32), and an encrypted file containing a rootkit. Of the three, one of them will tamper with Windows Firewall capabilities, and filters are created to block several ports. This is done in an attempt to stop the vulnerable server from being reinfected with other malware. Providing more detail on how the malware tampers with Windows Firewall, researchers noted,
“As a part of the installation process, the malware modifies the windows firewall by executing multiple netsh commands. The malware adds a new policy named Qianye to the windows firewall. Under this policy, it creates a new filter called Filter1 and under this filter, it prohibits ports 445, 139, 135 on both TCP and UDP from any IP address on the internet (0.0.0.0) to connect to the infected machine, we believe that the attackers are doing it in order to prevent the infected machine from being reinfected, and/or to be exploited by a different threat actor.”
Purple Fox’s Use of Steganography
Just before Guardicore was to see a lull in Purple Fox activity starting November 2020, researchers at Sentinel One discovered another interesting addition to the malware. Purple Fox had begun to use steganography as a method to hide the exploit kit. Steganography traditionally involves the hiding of a message within an image. In cybersecurity terms, steganography can be defined as the hiding of a malicious script, or file, within an image. Researchers discovered that Purple Fox was making use of an image, called update.jpg, to hide the exploit kits executable. If the potential victim downloaded the image the hidden executable is sent to memory. From there code is run to decode the encrypted payload and then run it. Researchers also discovered that,
“Further, two new exploits are now being utilized to help with local privilege escalation: CVE-2020-1054 and CVE-2019-0808. Both are kernel exploits in the Win32k component. CVE-2020-1054 was patched as recently as May this year. The attacker binaries we discovered exploiting these vulnerabilities were compiled on 11 August 2020 and 10 September 2020, respectively.”
When a victim opens the image, they would simply be presented with an image of a green field and tree, similar to popular Windows wallpaper images many would have seen in the past. Importantly, if the machine had a firewall, that is configured correctly, and a decent security software package, the steganography trick would have failed. It is perhaps this failure to get past commonly used security products that may have caused those behind the malware to look for better distribution methods, including those mentioned above. At the time Sentinel One published their research they concluded that,
“The Purple Fox exploit kit is under active development. As we’ve seen since September 2018 and again in our research, the malware authors are keeping up with Microsoft patches in order to target those vulnerabilities that organizations and security teams fail to patch in a timely manner by leveraging publicly-available exploit code. This new variant also improves its ability to evade detection by adopting steganography to hide LPE binaries and makes use of commercially available software to protect its code from analysis.”
Based on recent campaigns and discoveries as well as Sentinel One’s conclusion, those behind Purple Fox’s development are continually looking for new and improved ways to distribute their malware. It would seem for now they are content with how the malware performs its tasks but seems driven to improve distribution and infection vectors.